William Vu
02e2072a87
Update module traits after joint testing
2020-03-13 14:01:54 -05:00
William Vu
eaf8554e69
Patch serialVersionUID in the library
2020-03-13 13:17:26 -05:00
William Vu
c11be38e1c
Default to certutil CmdStager
2020-03-13 12:38:07 -05:00
William Vu
03ff32210e
Fix CmdStager target
2020-03-13 12:26:45 -05:00
William Vu
0806e9ef42
Add CmdStager target back in so we can debug it
2020-03-13 11:17:37 -05:00
William Vu
4f6720f962
Add TARGETURI back in
2020-03-13 11:05:14 -05:00
bwatters-r7
86851e54ff
Still looking for mountpoint bug....
2020-03-13 08:27:57 -05:00
dwelch-r7
b1225d4d72
Land #13062, Remove preceding whitespace from module name
2020-03-13 13:08:50 +00:00
William Vu
83387212a7
Update language to address different patches
2020-03-12 17:50:13 -05:00
William Vu
0b117849d0
Note specific patch versions
Hat tip @sranjit-r7.
2020-03-12 17:40:46 -05:00
William Vu
a908ceb58a
Add ManageEngine Desktop Central exploit
2020-03-12 17:36:53 -05:00
Christophe De La Fuente
f7d8c43722
Land #13040, SQL Server Reporting Services ViewState deserialization RCE
2020-03-12 18:26:01 +01:00
Alan Foster
54878d3f68
Remove preceding whitespace from module name
2020-03-12 01:12:00 +00:00
bwatters-r7
4f294a5deb
Update dependencies and finish exploit module, but something wrong with the mountpoint
2020-03-11 18:06:36 -05:00
Spencer McIntyre
f3d38e147d
Replace another use with the target type
2020-03-09 11:43:26 -04:00
Spencer McIntyre
b148e9da30
Land #13042, use VHOST when creating the full URI
2020-03-09 10:40:03 -04:00
Brent Cook
b19ed20d0a
Land #12990, Add initial rubocop rules to consistently format modules
2020-03-09 09:24:46 -05:00
Brent Cook
a10f51e1f9
manually realign shellcode. Note below:
The linter here indents strangely only in the case where you have a
standalone string literal without an assignment, a return, or a
function/method call. In all other cases it aligns properly. Given that
this really is easy to work around, with what look like beneficial code
changes, this is still well worth the benefit.
See https://github.com/rapid7/metasploit-framework/pull/12990#pullrequestreview-369907902
2020-03-09 09:22:01 -05:00
Spencer McIntyre
9bd6fb9e76
Update cve-2020-0618 based on feedback
2020-03-09 09:18:44 -04:00
t0-n1
fe8cd52c9d
Use VHOST instead of RHOST
The 'vhost_uri: true' enables the successful exploitation of this vulnerability in environments where you can't use an IP address (RHOST) to access the OWA web page.
2020-03-07 10:43:51 +01:00
Spencer McIntyre
4c004d51a7
Add an exploit for CVE-2020-0618
2020-03-06 16:21:37 -05:00
Alan Foster
3a046f01da
Run rubocop -a on subset of files
2020-03-06 10:41:45 +00:00
dwelch-r7
4fe7678b01
Land #12910, Add exploit module for Apache ActiveMQ traversal
2020-03-05 15:05:13 +00:00
dwelch-r7
c7ca43b585
reformat date to iso standard
2020-03-05 15:03:05 +00:00
bwatters-r7
4e8eefe4ee
More structs....
2020-03-04 15:20:39 -06:00
kalba-security
633899402c
Split up description
2020-03-04 17:02:34 +02:00
kalba-security
a87a1ae1b4
Split up description
2020-03-04 16:57:36 +02:00
William Vu
ba924b3047
Land #13014, Exchange ECP ViewState exploit
2020-03-03 17:23:17 -06:00
William Vu
4759f7d39d
Check for nil res
2020-03-03 17:17:28 -06:00
William Vu
573b8302ec
Fix missing var and change default target
2020-03-03 17:15:19 -06:00
Spencer McIntyre
a4feaec188
Implement a check method for cve-2020-0688
2020-03-03 14:22:27 -05:00
kalba-security
cd6c01ae9d
Add suggestions from code review.
2020-03-03 20:17:13 +02:00
Spencer McIntyre
5574eaa591
Make a new .NET serialization lib
2020-03-03 10:41:59 -05:00
bwatters-r7
7acad12c3e
Move mountpoint magic to library and add more code.
Not yet there, but getting closer. Needs some more cowbell.
2020-03-02 19:53:31 -06:00
Spencer McIntyre
167f1027c4
Address initial PR feedback
2020-03-02 12:21:24 -05:00
Spencer McIntyre
b3867dc200
Finish up the cve-2020-0688 module
2020-03-02 10:51:25 -05:00
Spencer McIntyre
203b2486ae
Commit some work on the module for a milestone
2020-03-01 11:07:32 -05:00
Spencer McIntyre
29608d13bf
Save some work before changing context
2020-02-28 08:30:59 -05:00
Spencer McIntyre
c9d9d3af29
Figured out how to generate the viewstate
2020-02-27 21:57:08 -05:00
bwatters-r7
ea64a6225a
First draft of CVE-2020-0668
2020-02-27 15:53:09 -06:00
Alan Foster
af9d2a28de
Fix msftidy warnings
2020-02-26 14:56:08 +00:00
Alan Foster
6bac1ec2aa
Remove executable flags from exploit files
2020-02-26 10:39:50 +00:00
bwatters-r7
c9e4ca34c3
Land #12921, Updating regex in ms16_075_reflection_juicy exploit Windows version check
Merge branch 'land-12921' into upstream-master
2020-02-20 21:10:37 -06:00
0x44434241
f6e4b52446
Removing dead code.
2020-02-21 08:33:20 +09:00
0x44434241
4288632203
Applied suggestions from rubocop.
Feedback from bwatters-r7
2020-02-19 16:59:08 +09:00
William Vu
4fa3b25788
Correct language in crosschex_device_bof
2020-02-18 23:18:45 -06:00
0x44434241
028285de77
Refactoring juicy potato check() logic.
Previously, server 2016/19 was not correctly detected and falsely
reporting as vulnerable, because the check was overly trusting the
reported OS name - see PR #355 for a description of the problem.
Furthermore, I discovered a self-introduced bug in the regex of build
detection, which would in some cases first match on '2016' and not the
build number, which would be less than the five-digit build number for
the foreseeable future.
Testing data included in PR comments.
Feedback from @bwatters-r7
2020-02-19 11:19:02 +09:00
Brent Cook
9aac803f41
remove a scratchpad line I saved while testing blog link fixes
2020-02-18 09:26:29 -06:00
Brent Cook
8489bcdfd9
This fixes broken links to the community.rapid7.com blog
Performed mechanically with sed, spot-checked that the new blog can consume these links.
2020-02-18 09:06:11 -06:00
0x44434241
f61c188e57
Handling possible nil case of regex on OS build.
Feedback from adfoster-r7
Testing of detection:
```
msf5 exploit(windows/local/ms16_075_reflection_juicy) > check
[*] Target appears to be patched or not vulnerable (Windows 10 (10.0 Build 18363).)
[*] The target is not exploitable.
```
Testing of (forced) nil-case:
```
msf5 exploit(windows/local/ms16_075_reflection_juicy) > check
[*] Reloading module...
[!] Could not determine Windows build number - exploiting might fail.
[*] The target is not exploitable.
```
2020-02-14 09:26:04 +09:00