adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,623 Commits 27 Branches 1,043 Tags
2cf8ea39f94bbf749ca99cd6ddfc034df407d166
Commit Graph

6311 Commits

Author SHA1 Message Date
Jack Heysel 1174344b76 Land #18918, Add CrushFTP Module CVE-2023-43177 
This exploit module leverages an Improperly Controlled Modification of
Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177)
to achieve unauthenticated remote code execution. This affects CrushFTP
versions prior to 10.5.1.
 2024-04-12 12:26:16 -07:00
Christophe De La Fuente d36e22fdc6 Land #18936, mongodb ops manager diagnostic archive info disclosure (cve-2023-0342) 2024-04-12 15:22:18 +02:00
Spencer McIntyre aa739cd92d Land #18962, rancher audit logs information leak 
new post module: rancher audit logs sensitive information leak (CVE-2023-22649)
 2024-04-10 11:51:54 -04:00
Spencer McIntyre f579ec7a1a Clean table printing, document tested version 2024-04-10 11:31:55 -04:00
Ashley Donaldson 4557de9a72 Changes from code review 2024-04-08 11:47:09 +10:00
Ashley Donaldson b1d0918074 Add documentation for module and functions 2024-04-08 11:32:53 +10:00
h00die b83a91a468 review for mongodb ops manager 2024-04-07 05:39:51 -04:00
h00die-gr3y 978fb46e52 added documentation 2024-04-04 17:35:12 +00:00
bwatters 3dc638909f Land #18906, Add template data files for ESC2 and ESC3 
Merge branch 'land-18906' into upstream-master
 2024-03-29 15:29:52 -05:00
Christophe De La Fuente e6e13e7b45 Fixes from code review 2024-03-29 12:18:16 +01:00
Jack Heysel 31cf0e2633 Land #18764, Add unauth Jenkins file read module 
This PR adds a new module to exploit CVE-2024-23897, an unauth arbitrary
(first 2 lines) file read on Jenkins.
 2024-03-28 13:29:39 -07:00
Jack Heysel d7f3fd8cc0 Land #18915, Add Watchguard RCE CVE-2022-26318 
This PR adds a module for a buffer overflow at the administration
interface of WatchGuard Firebox and XTM appliances. The appliances are
built from a cherrypy python backend sending XML-RPC requests to a C
binary called wgagent using pre-authentication endpoint /agent/login.
This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before
12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful
exploitation results in remote code execution as user nobody.
 2024-03-28 10:24:32 -07:00
Jack Heysel abb2eb7ffd Land #18891, Add RCE module for wp bricks builder 
This PR adds the wp_bricks_builder_rce exploit module that targets a
known vulnerability in the WordPress Bricks Builder Theme, versions
prior to 1.9.6.
 2024-03-26 14:46:35 -07:00
bwatters e58c6b9df2 Land #18721, SharePoint Unauth RCE Exploit Chain (CVE-2023-29357 & CVE-2023-24955) 
Merge branch 'land-18721' into upstream-master
 2024-03-26 12:42:22 -05:00
bwatters e775c7c20a Land #18967, Artica Proxy unauthenticated RCE [CVE-2024-2054] 
Merge branch 'land-18967' into upstream-master
 2024-03-25 15:25:27 -05:00
Christophe De La Fuente 57a45a0b55 CrushFTP exploit module CVE-2023-43177 and documentation 2024-03-25 12:41:24 +01:00
cgranleese-r7 9b4114eda0 Land #18961, Adds session documentation 2024-03-25 11:23:05 +00:00
adfoster-r7 decba4350e Additional changes to documentation 2024-03-25 10:53:08 +00:00
h00die-gr3y f217312ad1 module and documentation updates based on review comments (bwatters-r7/cgranleese-r7) 2024-03-21 16:13:55 +00:00
Zach Goldman 2c307f1bb3 Adds session documentation 
add more console output, add to pentesting side

