fb7a97077f
Land #14875,CVE-2021-21978 - VMWare View Planner Harness 4.6.x < 4.6 Security Patch 1 Arbitrary File Upload RCE
...
Merge branch 'land-14875' into upstream-master
2021-03-18 12:06:12 -05:00
b1c3c49eb5
Land #14757 , nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes
2021-03-16 17:43:43 -05:00
e30d8db082
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes
...
Resolve Rubocop violations
Fix off-by-one in array index triggered when no file upload succeeds
Fix cleanup: ensure files are removed when upload succeeds but execution fails
Add AutoCheck
Add module notes
Add error handling and associated operator feedback
Add additional writable paths required for some old Nagios versions
Add fallback to session as `apache` if privlege escalation fails
Update documentation in line with above changes and fix software download links
2021-03-16 07:13:55 +00:00
57931956d9
Fix bad style again
2021-03-15 01:33:32 -05:00
ecae6eb91a
Update response check to explicitly check if the response body is empty and to remove unneeded safe navigation operator
2021-03-14 13:14:52 -05:00
6616112b59
Correct exploit ranking, wrap file restoration in ensure clause, fix typos, and address other review comments
2021-03-14 00:00:18 -06:00
89ce1c5229
Quick update to make the backdoor a bit stealthier by removing the extra Payload Success! message that wasn't needed
2021-03-14 00:00:17 -06:00
a6c92a12a1
Add link to wvu's PoC and fix typo
2021-03-14 00:00:17 -06:00
4f2e299d8f
Update the exploit to use Python as its payload since this is a lot more flexible, allows Meterpreter, returns a shell faster, and we are already injecting into and executing a Python file
2021-03-14 00:00:06 -06:00
c2c5db95d8
Add in documentation and fix some mistakes in the description of the module
2021-03-14 00:00:05 -06:00
7d6e636114
Initial upload of exploit code for CVE-2021-21978
2021-03-13 23:59:47 -06:00
d580e7d122
Fix some documentation, remove unnecessary code and fix a filename typo
2021-03-11 12:09:29 -06:00
8d2e644f4f
Add a new Java Deserialization mixin and use it to set the shell
2021-03-11 12:09:29 -06:00
319f15d938
Handle nil versions for rubygems 4
2021-02-25 16:47:49 +00:00
b06c5c12aa
Rubocop recently landed modules continued
2021-02-25 14:13:40 +00:00
8a339f54c1
Land #14734 , updates and runs rubocop against recent modules
...
Rubocop recently landed modules
2021-02-19 13:48:47 +00:00
275e9c5454
Land #14696 , Further Zeitwerk lands to improve boot speed
...
Zeitwerk rex folder
2021-02-19 10:33:37 +00:00
5b3fde7735
Rubocop recently landed modules
2021-02-16 15:08:08 +00:00
a1c316c679
msftidy: Fix exploit module checks for author and stack buffer overflow
2021-02-13 04:10:13 +00:00
c1e2cfd9e7
Land #14744 , add Klog Server unauth cmd injection
2021-02-12 11:40:57 -06:00
bdc2041c83
Add Klog Server authenticate.php user Unauthenticated Command Injection
2021-02-12 17:07:52 +00:00
bed7ae2c78
Add latest rubocop rules
2021-02-12 13:31:51 +00:00
b95be3ed10
Zeitwerk rex folder
2021-02-08 12:24:12 +00:00
3a2932b798
Migrate old uses of manual autocheck to use the new prepend autocheck
2021-02-02 10:15:46 +00:00
39b7ba584e
Randomize strings
...
Spencer tells me not to signature-bait, at least not so obviously. ;)
2021-01-22 16:15:16 -06:00
0d410f32c3
Add MobileIron CVE-2020-15505 exploit
2021-01-22 00:37:07 -06:00
9b8b4621df
Land #14368 , Pulse Connect Secure gzip RCE: cve-2020-8260
2020-12-17 17:43:55 -05:00
43b1497cf6
Remove some debug info and mark bind payloads as being incompatible
2020-12-17 16:36:20 -05:00
e52084242f
Remove unused vprint_status conditional
2020-12-09 22:45:41 -06:00
399c8dbb79
Don't be lazy about sending the request
...
Don't telegraph our command injection _quite_ so much. We still
"complete" the initial command line to minimize disruption.
I am now backgrounding ssh-keygen to improve the speed of the exploit.
2020-12-09 22:07:08 -06:00
2a2694ef16
Apply rubocop changes and precompute the encryption key
2020-12-07 14:59:40 -05:00
d208e441ba
Update the documentation
2020-12-07 10:54:20 -05:00
811de07e7a
Add logout functionality and cleanup HTTP session management
2020-12-07 10:41:42 -05:00
b968cf9183
Cleanup the payload delivery mechanism
2020-12-07 09:40:29 -05:00
7612845714
Add the initial Ruby port for CVE-2020-8260
2020-12-04 17:56:38 -05:00
f73a88a39c
Land #14396 , hadoop_unauth_exec clarification
2020-11-16 12:44:13 -06:00
06a0634828
Describe the Hadoop vuln as not-a-vuln clearly
2020-11-16 11:31:59 -06:00
0328e3f815
Land #14359 , gives preference to default target options
2020-11-13 14:44:13 +00:00
020e90543d
IOS -> IOC
2020-11-11 17:43:16 -05:00
6880376c61
add reliability, stability, side effects to pulse_secure_gzip_rce
2020-11-11 17:19:10 -05:00
fcb507e412
Fix AutoCheck
...
I'm a big dummy.
2020-11-11 15:57:38 -06:00
42bdae919b
Add SaltStack Salt REST API RCE (CVE-2020-16846)
...
Leveraging CVE-2020-25592.
2020-11-11 13:09:26 -06:00
b0b9ace606
Revert "remove ruby pulse_secure_cmd_exec"
...
This reverts commit efb8557e43
2020-11-09 20:09:12 -05:00
da70b74954
fix version numbers
2020-11-08 22:38:53 -05:00
3c4962e9b0
working and clean
2020-11-08 22:31:26 -05:00
9f936038e5
cleanup rnd1
2020-11-08 08:42:19 -05:00
0e62e7793d
working session on linux/x86/shell/reverse_tcp
2020-11-08 08:27:55 -05:00
5b438fd933
Preference target values when registering options
2020-11-05 23:16:37 +00:00
f39e4d62e2
working but needs cleanup
2020-11-04 17:59:04 -05:00
bacc0f78ed
permissions solved
2020-11-04 14:17:16 -05:00
bwatters