adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,623 Commits 27 Branches 1,043 Tags
2cf8ea39f94bbf749ca99cd6ddfc034df407d166
Commit Graph

18367 Commits

Author SHA1 Message Date
Jack Heysel 1174344b76 Land #18918, Add CrushFTP Module CVE-2023-43177 
This exploit module leverages an Improperly Controlled Modification of
Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177)
to achieve unauthenticated remote code execution. This affects CrushFTP
versions prior to 10.5.1.
 2024-04-12 12:26:16 -07:00
Christophe De La Fuente 34f0afa298 Land #19044, Gibbon Online School Platform Authenticated RCE [CVE-2024-24725] 2024-04-05 16:20:11 +02:00
h00die-gr3y 8afbbc1553 third release module based on smcintyre-r7 comments 2024-04-04 17:14:32 +00:00
adfoster-r7 926e2fa204 Land #19033, lint modules/exploits/linux/smtp/haraka.py 2024-04-03 14:19:18 +01:00
h00die-gr3y 8aa6d19e7d second release module 2024-04-01 20:21:37 +00:00
Spencer McIntyre 3af68ef51a Land #19032, Fix bad module indentation 
The wp_downloadmanager_upload module has bad indentation
 2024-04-01 11:30:59 -04:00
Spencer McIntyre 7e132758d6 Land #19031, Extra ',' is causing ruby issues 2024-04-01 10:52:14 -04:00
h00die-gr3y d8942b27a2 first release module 2024-04-01 14:49:10 +00:00
Noam Rathaus 9cc294dbaf 1. Remove unused modules 
2. Prettify code
 2024-03-30 17:56:49 +03:00
Noam Rathaus c8c7e74cba Bad indentation 2024-03-30 17:06:25 +03:00
Noam Rathaus 609d356083 Extra ',' is causing ruby issues 2024-03-30 17:02:13 +03:00
Noam Rathaus e75043f00e Module indentation was wrong 2024-03-30 16:50:48 +03:00
Christophe De La Fuente e6e13e7b45 Fixes from code review 2024-03-29 12:18:16 +01:00
Jack Heysel d7f3fd8cc0 Land #18915, Add Watchguard RCE CVE-2022-26318 
This PR adds a module for a buffer overflow at the administration
interface of WatchGuard Firebox and XTM appliances. The appliances are
built from a cherrypy python backend sending XML-RPC requests to a C
binary called wgagent using pre-authentication endpoint /agent/login.
This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before
12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful
exploitation results in remote code execution as user nobody.
 2024-03-28 10:24:32 -07:00
h00die-gr3y 6e6f1beb92 update addressing jheysel-r7 comments 2024-03-28 08:43:08 +00:00
Jack Heysel abb2eb7ffd Land #18891, Add RCE module for wp bricks builder 
This PR adds the wp_bricks_builder_rce exploit module that targets a
known vulnerability in the WordPress Bricks Builder Theme, versions
prior to 1.9.6.
