Spencer McIntyre
9b8b7045ff
Land #18715, Add Splunk library
2024-03-05 16:17:30 -05:00
Christophe De La Fuente
1e8e6d3bc4
Land #18796, Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966
2024-03-04 20:35:22 +01:00
Christophe De La Fuente
39af0bf535
Set Java target default payload to java/meterpreter/reverse_tcp
2024-03-04 20:33:27 +01:00
Jack Heysel
a73a7531a9
Land #18827, Add module for BoidCMS CVE-2023-38836
...
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
2024-02-29 21:31:44 -08:00
bwatters
550c6f030a
Updates based on jheysel-r7's suggestions
2024-02-29 12:42:22 -06:00
sfewer-r7
ebe6e54259
use the Faker module to gen the plugin's metadata.
2024-02-23 17:48:01 +00:00
sfewer-r7
fe8867356e
we can use Faker::Internet.uuid here instead of rolling our own uuid maker
2024-02-23 17:47:28 +00:00
sfewer-r7
f3af1836ce
allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address.
2024-02-23 17:46:49 +00:00
sfewer-r7
003d5e7006
The check routine can now display the target's platform in addition to the version number (we can determine this with a single request, so there is no major change here). This is useful so you know what platform to set the exploit's target to (so you can select an appropriate payload). Thanks @iagox86 for the idea!
2024-02-22 19:23:48 +00:00
errorxyz
97513d473f
Update manageengine_endpoint_central and servicedesk_plus default payloads
2024-02-23 00:00:18 +05:30
sfewer-r7
27a1233de8
Turns out only x64 is supported on Windows, so remove ARCH_X86, as if we try to inject an x86 payload in-memory we crash the target x64 service.
2024-02-22 16:41:18 +00:00
sfewer-r7
79bfbe4310
now that Linux is a target, we have to move this to the multi directory
2024-02-22 16:34:43 +00:00
Gaurav Jain
51dcd5c971
Update splunk cve-2023-32707 to use reviewed changes
2024-02-22 17:13:44 +05:30
bwatters
c298540bea
Add documentation and fix default payloads
2024-02-16 16:49:49 -06:00
bwatters
9e75b70868
Add Windows target
2024-02-15 16:00:59 -06:00
bwatters
8a1f5de8f1
Fix msftidy issue and update file delete
2024-02-15 10:00:44 -06:00
bwatters
20563b64b2
add check method
2024-02-15 09:05:54 -06:00
bwatters
843c64d2f6
Code cleaned up
2024-02-14 19:08:11 -06:00
bwatters
67cd9b425b
Working, but ugly
2024-02-14 15:42:50 -06:00
bwatters
cc0fc56874
Draft nonworking start
2024-02-12 17:44:24 -06:00
Gaurav Jain
184ed3a162
Add suggested changes
2024-02-09 02:22:20 +05:30
Gaurav Jain
4dc21bae45
Merge branch 'rapid7:master' into manageengine
2024-02-08 15:11:15 +05:30
Gaurav Jain
25804edbf4
Add java targets for manageengine cve-2022-47966 modules
2024-02-08 01:55:52 +05:30
Jack Heysel
85974d16c2
Land #18769, Add Cacti RCE via SQLi Module
...
This exploit module leverages a SQLi (CVE-2023-49085) and
an LFI (CVE-2023-49084) vulnerability in Cacti versions prior
to 1.2.26 to achieve RCE.
2024-02-02 11:46:10 -05:00
Christophe De La Fuente
b91648f065
Fix typos
2024-02-02 11:45:51 +01:00
Christophe De La Fuente
1ff1302df7
Use exceptions instead of returning a boolean in do_login
2024-02-02 11:39:13 +01:00
Jack Heysel
be2d2d61ca
Land #18762, Add exploit module for CVE-2024-0204
...
This pull request adds an exploit module for CVE-2024-0204
in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from
6.0.1, and 7.x before 7.4.1 are vulnerable.
2024-02-01 22:36:32 -05:00
sfewer-r7
b259c5d6a7
store the credentials we create in the DB
2024-02-01 19:48:01 +00:00
sfewer-r7
612feac5f1
add in vendor advisory URL
2024-02-01 19:47:23 +00:00
Christophe De La Fuente
81eba7a6e7
Use FileDropper mixin and fix typo
2024-02-01 17:23:05 +01:00
Christophe De La Fuente
5054b3bfd0
Add methods to get the version and the CSRF token
2024-02-01 12:31:01 +01:00
Stephen Fewer
a867793870
Update modules/exploits/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-02-01 09:05:02 +00:00
Stephen Fewer
546de49bec
Update modules/exploits/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-02-01 09:04:49 +00:00
Stephen Fewer
6e4294c013
Update modules/exploits/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-02-01 09:04:26 +00:00
Christophe De La Fuente
f10619d870
Add module and documentation
2024-01-30 12:52:02 +01:00
Spencer McIntyre
577898d91b
Check the response when exploiting
2024-01-29 14:38:49 -05:00
sfewer-r7
c70092a2c7
bugfix a copy pasta whereby a path separator was not being added as expected
2024-01-29 17:52:37 +00:00
sfewer-r7
08a19959fe
add an RCE exploit module for CVE-2024-0204 in Fortra GoAnywhere MFT
2024-01-29 17:17:45 +00:00
Spencer McIntyre
b5de25a2b6
Fingerprint the target as Mirth Connect first
2024-01-29 12:11:38 -05:00
Spencer McIntyre
8a793dd1b0
Use the correct exploit and use sh instead of bash
2024-01-29 09:03:25 -05:00
Spencer McIntyre
9e41825e51
Finish up the exploit
...
Tested on Linux (versions 4.1.1, 4.3.0, and 4.4.0) and Windows (version
4.4.0).
2024-01-26 17:20:54 -05:00
Spencer McIntyre
530d58de49
Initial commit of NextGen Connect RCEs
2024-01-26 14:50:33 -05:00
Jack Heysel
fe84c0dff7
Land #18734, Add exploit for CVE-2023-22527
...
This adds an exploit for CVE-2023-22527 which is an
unauthenticated RCE in Atlassian Confluence. The
vulnerability is due to an SSTI flaw that allows an
OGNL expression to be evaluated.
2024-01-25 14:15:10 -05:00
Spencer McIntyre
96241b3a6e
Keep version detection consistent
2024-01-25 13:50:34 -05:00
Spencer McIntyre
49532613e5
Implement some feedback from the review
2024-01-25 09:20:17 -05:00
Spencer McIntyre
deabf9b1d8
Add module docs
2024-01-24 12:49:27 -05:00
adfoster-r7
094d6ee36b
Add additional reliability and stability notes to modules
2024-01-22 23:29:57 +00:00
Spencer McIntyre
b8a0e33ce3
Initial exploit for CVE-2023-22527
2024-01-22 17:06:29 -05:00
ekalinichev-r7
847a72c417
Land #18638, add exploit for CVE-2022-42889 Apache Commons Text RCE
2024-01-19 13:02:53 +01:00
Gaurav Jain
fd3ca96988
Update splunk cve-2023-32707 to use splunk library
2024-01-19 01:56:15 +05:30