feat: Add unauthenticated Openfire setup exploit template and .gitign…

[raskolnikoff]

Summary

Add initial Metasploit exploit template for unauthenticated Openfire setup bypass (CVE-2023-XXXX).

What’s Included

• New Ruby exploit module template: openfire_setup_unauth.rb
  • Inherits from Msf::Exploit::Remote
  • Includes HttpClient
  • Metadata filled (Name, Description, DisclosureDate)
  • Stubbed exploit method with logging (print_status)
• .gitignore updates for:
  • Ruby artifacts (e.g., .bundle/, vendor/bundle/)
  • Metasploit logs and temp files
  • Excluded OS-specific and gem binary files

Validation

• Verified Ruby syntax via:

ruby -c /openfire_setup_unauth.rb

• Bundler dependencies install cleanly:

cd metasploit-module/metasploit-framework
gem install bundler && bundle install

• Basic module load check:
• Start msfconsole
• reload_all
• use exploit/linux/http/openfire_setup_unauth
• show options lists RHOSTS, TARGETURI

Next Steps

• Implement actual exploit logic (e.g., path traversal or POST injection to bypass auth)
• Add check method for preliminary verification
• Test against local Openfire instance
• Prepare testcases and documentation for module integration

Security & Maintenance

• No secrets are included; .gitignore ensures no sensitive artifacts are tracked
• Structure supports safe modular development, easy cleanup, and future enhancements

[Copilot]

Pull Request Overview

This PR adds an initial Metasploit exploit template for an unauthenticated Openfire setup bypass vulnerability and improves project documentation by reorganizing Burp Suite plugin information.

• Creates a new Ruby exploit module template openfire_setup_unauth.rb with placeholder CVE reference
• Adds Metasploit framework as a git submodule for development structure
• Reorganizes and expands documentation for the Burp Extender plugin in both README.md and docs/index.md

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
metasploit-module/metasploit-framework	Adds Metasploit framework as a git submodule
metasploit-module/exploits/linux/http/openfire_setup_unauth.rb	New exploit template with basic structure and placeholder implementation
docs/index.md	Reorganizes Burp plugin documentation and removes outdated sections
README.md	Updates Burp plugin documentation section
.gitmodules	Configures git submodule for Metasploit framework

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Missing 'return' statement before the CheckCode. This will cause the method to always return the last statement regardless of the condition.

Suggested change

	Exploit::CheckCode::Appears
	else
	print_status("Unexpected response (HTTP #{res.code}) - body length=#{res.body.to_s.length}")
	Exploit::CheckCode::Safe
	return Exploit::CheckCode::Appears
	else
	print_status("Unexpected response (HTTP #{res.code}) - body length=#{res.body.to_s.length}")
	return Exploit::CheckCode::Safe

[github-actions]

Qodana Community for JVM

It seems all right 👌

No new problems were found according to the checks applied

View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

• Register at Qodana Cloud and configure the action
• Use GitHub Code Scanning with Qodana
• Host Qodana report at GitHub Pages
• Inspect and use qodana.sarif.json (see the Qodana SARIF format for details)

To get *.log files or any other Qodana artifacts, run the action with upload-result option set to true,
so that the action will upload the files as the job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2025.2.1
        with:
          upload-result: true

Contact Qodana team

Contact us at qodana-support@jetbrains.com

• Or via our issue tracker: https://jb.gg/qodana-issue
• Or share your feedback: https://jb.gg/qodana-discussions