Wolfgang Hotwagner
e0dd5117aa
added platform=linux and changed the payload to a fetch-payload
2023-10-12 11:12:32 +00:00
Rory McKinley
1b172768b4
Use upstream ruby-mysql in Remote::MYSQL
* ... and dependents
2023-10-12 13:08:35 +02:00
Spencer McIntyre
45be501a50
Raise a more specific error message
Check for and raise a more specific error message when the internal
database fails to mount because the path is incorrect.
2023-10-10 15:21:35 -04:00
Spencer McIntyre
59da2865d9
Use an exec-in-place gadget for Python
This adds a Python deserialization gadget that will exec arbitrary
Python code in place. It is only compatible with Python 3.x due to
differences in Python's exec function and statement between 2 and 3.
2023-10-10 14:01:24 -04:00
Wolfgang Hotwagner
f0862d4d76
Refactoring
2023-10-06 23:02:17 +00:00
Jack Heysel
fb834b235a
Land #18417 , Add Kibana Upgrade Assistant RCE
Kibana before version 7.6.3 suffers from a prototype
pollution bug within the Upgrade Assistant. This PR adds
an exploit module to exploit the bug. There is no CVE
for this issue at the moment.
2023-10-06 17:29:02 -04:00
Wolfgang Hotwagner
2f23d53e90
Exploit module for CVE-2023-26035
This commit adds an exploit module for an unauthenticated remote
code execution vulnerability in Zoneminder.
This exploit allows choosing between dropper and in-memory
payloads and works reliably.
2023-10-06 16:47:30 +00:00
h00die
931a67d290
kibana telemetry rce rewritten to use fetch payloads
2023-10-06 09:55:10 -04:00
h00die
a2a9becc73
convert cmd_stager to fetch payloads
2023-10-06 07:40:17 -04:00
h00die
5e0538a239
review comments round 1
2023-10-05 13:12:33 -04:00
sfewer-r7
8431d11654
leverage Rex::MIME::Message instead of creating the multipart data manually
2023-10-04 09:39:25 +01:00
sfewer-r7
ccd8c71ec6
change the payload space to 5000. This allows all the payloads I tested to work but also allows all the 3 gadget chains I tested to work. ClaimsPrincipal and TypeConfuseDelegate will fail if the space is too large.
2023-10-04 09:38:42 +01:00
sfewer-r7
1be8e0245b
remove the powershell target as the powershell command adapter will handle this for us (thanks Spencer). Increase the space to handle the larger powershell command lines. I tested with cmd/windows/powershell/x64/meterpreter/reverse_tcp and the powershell command length was 4404.
2023-10-03 17:48:37 +01:00
sfewer-r7
2eacb75feb
Add a reference to the AssetNote blog. Better describe what the TARGET_URI option is for and why it defaults to /AHT/
2023-10-03 11:17:21 +01:00
h00die
88eb44be64
kibana telemetry rce
2023-10-02 16:53:20 -04:00
sfewer-r7
1695a12c9c
Explicitly state both the release name (e.g. 2022.0.2) and the version number (e.g. 8.8.2) in a more consistent way.
2023-10-02 17:40:11 +01:00
sfewer-r7
53ed4a632b
add in exploit module for CVE-2023-40044 - WS_FTP unauthenticated RCE via .NET deserialization.
2023-10-02 11:42:19 +01:00
Christophe De La Fuente
50155e3d94
Land #18389 , Juniper Junos OS PHPRC Manipulation RCE (CVE-2023-36845)
2023-09-29 18:05:28 +02:00
Jack Heysel
37bc4ca51f
Fixed root password resetting
2023-09-29 11:40:03 -04:00
Jack Heysel
58642c16c9
Changed WebSocket to SSH
2023-09-28 14:41:03 -04:00
Jack Heysel
3f15de3995
Responded to Christophe's suggestions
2023-09-28 14:26:37 -04:00
Spencer McIntyre
36d8a34d39
Land #18408 , JetBrains TeamCity CVE-2023-42793
2023-09-28 14:01:59 -04:00
Spencer McIntyre
e7ab983279
Minor code changes
Changes include:
* Remove the PAYLOAD key which didn't do anything
* Add the missing payload size constraint
* Use #retry_until_truthy
2023-09-28 13:19:26 -04:00
sfewer-r7
89940e8b08
use the correct naming convention for normal options.
