3da170a43c
smcintyre-r7 recommendation for better payload handling
2024-03-22 17:04:06 -04:00
f6b65993ac
ipynb vscode exploit
2024-03-22 16:26:03 -04:00
d750ea19eb
Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module
2024-03-21 12:22:11 +00:00
2b90d33aef
Land #18618 , Add OpenNMS privesc and auth RCE
...
This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
2024-03-20 12:54:16 -07:00
6cd7f44197
rubocop
2024-03-20 11:39:19 -07:00
149dc15b21
Add check to see if notifications are enabled
2024-03-20 11:33:15 -07:00
0f9986c787
Land #18947 , Fix inconsistent casing
...
Fix inconsistent casing in windows/local/wmi_persistence
2024-03-19 12:40:34 -04:00
bf0d81db03
Land #18838 , Improve Runc Priv Esc Check
...
This PR adds support for Debian and number of fixes and improvements for
the runc_cwd_priv_esc. Proir to this fix the module would report
vulnerable for a number of versions that the patch had been back ported
to.
2024-03-18 13:31:09 -07:00
44c5422e07
Land #18922 , JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198)
2024-03-13 20:16:27 +01:00
6d84f0e898
reduce the size of teh exploit method by spinngin out two new methods create_payload_plugin and auth_new_admin_user. several if/unless blocks were flattened to be inline if/unless
2024-03-13 09:58:51 +00:00
4bd105202a
improve the readability of the XML
2024-03-13 09:29:43 +00:00
b04e84ed99
clarify we must call this a second time
2024-03-13 09:17:18 +00:00
df2c94f873
anther typo
2024-03-13 09:14:23 +00:00
b9e82375c1
typo
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:13:11 +00:00
d7bf7bc2ea
Use Failure::NoAccess as a better failure error, as we are trying to login
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:12:56 +00:00
46dd21d69d
use ||= to assign new hash if needed
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:11:42 +00:00
4e0e3da74c
Land #18835 , clean up code duplication
2024-03-12 14:09:22 +00:00
2007e6d8fb
Fix inconsistent casing in windows/local/wmi_persistence
2024-03-12 12:17:46 +02:00
1e371d0e4a
resolve teh Java payload issue on Linux by leveraging PayloadServlet, runnign teh payload in a thread, and forcing teh default optiosn for Spawn to be 0
2024-03-11 18:06:44 +00:00
67fcd57a1f
Merge branch 'runc_priv_esc' of github.com:SickMcNugget/metasploit-framework into runc_priv_esc
2024-03-11 22:23:55 +08:00
6c1b4c1421
Update check to account for backports
2024-03-11 22:19:18 +08:00
7ce91df66e
clean up code duplication
2024-03-11 09:09:46 -05:00
0513654f10
Fix edge case for java payloads when Spawn is set to 0, all access to the plugin will block. We can still get a session if we fall through here. We cant delete the plugin as access will block because we did not spawn.
2024-03-08 17:09:14 +00:00
ab0327fb33
clarify we are using SpEL not OGNL here
2024-03-08 15:57:46 +00:00
9b8b7045ff
Land #18715 , Add Splunk library
2024-03-05 16:17:30 -05:00
5c56d6a4fc
typo
2024-03-05 14:47:04 +00:00
b925f798e5
typo and clarify description
2024-03-05 14:39:17 +00:00
aac4ef09cc
add in disclosure date and blogs
2024-03-05 11:09:22 +00:00
1e8e6d3bc4
Land #18796 , Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966
2024-03-04 20:35:22 +01:00
39af0bf535
Set Java target default paylaod to java/meterpreter/reverse_tcp
2024-03-04 20:33:27 +01:00
d748adcf80
check the expected response from a patched server
2024-03-04 14:32:39 +00:00
3c8f43e23e
Align SQL sessions peerhost and peerport
2024-03-04 13:11:32 +00:00
a5fb83d0e1
add in 2023.11.2 as tested on
2024-03-01 17:03:38 +00:00
9988117cca
rename with cve number
2024-03-01 16:42:59 +00:00
fa4a16df5e
add in cve number
2024-03-01 16:39:38 +00:00
a73a7531a9
Land #18827 , Add module for BoidCMS CVE-2023-38836
...
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
2024-02-29 21:31:44 -08:00
550c6f030a
Updates based on jheysel-r7's suggestions
2024-02-29 12:42:22 -06:00
f0ca5c10dc
we can shuffle thequery params so teh jsp param is not first. we can optionally add soem charachters before the trailing .jsp
2024-02-29 09:13:44 +00:00
8ce95003fe
Rubocop
2024-02-28 11:09:34 -08:00
6589b86a4c
Updated check method to account for backports
2024-02-28 11:04:38 -08:00
b423241e6b
Use Rex Post MySQL Client for lib, specs & modules
2024-02-28 18:19:50 +00:00
b7200b52e1
typo
2024-02-27 14:58:56 +00:00
f52543b4a6
Older version of TeamCity (circa 2018) do not support access tokens, so we can fall back on creating an admin user accoutn before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account.
2024-02-27 12:01:57 +00:00
8bca294966
use the Faker library
2024-02-27 12:00:38 +00:00
f2de6d6357
Land #18870 , Add ConnectWise ScreenConnect module.
...
This PR add an unauthenticatd RCE exploit for ConnectWise
ScreenConnect (CVE-2024-1709).
2024-02-23 11:25:33 -08:00
ebe6e54259
use the Faker module to gen the plugins metadata.
2024-02-23 17:48:01 +00:00
fe8867356e
we can use Faker::Internet.uuid here instead of rolling our own uuid maker
2024-02-23 17:47:28 +00:00
f3af1836ce
allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address
2024-02-23 17:46:49 +00:00
47596c6a0c
add in docs
2024-02-23 14:30:53 +00:00
30e761831e
we can also register this path for cleanup
2024-02-23 14:00:27 +00:00
h00die