This module abuses insufficient validation in the unauthenticated JCE profiles.import endpoint to upload a crafted profile file with a PHP extension. When the file is written under the Joomla tmp directory and executed by the web server, it provides a command execution primitive. 1. Fingerprints the JCE Editor component and checks the detected version. 2. Extracts a Joomla CSRF token from the site root. 3. Uploads a PHP command runner through the vulnerable profiles.import task. 4. Verifies code execution from the Joomla tmp directory. 5. Detects the target operating system through the command runner. 6. Uses the resulting command primitive to commit an OSCI agent or deploy a network agent.
This module checks for and exploits CVE-2026-44825, a hardcoded credentials exposure in the Apache Solr AuthTool BasicAuth configuration workflow. The vulnerability occurs when an Apache SolrCloud deployment is initialized with bin/solr auth enable. During that process, AuthTool loads the bundled security.json template and adds the administrator-supplied user, but it may leave template users such as superadmin, admin, index, and search enabled. In affected installations, those users keep trivial passwords equal to their usernames. In affected installations, those users keep trivial passwords equal to their usernames (superadmin, admin, index, search). As a result, a remote attacker who can reach the Solr HTTP interface may authenticate with predictable credentials and access protected administrative endpoints. If the template accounts have high-impact permissions, the attacker may also be able to modify authentication or authorization settings, create users, or assign roles. Steps: Fingerprint the target by querying Apache Solr administrative endpoints and checking for Solr, BasicAuth, SolrCloud, and version indicators. Attempt the known template credentials superadmin:superadmin, admin:admin, index:index, and search:search against read-only administrative endpoints. If any template credential is accepted, mark the target as vulnerable and register CVE-2026-44825. Retrieve authorization data with the accepted credential and report the effective roles and permissions, including high-impact permissions such as security-edit, config-edit, core-admin-edit, and collection-admin-edit. A malicious attacker with this account may access indexed data stored in Solr and, depending on the assigned roles, create or modify Solr users and roles, change security settings, or alter core and collection configuration. If CREATE USER parameters are provided, use the valid template credential to create or update a proof user through /admin/authentication. Assign the proof user the template roles through /admin/authorization to demonstrate security configuration impact. Verify that the proof user can authenticate successfully and store the created credentials in Identity as exploitation evidence.
This module exploits DirtyClone, a local privilege escalation vulnerability in the Linux kernel. The trigger binary abuses the vulnerability to execute a caller-supplied custom ELF with root privileges. The module uses this mechanism to execute a generated Core Impact agent ELF. The module uploads the DirtyClone trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.
A Server-Side Request Forgery vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) allows unauthenticated remote attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. This module uses the previous vulnerability to upload a jsp webshell into the PSEMHUB.war directory to deploy a network agent via the /PSIGW/HttpListeningConnector endpoint. First, the module will validate the vulnerability by using a random string as operation. If the target is vulnerable, the response should be a base64 encoded java string object with the text "Invalid Operation specified" Then, the module will use the REGISTER_WITH_PEERNAME operation, to get a valid peer ObjectName Then, the module will use the HANDLE_MESSAGE operation with an embedded ExecuteProcessActivityCommand object to create the jsp webshell file inside the PSEMHUB.war directory (a web-accessible location). Finally, the module will make a request to the webshell to deploy the network agent. The deployed agent will run with the same user privileges as the target software.
A Server-Side Request Forgery vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) allows unauthenticated remote attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. This module uses the previous vulnerability to upload a jsp webshell into the PSEMHUB.war directory to deploy a network agent via the /PSIGW/HttpListeningConnector endpoint. First, the module will validate the vulnerability by using a random string as operation. If the target is vulnerable, the response should be a base64 encoded java string object with the text "Invalid Operation specified" Then, the module will use the REGISTER_WITH_PEERNAME operation, to get a valid peer ObjectName Then, the module will use the HANDLE_MESSAGE operation with an embedded ExecuteProcessActivityCommand object to create the jsp webshell file inside the PSEMHUB.war directory (a web-accessible location). Finally, the module will make a request to the webshell to deploy the network agent. The deployed agent will run with the same user privileges as the target software.
