44c5422e07
Land #18922 , JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198)
2024-03-13 20:16:27 +01:00
6d84f0e898
reduce the size of teh exploit method by spinngin out two new methods create_payload_plugin and auth_new_admin_user. several if/unless blocks were flattened to be inline if/unless
2024-03-13 09:58:51 +00:00
4bd105202a
improve the readability of the XML
2024-03-13 09:29:43 +00:00
b04e84ed99
clarify we must call this a second time
2024-03-13 09:17:18 +00:00
df2c94f873
anther typo
2024-03-13 09:14:23 +00:00
b9e82375c1
typo
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:13:11 +00:00
d7bf7bc2ea
Use Failure::NoAccess as a better failure error, as we are trying to login
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:12:56 +00:00
46dd21d69d
use ||= to assign new hash if needed
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:11:42 +00:00
1e371d0e4a
resolve teh Java payload issue on Linux by leveraging PayloadServlet, runnign teh payload in a thread, and forcing teh default optiosn for Spawn to be 0
2024-03-11 18:06:44 +00:00
0513654f10
Fix edge case for java payloads when Spawn is set to 0, all access to the plugin will block. We can still get a session if we fall through here. We cant delete the plugin as access will block because we did not spawn.
2024-03-08 17:09:14 +00:00
ab0327fb33
clarify we are using SpEL not OGNL here
2024-03-08 15:57:46 +00:00
9b8b7045ff
Land #18715 , Add Splunk library
2024-03-05 16:17:30 -05:00
5c56d6a4fc
typo
2024-03-05 14:47:04 +00:00
b925f798e5
typo and clarify description
2024-03-05 14:39:17 +00:00
aac4ef09cc
add in disclosure date and blogs
2024-03-05 11:09:22 +00:00
1e8e6d3bc4
Land #18796 , Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966
2024-03-04 20:35:22 +01:00
39af0bf535
Set Java target default paylaod to java/meterpreter/reverse_tcp
2024-03-04 20:33:27 +01:00
d748adcf80
check the expected response from a patched server
2024-03-04 14:32:39 +00:00
a5fb83d0e1
add in 2023.11.2 as tested on
2024-03-01 17:03:38 +00:00
9988117cca
rename with cve number
2024-03-01 16:42:59 +00:00
fa4a16df5e
add in cve number
2024-03-01 16:39:38 +00:00
a73a7531a9
Land #18827 , Add module for BoidCMS CVE-2023-38836
...
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
2024-02-29 21:31:44 -08:00
550c6f030a
Updates based on jheysel-r7's suggestions
2024-02-29 12:42:22 -06:00
f0ca5c10dc
we can shuffle thequery params so teh jsp param is not first. we can optionally add soem charachters before the trailing .jsp
2024-02-29 09:13:44 +00:00
b7200b52e1
typo
2024-02-27 14:58:56 +00:00
f52543b4a6
Older version of TeamCity (circa 2018) do not support access tokens, so we can fall back on creating an admin user accoutn before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account.
2024-02-27 12:01:57 +00:00
8bca294966
use the Faker library
2024-02-27 12:00:38 +00:00
ebe6e54259
use the Faker module to gen the plugins metadata.
2024-02-23 17:48:01 +00:00
fe8867356e
we can use Faker::Internet.uuid here instead of rolling our own uuid maker
2024-02-23 17:47:28 +00:00
f3af1836ce
allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address
2024-02-23 17:46:49 +00:00
47596c6a0c
add in docs
2024-02-23 14:30:53 +00:00
30e761831e
we can also register this path for cleanup
2024-02-23 14:00:27 +00:00
d5bcac1370
improve check routine to include target platform
2024-02-23 11:49:38 +00:00
003d5e7006
The check routine can now display the targets platform in addition to the version number (we can determine this with a single request, so there is no major change here). This is usefull so you know what platform to set the exploits target to (so you can select an appropriate payload). Thanks @iagox86 for the idea!
2024-02-22 19:23:48 +00:00
97513d473f
Update manageengine_endpoint_central and servicedesk_plus default payloads
2024-02-23 00:00:18 +05:30
27a1233de8
Turns out only x64 is supported on Windows, so remove ARCH_X86, as if we try to inject an x86 payload in-memory we crash the target x64 service.
2024-02-22 16:41:18 +00:00
79bfbe4310
now that Linux is a target we have to move this to the multi directory
2024-02-22 16:34:43 +00:00
51dcd5c971
Update splunk cve-2023-32707 to use reviewed changes
2024-02-22 17:13:44 +05:30
edf2bae69a
add native java payload support
2024-02-19 11:37:34 +00:00
c298540bea
Add documentation and fix default payloads
2024-02-16 16:49:49 -06:00
a8408f139e
add in ARCH_CMD payloads to get a native meterpreter session
2024-02-16 17:28:38 +00:00
32ed8eeedf
rework some of the cleanup logic
2024-02-16 15:31:07 +00:00
04d501a7a7
make msftidy happy
2024-02-16 10:05:24 +00:00
cdba70b44d
add in jetbrains teamcity rce 0day
2024-02-16 10:04:28 +00:00
9e75b70868
Add Windows target
2024-02-15 16:00:59 -06:00
8a1f5de8f1
Fix msftidy issue and update file delete
2024-02-15 10:00:44 -06:00
20563b64b2
add check method
2024-02-15 09:05:54 -06:00
843c64d2f6
Code cleaned up
2024-02-14 19:08:11 -06:00
67cd9b425b
Working, but ugly
2024-02-14 15:42:50 -06:00
cc0fc56874
Draft nonworking start
2024-02-12 17:44:24 -06:00
Christophe De La Fuente