Zach Goldman
d960aa522c
Land #18348, Splunk account takeover (CVE-2023-32707) leading to RCE
2023-10-26 11:34:02 -04:00
Heyder Andrade
e5e58bc0be
Update modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb
...
Co-authored-by: Zach Goldman <106169455+zgoldman-r7@users.noreply.github.com>
2023-10-26 14:03:06 +02:00
Heyder Andrade
c0af43c10b
Update modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb
...
Co-authored-by: Zach Goldman <106169455+zgoldman-r7@users.noreply.github.com>
2023-10-25 11:02:30 +02:00
Christophe De La Fuente
ff9639e6a6
Land #18460, VMware Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE
2023-10-24 17:32:28 +02:00
Heyder Andrade
5e19c8fd88
Update splunk_privilege_escalation_cve_2023_32707.rb
2023-10-24 14:44:27 +02:00
h00die
fa71d8b6e2
set all targets to dynamically build list
2023-10-23 06:54:38 -04:00
h00die
97f9edb5f7
review
2023-10-23 06:35:23 -04:00
Christophe De La Fuente
da9d04d32d
Land #18461, CVE-2023-22515 - Atlassian Confluence unauthenticated RCE
2023-10-19 10:22:57 +02:00
sfewer-r7
5e84f57ab3
set :random to true during generate_jar so we can randomize the metasploit class path
2023-10-18 09:53:46 +01:00
sfewer-r7
fcffd36af0
no need to test for true, just return the value as we are waiting for done to be set to true
2023-10-18 09:37:04 +01:00
sfewer-r7
9fdbccb74f
catch a JSON ParserError exception and fail_with() if needed. Also detect if the JSON data doesn't have the expected value and fail_with() if needed
2023-10-18 09:36:02 +01:00
h00die
00b534dbed
review
2023-10-17 13:17:10 -04:00
sfewer-r7
34107e4f3b
favor over for string concatenation.
2023-10-17 11:36:07 +01:00
sfewer-r7
0fc35bf6d3
randomize the plugins version number
2023-10-17 10:01:02 +01:00
sfewer-r7
415bd49b15
use next semantics to return from a yielded block early (note we cannot use return for this)
2023-10-17 09:43:00 +01:00
sfewer-r7
54f334479a
fix another typo
2023-10-17 09:30:52 +01:00
sfewer-r7
9e6e9538e1
typo
2023-10-17 09:29:38 +01:00
sfewer-r7
d2438bad4e
add a note to explain we need to concat a trailing forward slash
2023-10-17 09:28:04 +01:00
sfewer-r7
4acdaf3087
typos
2023-10-17 09:22:09 +01:00
sfewer-r7
d17f065f12
remove 'localhost' in favor of some random chars
2023-10-17 09:21:28 +01:00
sfewer-r7
3242a7009b
clarify timeout is in seconds
2023-10-17 09:11:05 +01:00
sfewer-r7
b97cb9f63d
remove whitespace
2023-10-17 09:10:28 +01:00
sfewer-r7
1c027ac05c
add an RCE exploit for CVE-2023-22515
2023-10-16 20:50:18 +01:00
h00die
b3b1595ef4
vmware aria ssh keys exploit
2023-10-16 13:06:17 -04:00
Spencer McIntyre
05dd2e1473
Land #18351, Apache Superset RCE (CVE-2023-37941)
2023-10-12 17:10:10 -04:00
adfoster-r7
80d2fa738d
Land #18296, update more mysql modules to support newer authentication methods
2023-10-12 17:19:02 +01:00
Spencer McIntyre
86b7ec4518
Address comments from the review
2023-10-12 09:50:19 -04:00
Spencer McIntyre
4f734379d3
Add module docs and print some messages
2023-10-12 09:27:26 -04:00
Spencer McIntyre
0799f9d860
Add a check method and populate module metadata
2023-10-12 09:27:26 -04:00
Spencer McIntyre
7a226ba285
Randomize components in the MAR file
2023-10-12 09:27:26 -04:00
Spencer McIntyre
5a6dc7f9a6
Initial commit of CVE-2023-43654
2023-10-12 09:27:26 -04:00
Rory McKinley
1b172768b4
Use upstream ruby-mysql in Remote::MYSQL
...
* ... and dependents
2023-10-12 13:08:35 +02:00
Spencer McIntyre
45be501a50
Raise a more specific error message
...
Check for and raise a more specific error message when the internal
database fails to mount because the path is incorrect.
2023-10-10 15:21:35 -04:00
Spencer McIntyre
59da2865d9
Use an exec-in-place gadget for Python
...
This adds a Python deserialization gadget that will exec arbitrary
Python code in place. It is only compatible with Python 3.x due to
differences in Python's exec function and statement between 2 and 3.
2023-10-10 14:01:24 -04:00
Jack Heysel
fb834b235a
Land #18417, Add Kibana Upgrade Assistant RCE
...
Kibana before version 7.6.3 suffers from a prototype
pollution bug within the Upgrade Assistant. This PR adds
an exploit module to exploit the bug. There is no CVE
for this issue at the moment.
2023-10-06 17:29:02 -04:00
h00die
931a67d290
kibana telemetry rce rewritten to use fetch payloads
2023-10-06 09:55:10 -04:00
h00die
a2a9becc73
convert cmd_stager to fetch payloads
2023-10-06 07:40:17 -04:00
h00die
5e0538a239
review comments round 1
2023-10-05 13:12:33 -04:00
sfewer-r7
8431d11654
leverage Rex::MIME::Message instead of creating the multipart data manually
2023-10-04 09:39:25 +01:00
sfewer-r7
ccd8c71ec6
change the payload space to 5000. This allows all the payloads I tested to work but also allows all the 3 gadget chains I tested to work. ClaimsPrincipal and TypeConfuseDelegate will fail if the space is too large.
2023-10-04 09:38:42 +01:00
sfewer-r7
1be8e0245b
remove the powershell target as the powershell command adapter will handle this for us (thanks Spencer). Increase the space to handle the larger powershell command lines. I tested with cmd/windows/powershell/x64/meterpreter/reverse_tcp and the powershell command length was 4404.
2023-10-03 17:48:37 +01:00
sfewer-r7
2eacb75feb
Add a reference to the AssetNote blog. Better describe what the TARGET_URI option is for and why it defaults to /AHT/
2023-10-03 11:17:21 +01:00
h00die
88eb44be64
kibana telemetry rce
2023-10-02 16:53:20 -04:00
sfewer-r7
1695a12c9c
Explicitly state both the release name (e.g. 2022.0.2) and the version number (e.g. 8.8.2) in a more consistent way.
2023-10-02 17:40:11 +01:00
sfewer-r7
53ed4a632b
add in exploit module for CVE-2023-40044 - WS_FTP unauthenticated RCE via .NET deserialization.
2023-10-02 11:42:19 +01:00
Christophe De La Fuente
50155e3d94
Land #18389, Juniper Junos OS PHPRC Manipulation RCE (CVE-2023-36845)
2023-09-29 18:05:28 +02:00
Jack Heysel
37bc4ca51f
Fixed root password resetting
2023-09-29 11:40:03 -04:00
Jack Heysel
58642c16c9
Changed WebSocket to SSH
2023-09-28 14:41:03 -04:00
Jack Heysel
3f15de3995
Responded to Christophe's suggestions
2023-09-28 14:26:37 -04:00
Spencer McIntyre
36d8a34d39
Land #18408, JetBrains TeamCity CVE-2023-42793
2023-09-28 14:01:59 -04:00