d7f3fd8cc0
Land #18915 , Add Watchguard RCE CVE-2022-26318
...
This PR adds a module for a buffer overflow at the administration
interface of WatchGuard Firebox and XTM appliances. The appliances are
built from a cherrypy python backend sending XML-RPC requests to a C
binary called wgagent using pre-authentication endpoint /agent/login.
This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before
12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful
exploitation results in remote code execution as user nobody.
2024-03-28 10:24:32 -07:00
6e6f1beb92
update addressing jheysel-r7 comments
2024-03-28 08:43:08 +00:00
e775c7c20a
Land #18967 , Artica Proxy unauthenticated RCE [CVE-2024-2054]
...
Merge branch 'land-18967' into upstream-master
2024-03-25 15:25:27 -05:00
f217312ad1
module and documentation updates based on review comments (bwatters-r7/cgranleese-r7)
2024-03-21 16:13:55 +00:00
2b90d33aef
Land #18618 , Add OpenNMS privesc and auth RCE
...
This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
2024-03-20 12:54:16 -07:00
6cd7f44197
rubocop
2024-03-20 11:39:19 -07:00
149dc15b21
Add check to see if notifications are enabled
2024-03-20 11:33:15 -07:00
e84fe947c2
third release module and documentation updates
2024-03-15 23:33:29 +00:00
5dd75e174b
second release module and documentation
2024-03-15 18:27:59 +00:00
df0012a63f
initial release module
2024-03-15 16:10:05 +00:00
7f02daf37d
use send_request_cgi for payload delivery
2024-03-08 10:53:45 +00:00
66e7f3c582
third release module
2024-03-07 21:22:14 +00:00
6bc74364e1
second release module
2024-03-04 18:57:54 +00:00
5d20321153
first release module
2024-03-03 19:38:02 +00:00
0aa20c73a4
Land #18832 , Add exploit module CVE-2023-47218
...
The PR adds a module targeting CVE-2023-47218, an
unauthenticated command injection vuln affecting QNAP
QTS and QuTH Hero.
2024-02-21 08:48:30 -08:00
d21e4080a9
Land #18792 , Ivanti Connect Secure - Unauth RCE (CVE-2024-21893 + CVE-2024-21887) #18792
...
Merge branch 'land-18792' into upstream-master
2024-02-20 17:40:12 -06:00
8cddffa3d1
Land #18700 , Add Kafka-ui Unauth RCE module
...
This PR adds an exploit module for CVE-2023-52251 which
is an unauthenticated rce vulnerability in Kafka's UI.
2024-02-16 15:38:52 -05:00
a1b0ff0fcf
Land #18681 , Update Apache Ofbiz w. Auth-Bypass
...
This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
2024-02-16 15:02:34 -05:00
6c252de974
Docs plus minor edits
2024-02-15 17:12:11 -05:00
d716e60cf2
added base64 encoder module of zerosteiner
2024-02-14 21:33:50 +00:00
f5c71d09c2
using data/kafka_ui_versions.json for the version check
2024-02-14 20:57:46 +00:00
8b70cefd83
Update modules/exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2024-02-14 20:57:46 +00:00
f75722ecf2
Small updates to module and documentation
2024-02-14 20:57:46 +00:00
dde7e3c5d3
Small tweaks to verbose messages
2024-02-14 20:57:46 +00:00
d5f30befbb
Second release of module
2024-02-14 20:57:46 +00:00
3db32da70f
First release of module.
2024-02-14 20:57:45 +00:00
d987b81591
Use Rex MIME Message
2024-02-14 13:15:37 -05:00
423bf0c519
work in progress exploit module for cve-2023-47218
2024-02-13 17:32:14 +00:00
1f292c8a73
remove the linux and unix targets in favor of a single automatic target
2024-02-09 09:26:08 +00:00
84278b8e0e
fix ofbiz auto detection
2024-02-06 16:45:02 -05:00
03a58c784b
fix typo in variable name
2024-02-06 14:08:54 +00:00
367783bcb5
add in RCE exploit for CVE-2024-21893
2024-02-06 11:49:04 +00:00
2efbf6e2f5
review comments
2024-01-29 17:21:06 -05:00
14181572c1
add PRIVESC_SAVE_DELAY option for opennms authenticated RCE
2024-01-27 01:13:04 +02:00
acc15c23fe
Add code review changes to opennms auth rce
2024-01-27 00:10:45 +02:00
c278ef9b73
Land #18648 , Add Module for GL.iNet products
...
This PR adds an exploit module for a number of
different GL.iNet network products. The module combines
an auth by-pass CVE-2023-50919 with an RCE CVE-2023-50445.
2024-01-23 14:57:29 -05:00
13d2968fad
Capitalize remaining references to Meterpreter
2024-01-23 13:11:03 -05:00
8d7907edee
Update based on @jheysel-r7 comments
2024-01-23 10:10:21 +00:00
094d6ee36b
Add additional reliability and stability notes to modules
2024-01-22 23:29:57 +00:00
919c846064
Final small updates (removed UDP and corrected typo in release date
2024-01-20 11:27:10 +00:00
06dcc82ced
Land #18630 , Add CVE-2023-50917: MajorDoMo RCE
...
Add CVE-2023-50917: MajorDoMo Command Injection Module
2024-01-19 17:10:40 -05:00
de6ed9e1d6
use get_json_document instead of JSON.parse
2024-01-18 15:35:43 +00:00
4ff399844f
By replacing the trailing ';' with a '#' we comment out the remaining portion of the command string (Thank you @jvoisin). We must also include a space character for this to work as expected, doing so also removes the need to bootstrap the Linux payloads with a separate file.
2024-01-18 10:04:38 +00:00
c74fd86961
Update modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2024-01-18 09:18:46 +00:00
3bb1d2bc02
Update modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2024-01-18 09:18:35 +00:00
70ef0dcb0d
improve the check logic to fall through when the json doesnt have the key we expect it to have
2024-01-17 10:02:59 +00:00
518c1e5d3c
mention Pull Connect as well as the CVEs in the description
2024-01-17 10:02:11 +00:00
ad7e348eaa
remove a copy pasta link
2024-01-17 09:16:18 +00:00
d7cf9155a6
ofbiz working for 18.12.09
2024-01-16 20:06:11 -05:00
f9419c4839
seperate commands into an array instead of one bog long string
2024-01-16 17:19:13 +00:00
Jack Heysel