561eef98c1
Land #20188 , adds module for CVE-2024-7399 Samsung MagicINFO 9 Server
...
Samsung MagicINFO 9 Server RCE (CVE-2024-7399) Module
2025-05-19 09:49:09 +02:00
76471731f9
Merge pull request #20112 from cdelafuente-r7/mod/ivanti/rce/cve_2025_22457
...
Ivanti Connect Secure Unauthenticated RCE via Stack-based Buffer Overflow CVE-2025-22457
2025-05-15 11:44:49 -05:00
c598d8b4b0
Land #20020 , adds module for Nextcloud Workflow Remote Code Execution
...
Add exploit module for the nextcloud workflow vulnerability CVE-2023-26482
2025-05-15 12:31:51 +02:00
365caab8fc
Update the error message in case of Broken pipe error and update the documentation
2025-05-15 12:10:53 +02:00
2259de33c1
Fixed a txpo in nextcloud_workflows_rce.md
2025-05-14 13:40:47 +00:00
fe5f56cac0
Land #20159 , adds module for privilege escalation in Wordpress (CVE-2025-2563)
...
Add Unauthenticated privesc for WP User Registration & Membership plugin (CVE-2025-2563)
2025-05-14 15:33:30 +02:00
7d8d0230cb
Land #20026 , adds module for CVE-2024-57487
...
New Exploit Module & Documentation for CVE-2024-57487
2025-05-14 08:00:20 +02:00
e335841bb0
Add Unauthenticated privesc for WP User Registration & Membership plugin (CVE-2025-2563)
2025-05-13 21:42:09 +02:00
cb6495e5bc
Merge pull request #20146 from Chocapikk/wp_suretriggers_auth_bypass
...
Add WP SureTriggers ≤1.0.78 admin-creation & RCE module (CVE-2025-3102)
2025-05-13 10:53:44 -05:00
09aaf5865c
Rearranged code and removed wait_for_payload_session
2025-05-13 13:48:56 +00:00
e819362398
automatic module_metadata_base.json update
2025-05-13 13:45:30 +00:00
5faa0a5b6b
Merge pull request #19777 from msutovsky-r7/linqpad_deserialization
...
Linqpad deserialization persistence
2025-05-13 08:03:30 -05:00
3af76cfa00
Renames incorrect option in documentation
...
Co-authored-by: Brendan <bwatters@rapid7.com >
2025-05-13 06:30:00 +02:00
8c647cd1ad
Land #20118 , changes target option for smb_to_ldap module
...
Fix the smb_to_ldap module's missing target option
2025-05-12 09:56:06 +02:00
e9c88b55f2
cleanup
2025-05-09 22:39:30 +01:00
803581ab81
CVE-2024-7399
2025-05-09 17:27:22 +01:00
4d0c7bb71a
Add WP SureTriggers ≤1.0.78 admin-creation & RCE module (CVE-2025-3102)
2025-05-07 17:45:30 +02:00
d16c639278
Adds cleanup option in documentation
2025-05-06 09:07:21 +02:00
24a86cd74a
Refactoring based on comments
2025-05-06 08:43:57 +02:00
4b9032a487
Merge pull request #20060 from mekhalleh/rce_cve-2025-21293
...
Added exploit module for CVE-2025-32433 (Erlang/OTP)
2025-05-02 07:05:30 -07:00
3216fbbde3
Fix the smb_to_ldap module
2025-05-01 16:59:16 -04:00
0f22a18dac
Merge pull request #20081 from msutovsky-r7/exploit/wondercms-rce
...
Adds module for CVE-2023-41425 WonderCMS RCE
2025-04-30 13:14:45 -07:00
d83e6072ef
Add the module and documentation for Ivanti RCE CVE-2025-22457
2025-04-30 22:02:16 +02:00
f2e0fe79be
Responding to comments
2025-04-30 17:53:26 +02:00
39a5d710aa
Refactor module: modularization, session-path leak, randomized key, improved check
...
- Centralized fetch_cookies_and_csrf and execute_via_session methods for clarity
- Added leak_session_path() to call send_transform("phpinfo") and parse session.save_path via XPath
- In check(): first try to leak the PHP session directory (report vulnerable if successful), then perform a simple RCE check by summing two 4-digit random numbers with print_r()
- Stub injection now happens once in fetch_cookies_and_csrf; execute_via_session only needs the payload
- Randomized the "as hack" key in send_transform
- Simplified exploit() to reuse execute_via_session with a Base64-encoded payload
- Big thanks to @jvoisin for the suggestions!
2025-04-30 00:24:25 +02:00
f24801a4a4
Update doc
2025-04-29 20:06:40 +02:00
32a8e6797e
fixes review
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-27 20:31:13 +04:00
89404c28e1
Fix markdown
2025-04-26 23:55:00 +02:00
b8d2681335
Remove useless config suggestions
2025-04-26 23:53:59 +02:00
c4e621f3cf
Add new exploit for CVE-2025-32432: Craft CMS Preauth RCE
2025-04-26 05:43:13 +02:00
b117843c00
Addressing comments
2025-04-25 20:17:46 +02:00
9d5c4a59e8
Adding documentation
2025-04-25 14:47:00 +02:00
665065e4df
Module init
2025-04-25 14:35:24 +02:00
740a8130d4
combine modules
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-25 10:35:16 +04:00
f5aafdcfdf
Merge pull request #20046 from Takahiro-Yoko/bentoml_runner_server_rce_cve_2025_32375
...
Add BentoML's runner server unauth RCE module (CVE-2025-32375)
2025-04-22 12:32:08 -07:00
1da0ebff66
exploit/solaris/sunrpc/sadmind_*: Cleanup and add documentation
2025-04-22 13:33:25 +10:00
0a428b8d03
add scanner capability + code review
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-20 18:02:52 +04:00
59ed219775
Added exploit module for CVE-2025-21293 (Erlang/OTP)
...
Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re >
2025-04-19 00:18:46 +04:00
98702a6326
Merge pull request #20044 from jheysel-r7/cve_2025_21293
...
Updated service_permissions with action to exploit CVE-2025-21293
2025-04-17 13:24:46 -05:00
e1b5109c70
Add BentoML RCE module (CVE-2025-32375)
2025-04-17 20:46:43 +09:00
3ead0fdf42
Add check for is_uac_enabled?
2025-04-16 17:59:53 -07:00
9a95f60df6
Updated service_permissions with action to exploit CVE-2025-21293
2025-04-16 10:55:05 -07:00
edcc30699a
Make user be able to specify a particular endpoint
2025-04-16 21:47:31 +09:00
8dc4beba7f
Update documentation/modules/exploit/linux/http/bentoml_rce_cve_2025_27520.md
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2025-04-16 20:48:34 +09:00
a33a8d91fe
Update the document
2025-04-16 12:52:15 +09:00
e51cd24383
Add BentoML RCE module (CVE-2025-27520)
2025-04-15 22:46:42 +09:00
0a3e3c3b6b
Made all changes as requested
2025-04-14 23:40:25 +05:30
140b93e802
Land #20022 , Langflow RCE module
...
Add Langflow unauth RCE module (CVE-2025-3248)
2025-04-14 08:24:44 +02:00
c7fdcc8e91
Update the document
2025-04-12 10:21:13 +09:00
cd307984cb
msftidy Fixes
2025-04-11 23:05:43 +05:30
msutovsky-r7