 2024-03-26 14:46:35 -07:00
Balgogan b9b4a624d9 Fix typos 2024-03-26 21:05:35 +01:00
Valentin Lobstein abc39e86f9 Update modules/exploits/multi/http/wp_bricks_builder_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-03-26 20:40:04 +01:00
Valentin Lobstein 672036f53a Update modules/exploits/multi/http/wp_bricks_builder_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-03-26 20:39:33 +01:00
Valentin Lobstein 8a1290c8a6 Update modules/exploits/multi/http/wp_bricks_builder_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-03-26 20:39:23 +01:00
Valentin Lobstein 85e27b0bc3 Update modules/exploits/multi/http/wp_bricks_builder_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-03-26 20:39:04 +01:00
bwatters e58c6b9df2 Land #18721, SharePoint Unauth RCE Exploit Chain (CVE-2023-29357 & CVE-2023-24955) 
Merge branch 'land-18721' into upstream-master
 2024-03-26 12:42:22 -05:00
bwatters e775c7c20a Land #18967, Artica Proxy unauthenticated RCE [CVE-2024-2054] 
Merge branch 'land-18967' into upstream-master
 2024-03-25 15:25:27 -05:00
adfoster-r7 c03e4c4ab0 Land #19009, add missing Platform to osx/local/persistence module 2024-03-25 17:31:15 +00:00
sjanusz-r7 38c5c6bb11 Add missing Platform to osx/local/persistence module 2024-03-25 16:00:25 +00:00
Christophe De La Fuente 57a45a0b55 CrushFTP exploit module CVE-2023-43177 and documentation 2024-03-25 12:41:24 +01:00
cgranleese-r7 9b4114eda0 Land #18961, Adds session documentation 2024-03-25 11:23:05 +00:00
adfoster-r7 decba4350e Additional changes to documentation 2024-03-25 10:53:08 +00:00
h00die-gr3y f217312ad1 module and documentation updates based on review comments (bwatters-r7/cgranleese-r7) 2024-03-21 16:13:55 +00:00
cgranleese-r7 d750ea19eb Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module 2024-03-21 12:22:11 +00:00
Jack Heysel 2b90d33aef Land #18618, Add OpenNMS privesc and auth RCE 
This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
 2024-03-20 12:54:16 -07:00
Jack Heysel 6cd7f44197 rubocop 2024-03-20 11:39:19 -07:00
Jack Heysel 149dc15b21 Add check to see if notifications are enabled 2024-03-20 11:33:15 -07:00
Spencer McIntyre 0f9986c787 Land #18947, Fix inconsistent casing 
Fix inconsistent casing in windows/local/wmi_persistence
 2024-03-19 12:40:34 -04:00
Jack Heysel bf0d81db03 Land #18838, Improve Runc Priv Esc Check 
This PR adds support for Debian and number of fixes and improvements for
the runc_cwd_priv_esc. Proir to this fix the module would report
vulnerable for a number of versions that the patch had been back ported
to.
 2024-03-18 13:31:09 -07:00
h00die-gr3y e84fe947c2 third release module and documentation updates 2024-03-15 23:33:29 +00:00
h00die-gr3y 5dd75e174b second release module and documentation 2024-03-15 18:27:59 +00:00
h00die-gr3y df0012a63f initial release module 2024-03-15 16:10:05 +00:00
Christophe De La Fuente 44c5422e07 Land #18922, JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198) 2024-03-13 20:16:27 +01:00
sfewer-r7 6d84f0e898 reduce the size of teh exploit method by spinngin out two new methods create_payload_plugin and auth_new_admin_user. several if/unless blocks were flattened to be inline if/unless 2024-03-13 09:58:51 +00:00
sfewer-r7 4bd105202a improve the readability of the XML 2024-03-13 09:29:43 +00:00
sfewer-r7 b04e84ed99 clarify we must call this a second time 2024-03-13 09:17:18 +00:00
sfewer-r7 df2c94f873 anther typo 2024-03-13 09:14:23 +00:00
Stephen Fewer b9e82375c1 typo 
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
 2024-03-13 09:13:11 +00:00
Stephen Fewer d7bf7bc2ea Use Failure::NoAccess as a better failure error, as we are trying to login 
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
 2024-03-13 09:12:56 +00:00
Stephen Fewer 46dd21d69d use ||= to assign new hash if needed 
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
 2024-03-13 09:11:42 +00:00
cgranleese-r7 4e0e3da74c Land #18835, clean up code duplication 2024-03-12 14:09:22 +00:00
Adrian Șendroiu 2007e6d8fb Fix inconsistent casing in windows/local/wmi_persistence 2024-03-12 12:17:46 +02:00
sfewer-r7 1e371d0e4a resolve teh Java payload issue on Linux by leveraging PayloadServlet, runnign teh payload in a thread, and forcing teh default optiosn for Spawn to be 0 2024-03-11 18:06:44 +00:00
SickMcNugget 67fcd57a1f Merge branch 'runc_priv_esc' of github.com:SickMcNugget/metasploit-framework into runc_priv_esc 2024-03-11 22:23:55 +08:00