1f547f19fb
Merge pull request #20832 from DataExplorerX/doc-linux-samba-module
...
Add documentation for linux/samba/chain_reply module (CVE-2004-0883)
2026-02-20 18:12:05 -06:00
7f8b18d7dc
Update documentation/modules/exploit/linux/samba/chain_reply.md
2026-02-20 17:45:14 -06:00
fcb41a2275
Update documentation/modules/exploit/linux/samba/chain_reply.md
...
Update documentation to point to a specific wayback machine page since the original does not exist, and a few of the wayback machine links are also broken.
2026-02-20 17:42:34 -06:00
f2262a84cc
Land #20841 , adds persistence module for Windows feature active setup
...
active setup persistence
2026-02-20 10:46:45 +01:00
b6f37bef11
Land #20976 , adds module for StoryChief WP plugin (CVE-2025-7441)
...
Add StoryChief WordPress 1.0.42 unauthenticated RCE module (CVE-2025-7441)
2026-02-19 10:06:25 +01:00
c6f7d03d03
Merge pull request #20919 from h00die/emacs
...
emacs extension persistence
2026-02-18 10:58:13 -05:00
a48129b640
Updated doc after checking msftidy_docs
2026-02-18 16:58:51 +02:00
8af82dc7eb
Merge pull request #20844 from 6a6f656c/userinit
...
Windows Userinit persistence
2026-02-18 06:05:04 -05:00
9f301549e8
Update documentation/modules/exploit/windows/persistence/registry_userinit.md
...
Co-authored-by: h00die <h00die@users.noreply.github.com >
2026-02-18 11:46:11 +01:00
7e50106cff
Apply suggestion from @dledda-r7
...
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com >
2026-02-17 07:17:03 -05:00
81e54d42e4
Merge pull request #20856 from msutovsky-r7/exploit/cve-2026-21858
...
Adds module for Ni8mare (CVE-2026-21858)
2026-02-16 10:06:14 -05:00
8ee79fa524
Add StoryChief WordPress 1.0.42 unauthenticated RCE module
2026-02-16 00:44:20 +02:00
a39ed2beac
Removing default version in the Dockerfile
2026-02-13 15:14:41 +01:00
bbfe139e7f
Merge branch 'master' into multi/http/churchcrm_unauth_rce
2026-02-13 15:01:52 +01:00
2b6d95d3c9
Adding a scenario in the documentation
...
The documentation for PHP Fetch have been added. The scenario have been
redone in order to track the last changes.
2026-02-13 15:01:17 +01:00
381972efd2
Changing the documentation
...
According to the recent change, i've changed the documentation and the
scenario outputs.
2026-02-13 14:05:29 +01:00
a4ec3cd40d
Merge pull request #20917 from sfewer-r7/solarwinds-webhelpdesk-rce
...
Add exploit module for SolarWinds Web Help Desk (CVE-2025-40536 + CVE-2025-40551)
2026-02-13 06:51:42 -05:00
7e03a89304
Land #20798 , adds module for FreeBSD rtsold/rtsol command injection (CVE-2025-14558)
...
Add module for rtsold/rtsol DNSSL Command Injection (CVE-2025-14558)
2026-02-13 10:57:03 +01:00
78f4b8f97d
Merge branch 'master' into multi/http/churchcrm_unauth_rce
2026-02-13 08:50:23 +01:00
35b52df28a
Merge pull request #20849 from haicenhacks/haicen_xerte
...
Add three modules for exploiting Xerte Online Toolkits
2026-02-12 15:01:42 -05:00
41414b896b
Tweak whitespacing in the docs for the renderer
2026-02-12 14:43:47 -05:00
7204c64b6b
Improves documentation
2026-02-12 12:05:29 -05:00
66139795e5
Fixes problems with module documentation
2026-02-11 18:20:06 -05:00
4adf87ac18
Merge pull request #20929 from jheysel-r7/feat/mod/cve-2026-24061
...
GNU Inetutils Telnet Auth Bypass (CVE-2026-24061)
2026-02-11 11:12:29 -08:00
9512135c84
Merge branch 'master' into rtsold_dnssl_cmdinject
2026-02-10 16:19:53 -05:00
017e074a61
Address comments
2026-02-10 12:15:48 +01:00
58dd29107f
remove SMB_SRVPORT as an option. It must allways be 445 so the user cannot change it. We print a message to inform the user this port is intended to be in use so that the SMB server is not compleatly opaque.
2026-02-05 17:21:31 +00:00
f632cf34bf
add in a module and docs fo rteh EPMM exploit
2026-02-05 12:26:38 +00:00
eb5507844b
Testing the module on different version
...
