Add Msf::Exploit::Remote::HTTP::Windmill mixin#21244

Status: Open. Chocapikk wants to merge 1 commit into rapid7:master from Chocapikk:add-windmill-mixin.

Conversation

Chocapikk (Contributor) commented Apr 7, 2026

Hello Metasploit Team,

This adds Msf::Exploit::Remote::HTTP::Windmill, an HTTP mixin for interacting with the Windmill workflow automation platform.

This is PR 2/5 of the Windfall suite. Depends on #21242 (Rex::Proto::PostgreSQL). Required by #21245 (Windmill Modules).

What It Does

The mixin provides exploit primitives for Windmill and Nextcloud Flow deployments:

  • Detection: Auto-detects deployment type (standalone, Flow proxy, Flow direct) via response fingerprinting
  • Path traversal: File read via CVE-2026-29059, auto-applies triple URL encoding for proxy deployments
  • Authentication: JWT forging using leaked jwt_secret, token verification, login
  • Workspace management: Auto-discovery, creation if needed
  • Job execution: Run bash/python/deno via Windmill's job API, poll for results
  • PostgreSQL extraction: Uses Rex::Proto::PostgreSQL to extract credentials from heap files without DB access

Files

| File | Purpose |
| --- | --- |
| lib/msf/core/exploit/remote/http/windmill.rb | Main mixin loader |
| lib/msf/core/exploit/remote/http/windmill/constants.rb | API endpoints, paths |
| lib/msf/core/exploit/remote/http/windmill/http_helpers.rb | Request helpers, encoding |
| lib/msf/core/exploit/remote/http/windmill/detection.rb | Deployment detection |
| lib/msf/core/exploit/remote/http/windmill/auth.rb | JWT forging, authentication |
| lib/msf/core/exploit/remote/http/windmill/workspace.rb | Workspace management |
| lib/msf/core/exploit/remote/http/windmill/file_read.rb | Path traversal file read |
| lib/msf/core/exploit/remote/http/windmill/jobs.rb | Code execution API |
| lib/msf/core/exploit/remote/http/windmill/postgres.rb | PostgreSQL heap extraction |

Verification

msfconsole -q -x "require 'msf/core/exploit/remote/http/windmill'; puts 'Windmill mixin loaded'; exit"
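The description above notes that the mixin applies triple URL encoding to traversal requests when a reverse proxy sits in front of Windmill. On the defensive side, the practical consequence is that a detector which percent-decodes a request path only once will miss such requests. The following Ruby snippet is an added example (not part of this PR, of Metasploit, or of Windmill) showing how to peel off nested encoding layers before checking for a `..` segment, run over a handful of constructed access-log lines. The log lines, the `/api/w/demo/...` paths and the `MAX_ROUNDS` limit are all assumptions made for the example, not values taken from the page.

```ruby
# Added example: detect multiply percent-encoded path traversal in access logs.
# Not part of the PR or any Windmill/Metasploit code; all sample data below is
# constructed for illustration.

# Upper bound on decoding rounds so a pathological input cannot loop forever.
MAX_ROUNDS = 5

# Decode one layer of %XX escapes without touching '+' (unlike CGI.unescape),
# since we are normalising a path, not a form field.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Repeatedly decode until the path stops changing or MAX_ROUNDS is reached.
# Returns [fully_decoded_path, number_of_layers_removed].
def decode_layers(path, max_rounds = MAX_ROUNDS)
  current = path
  rounds = 0
  while rounds < max_rounds
    decoded = percent_decode(current)
    break if decoded == current
    current = decoded
    rounds += 1
  end
  [current, rounds]
end

# A '..' segment delimited by '/' or '\' (or at either end of the path).
TRAVERSAL = %r{(^|[/\\])\.\.([/\\]|$)}

def traversal?(decoded_path)
  !!(decoded_path =~ TRAVERSAL)
end

# Minimal parser for the request part of a common/combined-format log line.
LOG_RE = /"(?<method>[A-Z]+) (?<path>\S+) HTTP\/[\d.]+"/

# Return one hash per flagged line: the raw path, its decoded form and how many
# encoding layers had to be removed before the traversal became visible.
def flag_log_lines(lines)
  lines.filter_map do |line|
    m = LOG_RE.match(line) or next
    decoded, layers = decode_layers(m[:path])
    next unless traversal?(decoded)
    { path: m[:path], decoded: decoded, layers: layers }
  end
end

# Constructed sample log lines (not real traffic): a benign request, a benign
# request with one encoded space, then plain, single-encoded and
# triple-encoded traversal attempts against the same target path.
SAMPLE_LOG = [
  '10.0.0.5 - - [07/Apr/2026:17:05:00 +0000] "GET /api/version HTTP/1.1" 200 42',
  '10.0.0.5 - - [07/Apr/2026:17:05:01 +0000] "GET /api/w/demo%20space/jobs HTTP/1.1" 200 512',
  '10.0.0.5 - - [07/Apr/2026:17:05:02 +0000] "GET /api/w/demo/../../etc/hostname HTTP/1.1" 404 0',
  '10.0.0.5 - - [07/Apr/2026:17:05:03 +0000] "GET /api/w/demo/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 0',
  '10.0.0.5 - - [07/Apr/2026:17:05:04 +0000] "GET /api/w/demo/%25252e%25252e%25252f%25252e%25252e%25252fetc%25252fhostname HTTP/1.1" 200 19'
].freeze

if __FILE__ == $0
  flag_log_lines(SAMPLE_LOG).each do |hit|
    puts "traversal after #{hit[:layers]} decode layer(s): #{hit[:path]} -> #{hit[:decoded]}"
  end
end
```

The `layers` value is useful in its own right: a request that only becomes a traversal after two or three decoding rounds is almost never legitimate client behaviour, and a proxy that decodes once before forwarding is exactly the situation where a single-decode WAF rule would have passed it through.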

HTTP mixin for Windmill workflow automation platform. Handles deployment
detection (standalone, Nextcloud Flow proxy, Flow direct), authentication
via JWT forging, path traversal file read, workspace management, and
PostgreSQL heap file credential extraction.
Chocapikk force-pushed the add-windmill-mixin branch from 5c09b1f to 611996f on April 7, 2026 17:05.