split out session, help, query, query_interactive sections

add multiline examples

update mysql, smb
 2024-03-21 09:52:10 -05:00
Jack Heysel 2b90d33aef Land #18618, Add OpenNMS privesc and auth RCE 
This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
 2024-03-20 12:54:16 -07:00
Jack Heysel 149dc15b21 Add check to see if notifications are enabled 2024-03-20 11:33:15 -07:00
h00die-gr3y e84fe947c2 third release module and documentation updates 2024-03-15 23:33:29 +00:00
h00die-gr3y 5dd75e174b second release module and documentation 2024-03-15 18:27:59 +00:00
h00die 251aa021e1 rancher audit logs module 2024-03-13 16:42:51 -04:00
Christophe De La Fuente 44c5422e07 Land #18922, JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198) 2024-03-13 20:16:27 +01:00
Christophe De La Fuente 0252429715 Land #18775, Adding new module for MinIO (CVE-2023-28432) 2024-03-11 14:46:59 +01:00
h00die b41e38bca3 mongodb ops manager diagnostic archive info disclosure 2024-03-07 17:05:25 -05:00
Spencer McIntyre 7bce40308a Update module data to improve discoverability 2024-03-07 13:28:22 -05:00
Christophe De La Fuente ba75b3bb3f Land #18716, gitlab password reset account takeover (CVE-2023-7028) 2024-03-07 14:40:29 +01:00
Christophe De La Fuente e20558ec35 Land #18821, Gitlab public email disclosure CVE-2023-5612 2024-03-06 17:39:24 +01:00
Spencer McIntyre 23e0abe2f6 Land #18686, ssh_version module 2024-03-06 10:32:01 -05:00
h00die 8b6f7594e4 ssh_version module 2024-03-05 17:18:24 -05:00
h00die c4837d09e9 ssh_version module 2024-03-05 17:15:43 -05:00
h00die-gr3y 7dbd25bcbf added documentation 2024-03-05 18:42:09 +00:00
sfewer-r7 5c56d6a4fc typo 2024-03-05 14:47:04 +00:00
sfewer-r7 b925f798e5 typo and clarify description 2024-03-05 14:39:17 +00:00
sfewer-r7 aac4ef09cc add in disclosure date and blogs 2024-03-05 11:09:22 +00:00
h00die 7f6be50855 review of ssh_version improvements 2024-03-03 17:59:00 -05:00
h00die f2d836d008 review of ssh_version improvements 2024-03-03 09:18:52 -05:00
sfewer-r7 a5fb83d0e1 add in 2023.11.2 as tested on 2024-03-01 17:03:38 +00:00
sfewer-r7 9988117cca rename with cve number 2024-03-01 16:42:59 +00:00
Jack Heysel a73a7531a9 Land #18827, Add module for BoidCMS CVE-2023-38836 
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
 2024-02-29 21:31:44 -08:00
bwatters 550c6f030a Updates based on jheysel-r7's suggestions 2024-02-29 12:42:22 -06:00
sfewer-r7 b7200b52e1 typo 2024-02-27 14:58:56 +00:00
sfewer-r7 f52543b4a6 Older version of TeamCity (circa 2018) do not support access tokens, so we can fall back on creating an admin user accoutn before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account. 2024-02-27 12:01:57 +00:00
Balgogan f04b66d6dd Add wp_bricks_builder_rce 2024-02-26 22:09:38 +01:00
Jack Heysel f2de6d6357 Land #18870, Add ConnectWise ScreenConnect module. 
This PR add an unauthenticatd RCE exploit for ConnectWise
ScreenConnect (CVE-2024-1709).
 2024-02-23 11:25:33 -08:00
sfewer-r7 d7a0dee7d1 @rad10 noted the download link we gave no longer works, but has provided a second link, so adding that to the docs 2024-02-23 17:54:14 +00:00
sfewer-r7 f3af1836ce allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address 2024-02-23 17:46:49 +00:00