2023-09-28 16:36:18 +01:00
sfewer-r7
9a6e2dab71
improve the check routine to explicitly look for either a header value or a cookie value that TeamCity is known to set
2023-09-28 16:28:16 +01:00
sfewer-r7
96568bf6d3
typo in comment
2023-09-28 16:05:46 +01:00
sfewer-r7
ad7ff705c7
add in a Linux target
2023-09-28 14:57:02 +01:00
sfewer-r7
fbd5e60cfc
add in coverage for CVE-2023-42793. Currently only a Windows target.
2023-09-28 12:31:59 +01:00
bwatters
a4c6b11237
Fix pass by reference bug on the module side
2023-09-27 09:43:32 -05:00
Christophe De La Fuente
1058291af9
Land #18314 , Windows Error Reporting RCE (CVE-2023-36874)
2023-09-27 15:25:06 +02:00
Jack Heysel
3eaa4adcb7
rubocop
2023-09-26 18:48:33 -04:00
Jack Heysel
9a1881cbcf
jvoisin suggestions
2023-09-26 18:42:14 -04:00
Jack Heysel
09f3a98d13
Finished JAIL_BREAK addition
2023-09-26 16:45:28 -04:00
bwatters
0b84feaf60
updates from code review
2023-09-26 14:03:31 -05:00
Jack Heysel
b4539f174d
Added JAIL_BREAK option and corresponding methods
2023-09-25 19:03:54 -04:00
errorxyz
203470302a
Remove deprecated report_auth_info method call from vbulletic_vote_sqli_exec module
2023-09-24 22:20:35 +05:30
bwatters
be731f330e
Add error checking and randomize the report directory
2023-09-22 14:43:21 -05:00
eu
b1de44d892
Fix code styling
2023-09-22 16:51:49 +02:00
eu
4044835a64
Improve the cleanup method
- The cleanup method is deleting the job and removing the app directory
- Added a change dir command as an AutoRunScript just to avoid the error when trying to access the current directory in the session
2023-09-22 15:45:40 +02:00
eu
47d8e4de04
Remove ReturnOutput option
TODO: distinguish commands that return output and commands that don't
2023-09-22 11:52:14 +02:00
Jack Heysel
127f0104d2
Address review comments
2023-09-21 13:36:00 -04:00
Jack Heysel
12de4dd2c7
Improved request sending and added watchtower ref
2023-09-21 09:45:59 -04:00
Christophe De La Fuente
1e69086d24
Land #18365 , TOTOLINK X5000R Wireless GigaBit Router Unauthenticated RCE [CVE-2023-30013]
2023-09-21 11:27:19 +02:00
h00die-gr3y
6e11f4353b
Updates addressing cdelafuente-r7 comments
2023-09-20 22:14:48 +00:00
Jack Heysel
da8c020d14
Junos OS SRX and EX PHPRC Manipulation RCE
2023-09-20 16:47:05 -04:00
bwatters
03fa034ff5
Actually delete the file I told you to delete
2023-09-20 09:10:51 -05:00
cgranleese-r7
37b506c238
Land #18374 , fix related modules references
2023-09-20 10:03:47 +01:00
bwatters
b4a1bb8fa2
Add docs and support for shell sessions; update exe to work without runtime lib.
2023-09-19 17:50:18 -05:00
Christophe De La Fuente
525c957af2
Land #18333 , Lexmark Device Embedded Web Server RCE (CVE-2023-26068)
2023-09-19 10:32:59 +02:00
bwatters
bfa876c3a1
Land #18283 , Apache Airflow 1.10.10 - Example DAG Remote Code Execution
CVE-2020-11978 + CVE-2020-13927
Merge branch 'land-18283' into upstream-master
2023-09-18 17:00:19 -05:00