adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
74,438 Commits 27 Branches 1,043 Tags
393aed445debc4148b6a868ab397f5252b2413ff
Commit Graph

4639 Commits

Author SHA1 Message Date
bwatters 9b7b1fd16e Land #19313, Ghostscript Command Execution via Format String (CVE-2024-29510) 
Merge branch 'land-19313' into upstream-master
 2024-07-19 11:24:11 -05:00
Christophe De La Fuente 4d485acb73 Remove Windows target since it doesn't work for now 2024-07-19 16:19:56 +02:00
Christophe De La Fuente e9c511c979 Add documentation and some updates 2024-07-16 16:34:28 +02:00
Pierre Mauduit 8a0c65e603 Update geoserver_unauth_rce_cve_2024_36401.rb 
looks like a copy/paste typo from another exploit
 2024-07-16 11:20:35 +02:00
Jack Heysel f7449ea850 Land #19311, Add GeoServer unauth RCE module 
This adds an exploit module for CVE-2024-36401, an unauthenticated RCE
vulnerability in GeoServer versions prior to 2.23.6, between version
2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1.
 2024-07-12 11:07:36 -07:00
jheysel-r7 c5dad68322 Remove comma after the last item of a hash 2024-07-12 13:38:59 -04:00
H00die.Gr3y 292c177b74 Apply suggestions from code review 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-07-12 19:20:46 +02:00
Jack Heysel 5d210b548b added windows support 2024-07-11 16:34:07 -07:00
h00die-gr3y 4e76068cea added armle architecture support 2024-07-11 21:42:45 +00:00
h00die-gr3y 1ee2131d8d update based on cgranleese-r7 review comments 2024-07-11 16:12:52 +00:00
jheysel-r7 f9bd079618 Apply suggestions from code review 2024-07-10 20:45:53 -04:00
h00die-gr3y 28d6ef92dd fourth release module 2024-07-10 21:44:28 +00:00
h00die-gr3y 92637c4293 third release module 2024-07-09 21:54:55 +00:00
remmons-r7 108e60ae4d Peer review suggestion to swap out fail_with for print_error 
If the response to the code execution request isn't a 200, the module should error instead of fail. All versions tested returned 200s, but it's a great point that some Confluence versions might return a different status code but still pop a shell.
 2024-07-09 16:23:25 -05:00
remmons-r7 abb02a91d5 Add suggested Appears/Safe change from peer review 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-07-09 16:16:41 -05:00
remmons-r7 0852fbfeb8 Remove two whitespaces that snuck in 2024-07-09 14:34:33 -05:00
remmons-r7 8ee90bf2c7 Adding module for CVE-2024-21683 
This adds a module to exploit an authenticated admin-level Rhino script engine injection vulnerability for RCE in Atlassian Confluence.
 2024-07-09 14:19:15 -05:00
Christophe De La Fuente 1abc42a873 Add module 2024-07-09 18:34:27 +02:00
h00die-gr3y 702aff81ce second release module 2024-07-08 19:35:34 +00:00
h00die-gr3y 8e598acaeb first draft release 2024-07-08 06:53:16 +00:00
Jack Heysel c1826cd2f3 Land #18829, Allow multiple HttpServers in module 
Adding multiple HttpServer services in a module is sometimes complex
since they share the same methods. This usually this causes issues where
on_request_uri needs to be overridden to handle requests coming from
each service. This updates the cmdstager and the Java HTTP ClassLoader
mixins, since these are commonly used in the same module. This also
updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module
to make use of these new changes
 2024-06-18 09:51:38 -07:00
Jack Heysel e14dd93d6f Rebased encoder fix, removed PS paylaod dependency 2024-06-14 16:59:55 -07:00
Jack Heysel ade11a5a4b Added default options fixed Verification Steps 2024-06-14 16:41:12 -07:00
Jack Heysel 1dfd5da51e Apache OFBiz Dir Traversal RCE 2024-06-14 16:41:12 -07:00
Christophe De La Fuente 8fc6e20cec Update other modules to use java_class_loader_start_service and cmdstager_start_service 2024-06-14 12:57:42 +02:00
Christophe De La Fuente 70b21ff3f2 Update manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module 2024-06-13 16:53:07 +02:00
Jack Heysel b9b638dd83 Land #19196, Cacti import package RCE 
This exploit module leverages an arbitrary file write vulnerability
(CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It
abuses the Import Packages feature to upload a specially crafted package
that embeds a PHP file.