The module have been tested on different version of ChurchCRM (6.8.0 and
6.2.0) prooving it's vulnerability to this exploit. This commit contains
modification of the dockerfile/docker-compose in order to support
multi-version installation.
2026-02-05 12:36:26 +01:00
40073bcc8e
typo in docs
2026-02-05 09:00:15 +00:00
50f46aa85d
add docs
2026-02-04 20:36:10 +00:00
4d65f15884
Adding a link to the CVE
2026-02-04 16:17:15 +01:00
ca5ceae1b3
Adding documentation to the churchcrm module
...
The documentation of the module is addedd.
2026-02-04 16:04:42 +01:00
f393055afd
Adds docker instruction
2026-02-04 12:59:38 +01:00
bc77c63496
Adds documentation
2026-02-04 12:57:58 +01:00
6a1babf6c3
Updates docs, fixes JWT, module cleanup
2026-02-04 12:40:41 +01:00
005fbb17a1
Address PR #20768 review feedback
...
- Fix machineKey extraction regex to handle decryption attribute
- Replace Base64.strict_encode64 with Rex::Text.encode_base64
- Add READ_FILE and EXTRACT_MACHINEKEY actions
- Add PRODUCT option for CentreStack/Triofox support
- Use different storage endpoints per product type
- Update documentation with new options and actions
2026-02-04 08:38:35 +01:00
7776588577
Address PR #20768 review feedback
...
- gladinet.rb: Fix machineKey regex to match decryptionKey then validationKey explicitly
- gladinet.rb: Remove DEFAULT_WEB_CONFIG_PATH constant, inline in each module's datastore option
- gladinet_storage_access_ticket_forge.rb: Inline version check
- gladinet_storage_access_ticket_forge.rb: Inline FILEPATH default value (with C:\ for absolute path)
- gladinet_storage_lfi_cve_2025_11371.rb: Inline version check
- gladinet_storage_lfi_cve_2025_11371.rb: Inline valid_response? method (removed)
- gladinet_storage_lfi_cve_2025_11371.rb: Inline FILEPATH default value (without C:\, stripped by build_lfi_path)
- gladinet_storage_lfi_cve_2025_11371.rb: Use vars_get with encode_params instead of manual URL building
- gladinet_viewstate_deserialization: Remove nil fallback (mandatory option with default)
- gladinet_viewstate_deserialization: Remove DEFAULT_MACHINE_KEY constant, inline in datastore option
- gladinet_viewstate_deserialization: Remove duplicate detect_app_type/extract_build_version (already in shared lib)
Note: Suggestion to rename gladinet? to is_gladinet? was NOT applied.
msftidy enforces Naming/PredicatePrefix convention which requires predicate
methods to NOT have 'is_' prefix (gladinet? is correct, is_gladinet? is not).
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-04 08:38:35 +01:00
b1adc514d1
Apply suggestions
...
Co-authored-by: jheysel-r7 <jheysel-r7@users.noreply.github.com >
2026-02-04 08:38:35 +01:00
6d25006e8d
Update documentation/modules/auxiliary/gather/gladinet_storage_access_ticket_forge.md
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-04 08:38:33 +01:00
6773459759
Update documentation/modules/auxiliary/gather/gladinet_storage_access_ticket_forge.md
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-04 08:38:33 +01:00
628c5ee7af
Update Gladinet modules: fix AutoCheck in auxiliary modules and update documentation with real outputs
2026-02-04 08:38:32 +01:00
478345506e
Add Gladinet CentreStack/Triofox auxiliary modules and exploit
2026-02-04 08:38:31 +01:00
bd049dcba4
doc update
2026-02-03 18:41:51 -08:00
a868bc95b2
GNU Inetutils Telnet Auth Bypass
2026-02-03 17:45:59 -08:00
75ff7b6af1
emacs extension persistence
2026-01-31 22:54:18 -05:00
1053ae5c85
Fixes default action, adds base for documentation
2026-01-30 15:39:31 +01:00
641ab527aa
Merge pull request #20857 from msutovsky-r7/exploit/freepbx/sql_to_rce_chain
...
Adds exploit module for FreePBX (CVE-2025-66039, CVE-2025-61675)
2026-01-28 20:03:17 -08:00
63a66ee162
Improved CVE version range info in description
2026-01-28 20:15:25 -07:00
be4a69ab1d
Merge pull request #20846 from msutovsky-r7/exploit/freepbx/injections_rce
...
Adds auxiliary module for FreePBX (CVE-2025-66039, CVE-2025-61675)
2026-01-28 06:39:47 -08:00
Brendan