c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
628275ef59
Revert "This adjusts module options that need a routable address"
2026-03-08 17:37:49 +00:00
1ec87b586a
Merge pull request #20989 from zeroSteiner/feat/lib/mod-address-opts
...
This adjusts module options that need a routable address
2026-03-05 11:46:52 -05:00
59a1992214
Land #21017 , adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
bf41455bca
Fix: Address review feedback - remove dead execute_command, fix dropper race condition
2026-03-05 14:01:12 +01:00
1b39311784
Remove redundant definitions of SRVHOST
2026-03-03 09:37:27 -05:00
821e3c28f1
Replace old patterns with srvhost_addr
2026-03-03 09:37:27 -05:00
9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
fc49421939
Replace checks for nonroutable addresses
...
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
097a4700cb
Fix: check method returns CheckCode instead of fail_with on login failure
2026-02-26 17:13:57 +01:00
11806c983d
Update modules/exploits/linux/http/tacticalrmm_ssti_rce_cve_2025_69516.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-26 17:12:42 +01:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
fd92207119
Fix BeyondTrust exploit failing on older instances (22.x)
...
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
4f2eafda09
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-25 10:11:18 +01:00
0b78ab319e
improved version checking (i think)
2026-02-25 10:11:18 +01:00
b43b204060
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:11:15 +01:00
70dd190bc7
Fix: Inline shellcode via asm db instead of mmap RWX
...
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.
Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:32:05 +01:00
d6d9180b7c
Fix: Clarify why fork+setsid is in the constructor
...
PrependFork operates at shellcode level, but fork must happen in the
.so constructor so the runner process returns immediately and is not
blocked by the payload execution.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:25 +01:00
4031d7d950
Fix: Randomize chat trigger message content
...
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:13 +01:00
29a02274cf
Refactor: Remove redundant Platform/Arch from single target
2026-02-24 17:54:28 +01:00
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com >
2026-02-24 17:51:23 +01:00
33d24cc85b
Update modules/exploits/linux/http/ollama_rce_cve_2024_37032.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-24 17:47:51 +01:00
98b3357e2a
Adds beyondtrust lib, moves functionality into library, shares those functions to two modules
2026-02-24 16:16:05 +01:00
1ddee63f05
Merge pull request #20983 from sfewer-r7/0day-grandstream
...
Add exploit (CVE-2026-2329) and auxiliary modules for the Grandstream GXP1600 series
2026-02-24 08:50:42 -06:00
c390260291
Rubocopes
2026-02-24 13:12:37 +01:00
338804f028
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-24 09:47:49 +01:00
fc3a6cd0fe
improved version checking (i think)
2026-02-24 09:47:48 +01:00
e0bc7c4533
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-24 09:47:45 +01:00
d934f2006c
Feat: Add default payloads per target
2026-02-23 19:36:49 +01:00
bef9b7ad3b
Feat: Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-02-23 19:31:22 +01:00
1f5ad66248
comment gen_buffer to explain why this is needed
2026-02-23 13:04:42 +00:00
54f5b88baa
clarify the offsets used in patch_offset2cmd
2026-02-23 12:39:37 +00:00
2c807a6d95
clarify the initial valud in our rop buffer and the function epilogue that reads them
2026-02-23 12:39:10 +00:00
8519bffeff
add a Check message for this and change from Safe to Unknown which is more accurate
2026-02-23 11:28:53 +00:00
cab7bf064e
Fix: Add email to Sagi Tzadik credit
2026-02-21 17:06:42 +01:00
22fb85f648
Fix: Correct vulnerability discovery credit to Sagi Tzadik (Wiz Research)
2026-02-21 17:05:58 +01:00
b17d227d28
Feat: Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-21 16:52:43 +01:00
cf497a8d6e
Merge pull request #20938 from Chocapikk/fix-beyondtrust-mech-list-fallback
...
Fix BeyondTrust PRA/RS exploit failing on older instances
2026-02-20 17:38:40 -06:00
08efa9cd16
add in the Grandstream modules
2026-02-17 22:33:46 +00:00
d330de16c8
Merge pull request #20932 from sfewer-r7/ivanti-epmm-rce
...
Add exploit module for Ivant EPMM/MobileIron (CVE-2026-1281)
2026-02-10 11:07:39 -06:00
3f6d228954
Update modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-10 18:06:20 +01:00
defeb14ef4
Update modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-10 18:02:22 +01:00
Valentin Lobstein