Jack Heysel
1174344b76
Land #18918, Add CrushFTP Module CVE-2023-43177
This exploit module leverages an Improperly Controlled Modification of
Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177)
to achieve unauthenticated remote code execution. This affects CrushFTP
versions prior to 10.5.1.
2024-04-12 12:26:16 -07:00
Christophe De La Fuente
34f0afa298
Land #19044, Gibbon Online School Platform Authenticated RCE [CVE-2024-24725]
2024-04-05 16:20:11 +02:00
h00die-gr3y
8afbbc1553
third release module based on smcintyre-r7 comments
2024-04-04 17:14:32 +00:00
h00die-gr3y
8aa6d19e7d
second release module
2024-04-01 20:21:37 +00:00
h00die-gr3y
d8942b27a2
first release module
2024-04-01 14:49:10 +00:00
Noam Rathaus
609d356083
Extra ',' is causing ruby issues
2024-03-30 17:02:13 +03:00
Christophe De La Fuente
e6e13e7b45
Fixes from code review
2024-03-29 12:18:16 +01:00
Jack Heysel
abb2eb7ffd
Land #18891, Add RCE module for wp bricks builder
This PR adds the wp_bricks_builder_rce exploit module that targets a
known vulnerability in the WordPress Bricks Builder Theme, versions
prior to 1.9.6.
2024-03-26 14:46:35 -07:00
Balgogan
b9b4a624d9
Fix typos
2024-03-26 21:05:35 +01:00
Valentin Lobstein
abc39e86f9
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-03-26 20:40:04 +01:00
Valentin Lobstein
672036f53a
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-03-26 20:39:33 +01:00
Valentin Lobstein
8a1290c8a6
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-03-26 20:39:23 +01:00
Valentin Lobstein
85e27b0bc3
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-03-26 20:39:04 +01:00
Christophe De La Fuente
57a45a0b55
CrushFTP exploit module CVE-2023-43177 and documentation
2024-03-25 12:41:24 +01:00
Christophe De La Fuente
44c5422e07
Land #18922, JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198)
2024-03-13 20:16:27 +01:00
sfewer-r7
6d84f0e898
reduce the size of the exploit method by spinning out two new methods create_payload_plugin and auth_new_admin_user. Several if/unless blocks were flattened to be inline if/unless
2024-03-13 09:58:51 +00:00
sfewer-r7
4bd105202a
improve the readability of the XML
2024-03-13 09:29:43 +00:00
sfewer-r7
b04e84ed99
clarify we must call this a second time
2024-03-13 09:17:18 +00:00
sfewer-r7
df2c94f873
another typo
2024-03-13 09:14:23 +00:00
Stephen Fewer
b9e82375c1
typo
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
2024-03-13 09:13:11 +00:00
Stephen Fewer
d7bf7bc2ea
Use Failure::NoAccess as a better failure error, as we are trying to login
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
2024-03-13 09:12:56 +00:00
Stephen Fewer
46dd21d69d
use ||= to assign new hash if needed
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
2024-03-13 09:11:42 +00:00
sfewer-r7
1e371d0e4a
resolve the Java payload issue on Linux by leveraging PayloadServlet, running the payload in a thread, and forcing the default options for Spawn to be 0
2024-03-11 18:06:44 +00:00
sfewer-r7
0513654f10
Fix edge case for java payloads when Spawn is set to 0, all access to the plugin will block. We can still get a session if we fall through here. We can't delete the plugin as access will block because we did not spawn.
2024-03-08 17:09:14 +00:00
sfewer-r7
ab0327fb33
clarify we are using SpEL not OGNL here
2024-03-08 15:57:46 +00:00
Spencer McIntyre
9b8b7045ff
Land #18715, Add Splunk library
2024-03-05 16:17:30 -05:00
sfewer-r7
5c56d6a4fc
typo
2024-03-05 14:47:04 +00:00
sfewer-r7
b925f798e5
typo and clarify description
2024-03-05 14:39:17 +00:00
sfewer-r7
aac4ef09cc
add in disclosure date and blogs
2024-03-05 11:09:22 +00:00
Christophe De La Fuente
1e8e6d3bc4
Land #18796, Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966
2024-03-04 20:35:22 +01:00
Christophe De La Fuente
39af0bf535
Set Java target default payload to java/meterpreter/reverse_tcp
2024-03-04 20:33:27 +01:00
sfewer-r7
d748adcf80
check the expected response from a patched server
2024-03-04 14:32:39 +00:00
sjanusz-r7
3c8f43e23e
Align SQL sessions peerhost and peerport
2024-03-04 13:11:32 +00:00
sfewer-r7
a5fb83d0e1
add in 2023.11.2 as tested on
2024-03-01 17:03:38 +00:00
sfewer-r7
9988117cca
rename with cve number
2024-03-01 16:42:59 +00:00
sfewer-r7
fa4a16df5e
add in cve number
2024-03-01 16:39:38 +00:00
Balgogan
1f05f9a0f1
Add recommendation
2024-03-01 14:36:13 +01:00
Jack Heysel
a73a7531a9
Land #18827, Add module for BoidCMS CVE-2023-38836
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
2024-02-29 21:31:44 -08:00
bwatters
550c6f030a
Updates based on jheysel-r7's suggestions
2024-02-29 12:42:22 -06:00
sfewer-r7
f0ca5c10dc
we can shuffle the query params so the jsp param is not first. We can optionally add some characters before the trailing .jsp
2024-02-29 09:13:44 +00:00
Balgogan
45ae984dc1
Add additional verification step
2024-02-28 20:30:58 +01:00
Balgogan
b3d45f7d9b
Fix oversight and further optimize code execution
2024-02-28 20:16:14 +01:00
Balgogan
9f87510b50
Optimize code structure and enhance vulnerability check
2024-02-28 20:02:31 +01:00
sfewer-r7
b7200b52e1
typo
2024-02-27 14:58:56 +00:00
sfewer-r7
f52543b4a6
Older versions of TeamCity (circa 2018) do not support access tokens, so we can fall back on creating an admin user account before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account.
2024-02-27 12:01:57 +00:00
sfewer-r7
8bca294966
use the Faker library
2024-02-27 12:00:38 +00:00
Balgogan
f04b66d6dd
Add wp_bricks_builder_rce
2024-02-26 22:09:38 +01:00
sfewer-r7
ebe6e54259
use the Faker module to gen the plugin's metadata.
2024-02-23 17:48:01 +00:00
sfewer-r7
fe8867356e
we can use Faker::Internet.uuid here instead of rolling our own uuid maker
2024-02-23 17:47:28 +00:00
sfewer-r7
f3af1836ce
allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address
2024-02-23 17:46:49 +00:00