This module exploits the RoguePlanet local privilege escalation vulnerability in Microsoft Defender to execute a Core Impact agent with SYSTEM privileges. The exploit abuses Defender's privileged remediation workflow. RoguePlanet first prepares an attacker-controlled Windows Error Reporting path under a writable temporary directory and forces Defender to scan it. While Defender is cleaning the detected content, the trigger uses file-system synchronization primitives to redirect operations that started in the temporary tree so they later resolve inside the native Windows directory. After the Windows Error Reporting executable is reached through that redirected path, the module triggers the Windows Error Reporting scheduled task. When the executable starts as SYSTEM, RoguePlanet uses its named-pipe handoff to duplicate the SYSTEM token into the interactive session and launch the staged Core Impact agent. Because the primitive depends on race timing, the module records trigger output, retries failed attempts, verifies the returned agent privileges, and restores the original Windows Error Reporting executable. The public RoguePlanet proof of concept reports reliable exploitation on some systems and intermittent failures on others due to race timing. The exploit has been reported as tested against Windows 10 and Windows 11 systems with June 2026 patches installed. The steps performed by the exploit are: Resolves the native Windows and temporary paths, backs up the Windows Error Reporting executable, and stages the Core Impact agent with the RoguePlanet trigger. Starts the trigger as the current non-SYSTEM user. The trigger creates the RoguePlanet named pipe, mounts its embedded ISO, and creates a controlled temporary System32\\wermgr.exe path. Calls Defender through MpClient.dll so MpScanStart detects the staged content and MpCleanStart begins privileged remediation against the controlled path. Coordinates the race by watching for the new shadow-copy device, opening the staged file's alternate data stream, using oplocks and ReadDirectoryChangesW for timing, and repeatedly swapping directories with junctions. Turns the parent temporary directory into a junction to the native Windows directory so Defender cleanup and Windows Error Reporting file operations resolve to the real Windows Error Reporting executable. Triggers the \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting scheduled task, causing Windows Error Reporting to start as SYSTEM. Completes the SYSTEM handoff over the RoguePlanet named pipe, duplicates the SYSTEM token into the pipe server's session, and launches the staged Core Impact agent with CreateProcessAsUserA. Captures trigger output, retries timing-dependent failures, verifies SYSTEM privileges, and restores the backed-up executable.
This module performs profile-driven HTTP/2 HPACK bomb denial-of-service attacks against vulnerable servers. The module selects the requested profile and applies its default attack parameters unless PORT, CONNECTIONS or STREAMS are overridden. It verifies target reachability and, when required, records a pre-attack TCP or TLS latency baseline. It then establishes HTTP/2 sessions by negotiating h2, sending the client preface, and completing the initial SETTINGS exchange. After setup, it sends profile-specific HPACK bomb payloads through HEADERS and CONTINUATION frames across multiple streams. These payloads force the server to expand small compressed header blocks into much larger in-memory header state or repeated header reconstruction work. The attacked streams are held open for a profile-specific interval, optionally using WINDOW_UPDATE drips to keep server-side state active. Finally, the module determines success from post-attack liveness, latency degradation, or recovery behavior, depending on the selected profile. Blank parameters inherit the selected profile defaults. Most profiles require TLS plus ALPN h2 support in the runtime SSL stack. Pingora can be used over cleartext h2c by disabling USE TLS.
In a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. In CUPS, the server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line "PPD:" text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary with with lp user privileges. This module will first get the list of the shared printers of the target. Then, it will register an endpoint in the local webserver for future files exfiltrations. Later, it will use the vulnerability against each shared printer to exfiltrate the /etc/os-release file. If the file is retrieved, then the target will be marked as vulnerable and the following printers will be skipped in the attack. Also, the ID field of the exfiltrated file will be used to identify the Linux distribution and decide the following step of the attack. If the Linux distribution is Arch, then the module will use the vulnerability again to deploy an agent in the target that will run with the cups user privileges. If the Linux distribution is any other, the module will use the vulnerability again to exfiltrate the /etc/passwd file. This is due the fact that in any other Linux distribution CUPS's sub-processes are isolated and monitored by AppArmor or SELinux.
CVE-2026-9082 is a SQL injection vulnerability in Drupal Core when Drupal uses PostgreSQL. The vulnerable PostgreSQL Entity Query condition handling can place attacker-controlled array keys into PDO placeholder names, allowing raw SQL to reach PostgreSQL from anonymous HTTP entry points that build entity queries. In exposed configurations, this can lead to arbitrary SQL execution, data disclosure, privilege escalation, and, when the PostgreSQL role has sufficient privileges, remote code execution. The affected Drupal Core versions are 8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, and 11.3.0 through 11.3.9, only for sites using PostgreSQL. This module targets the JSON:API filter entry point. It automatically discovers a usable JSON:API resource and filter field, validates the SQL injection by leaking PostgreSQL context, and commits CVE-2026-9082 when the primitive is confirmed. If the PostgreSQL role is superuser, the module writes an Impact agent and an embedded PostgreSQL preload library through large objects, updates PostgreSQL preload settings, reloads the configuration, and launches the agent from a fresh PostgreSQL backend. If the role is not superuser, the module collects bounded PostgreSQL and Drupal evidence, then finishes gracefully after reporting that agent deployment is not possible.
This module exploits Fragnesia, a local privilege escalation vulnerability in the Linux kernel XFRM ESP-in-TCP subsystem. The vulnerability can be abused to corrupt cached pages of read-only privileged files through kernel networking components. The trigger binary temporarily corrupts the page-cache contents of "/usr/bin/su" with a small ELF launcher that executes a caller-supplied custom ELF as root. The module uses this mechanism to execute a generated Core Impact agent ELF. The module uploads the Fragnesia trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.