Spencer McIntyre
9b8b7045ff
Land #18715, Add Splunk library
2024-03-05 16:17:30 -05:00
Christophe De La Fuente
1e8e6d3bc4
Land #18796, Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966
2024-03-04 20:35:22 +01:00
Christophe De La Fuente
39af0bf535
Set Java target default payload to java/meterpreter/reverse_tcp
2024-03-04 20:33:27 +01:00
sjanusz-r7
3c8f43e23e
Align SQL sessions peerhost and peerport
2024-03-04 13:11:32 +00:00
Jack Heysel
a73a7531a9
Land #18827, Add module for BoidCMS CVE-2023-38836
...
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
2024-02-29 21:31:44 -08:00
bwatters
550c6f030a
Updates based on jheysel-r7's suggestions
2024-02-29 12:42:22 -06:00
sjanusz-r7
b423241e6b
Use Rex Post MySQL Client for lib, specs & modules
2024-02-28 18:19:50 +00:00
Jack Heysel
f2de6d6357
Land #18870, Add ConnectWise ScreenConnect module.
...
This PR adds an unauthenticated RCE exploit for ConnectWise
ScreenConnect (CVE-2024-1709).
2024-02-23 11:25:33 -08:00
sfewer-r7
ebe6e54259
use the Faker module to gen the plugins metadata.
2024-02-23 17:48:01 +00:00
sfewer-r7
fe8867356e
we can use Faker::Internet.uuid here instead of rolling our own uuid maker
2024-02-23 17:47:28 +00:00
sfewer-r7
f3af1836ce
allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address
2024-02-23 17:46:49 +00:00
sfewer-r7
003d5e7006
The check routine can now display the target's platform in addition to the version number (we can determine this with a single request, so there is no major change here). This is useful so you know what platform to set the exploit's target to (so you can select an appropriate payload). Thanks @iagox86 for the idea!
2024-02-22 19:23:48 +00:00
errorxyz
97513d473f
Update manageengine_endpoint_central and servicedesk_plus default payloads
2024-02-23 00:00:18 +05:30
sfewer-r7
27a1233de8
Turns out only x64 is supported on Windows, so remove ARCH_X86, as if we try to inject an x86 payload in-memory we crash the target x64 service.
2024-02-22 16:41:18 +00:00
sfewer-r7
79bfbe4310
now that Linux is a target we have to move this to the multi directory
2024-02-22 16:34:43 +00:00
cgranleese-r7
d52220cccb
Fixes the create session datastore option from appearing for payloads
2024-02-22 14:58:41 +00:00
sfewer-r7
0b14d1b495
add a Linux command payload target, tested on version 20.3.31734. We leverage the path traversal CVE-2023-1708 to ensure the dropped ASHX file can be reached. This was blocking the Linux target from working. Also works fine on Windows. We leverage FileDropper mixin to delete this file.
2024-02-22 14:54:45 +00:00
sfewer-r7
8b4fee010c
remove the full stop to make it easier to copy and paste the password (and not accidentally copy the full stop character)
2024-02-22 14:52:18 +00:00
Gaurav Jain
b2cb102c9b
Merge branch 'rapid7:master' into manageengine
2024-02-22 17:20:28 +05:30
Gaurav Jain
51dcd5c971
Update splunk cve-2023-32707 to use reviewed changes
2024-02-22 17:13:44 +05:30
sfewer-r7
eded0e7788
POST the payload.encoded data when we trigger the ASHX file, this way we don't drop the Metasploit payload to disk.
2024-02-21 23:38:35 +00:00
sfewer-r7
e0ee7940d0
CISA has assigned this vulnerability CVE-2024-1709
2024-02-21 17:12:08 +00:00
sfewer-r7
2839683af5
use Rex::RandomIdentifier::Generator to generate identifiers.
2024-02-21 17:08:40 +00:00
Jack Heysel
0aa20c73a4
Land #18832, Add exploit module CVE-2023-47218
...
The PR adds a module targeting CVE-2023-47218, an
unauthenticated command injection vuln affecting QNAP
QTS and QuTS hero.
2024-02-21 08:48:30 -08:00
sfewer-r7
10f11c94e1
improve the error description for failure messages
2024-02-21 16:11:50 +00:00
sfewer-r7
9828ffa870
add an in-memory payload target
2024-02-21 16:07:01 +00:00
sfewer-r7
2d8b0f414d
remove redundant slashes in other calls to normalize_uri
2024-02-21 16:04:19 +00:00
sfewer-r7
61c1a513a5
drop the leading forward slash
2024-02-21 15:59:25 +00:00
sfewer-r7
6d473b2424
remove debug prints
2024-02-21 13:30:06 +00:00
sfewer-r7
c529749f77
fix tabs
2024-02-21 13:14:35 +00:00
bwatters
d21e4080a9
Land #18792, Ivanti Connect Secure - Unauth RCE (CVE-2024-21893 + CVE-2024-21887) #18792
...
Merge branch 'land-18792' into upstream-master
2024-02-20 17:40:12 -06:00
cgranleese-r7
de17261926
Removes session types from module with session type mixin
2024-02-19 10:34:16 +00:00
bwatters
c298540bea
Add documentation and fix default payloads
2024-02-16 16:49:49 -06:00
Jack Heysel
8cddffa3d1
Land #18700, Add Kafka-ui Unauth RCE module
...
This PR adds an exploit module for CVE-2023-52251 which
is an unauthenticated rce vulnerability in Kafka's UI.
2024-02-16 15:38:52 -05:00
Jack Heysel
a1b0ff0fcf
Land #18681, Update Apache Ofbiz w. Auth-Bypass
...
This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
2024-02-16 15:02:34 -05:00
Jack Heysel
6c252de974
Docs plus minor edits
2024-02-15 17:12:11 -05:00
bwatters
9e75b70868
Add Windows target
2024-02-15 16:00:59 -06:00
bwatters
8a1f5de8f1
Fix msftidy issue and update file delete
2024-02-15 10:00:44 -06:00
bwatters
20563b64b2
add check method
2024-02-15 09:05:54 -06:00
adfoster-r7
e49c6a792a
Land #18770, Extract SMB, PostgreSQL, MySQL and MSSQL optional sessions into their own mixins
2024-02-15 13:19:37 +00:00
bwatters
843c64d2f6
Code cleaned up
2024-02-14 19:08:11 -06:00
bwatters
67cd9b425b
Working, but ugly
2024-02-14 15:42:50 -06:00
h00die-gr3y
d716e60cf2
added base64 encoder module of zerosteiner
2024-02-14 21:33:50 +00:00
h00die-gr3y
f5c71d09c2
using data/kafka_ui_versions.json for the version check
2024-02-14 20:57:46 +00:00
H00die.Gr3y
8b70cefd83
Update modules/exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-02-14 20:57:46 +00:00
h00die-gr3y
f75722ecf2
Small updates to module and documentation
2024-02-14 20:57:46 +00:00
h00die-gr3y
dde7e3c5d3
Small tweaks to verbose messages
2024-02-14 20:57:46 +00:00
h00die-gr3y
d5f30befbb
Second release of module
2024-02-14 20:57:46 +00:00
h00die-gr3y
3db32da70f
First release of module.
2024-02-14 20:57:45 +00:00
h00die-gr3y
5f703b2e28
First draft. Not ready for review
2024-02-14 20:57:45 +00:00