 2024-06-12 15:43:46 -07:00
Christophe De La Fuente 45815a4cb5 Code review 2024-06-12 19:47:02 +02:00
Jack Heysel 9bbb82ab55 Land #18998, VSCode exploit for ipynb integration 
VSCode allows users open a Jypiter notebook (.ipynb) file. Versions
v1.4.0 - v1.71.1 allow the Jypiter notebook to embed HTML and
javascript, which can then open new terminal windows within VSCode. Each
of these new windows can then execute arbitrary code at startup
 2024-06-10 14:36:57 -07:00
Christophe De La Fuente 120fa0f2fe Land #19208, Add exploit module for CVE-2024-5084: WordPress Hash Form Plugin RCE 2024-06-05 10:17:02 +02:00
Christophe De La Fuente 67ec4baa66 PR-19208: Add DefaultTarget to the info hash 2024-06-05 10:14:48 +02:00
Chocapikk 6b127249fa Add suggestions 2024-05-31 20:56:03 +02:00
adfoster-r7 1281f4726f Land #19209, update fileformat modules to show the default template datastore values 2024-05-31 15:12:48 +01:00
Zach Goldman 847b29178a change nil guards to default values, nil or blank guards for certain datastore options 2024-05-29 09:34:58 -05:00
Chocapikk bea708d24c Add exploit module for CVE-2024-5084: WordPress Hash Form Plugin RCE 2024-05-28 18:27:02 +02:00
Christophe De La Fuente 06cb6aa713 Update cacti_pollers_sqli_rce to use the new library 
- Update the CSRF token logic in the library
- Update cacti_package_import_rce and cacti_pollers_sqli_rce modules
- Update the FETCH_DELETE logic in cacti_package_import_rce to only
  regenerate the payload when necessary
 2024-05-23 11:30:48 +02:00
Christophe De La Fuente c6c5f2bf7a Add module, lib and documentation 2024-05-22 17:38:53 +02:00
Jack Heysel 10acd86390 Land #19071, Add AVideo RCE module 
Add module for CVE-2024-31819 which exploits an LFI in AVideo which uses
PHP Filter Chaining to turn the LFI into unauthenticated RCE
 2024-05-21 14:27:15 -04:00
Chocapikk da31761336 Lint 2024-05-15 22:13:53 +02:00
Valentin Lobstein 3900680a96 Update modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-05-15 22:07:45 +02:00
Valentin Lobstein c815c2b15c Update modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-05-15 22:07:19 +02:00
Valentin Lobstein 7d2c06a246 Update modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-05-15 22:07:04 +02:00
Valentin Lobstein cd10c2d208 Update modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-05-15 22:06:53 +02:00
Jack Heysel 216ffec555 Add Linux compatibility 2024-05-13 10:11:56 -07:00
adfoster-r7 5e1dc05f09 Fix apache_normalize_path_rce check method 2024-05-01 20:01:38 +01:00
jheysel-r7 6055d8a005 Apply suggestions from code review 
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
 2024-04-29 17:37:49 -04:00
Jack Heysel 3b57fbf052 ActiveMQ fixes 2024-04-26 14:25:16 -07:00
Jack Heysel 429eaff5ca RocketMQ fixes 2024-04-26 14:24:08 -07:00
Jack Heysel b8675f0fd7 Land #19005, Add Gambio Webshop Unauth RCE 
A Remote Code Execution vulnerability in Gambio online webshop version
4.9.2.0 and lower allows remote attackers to run arbitrary commands via
unauthenticated HTTP POST request
 2024-04-19 12:18:17 -07:00
jheysel-r7 3205fe9e63 Apply suggestions from code review 2024-04-19 13:44:18 -04:00