adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,452 Commits 27 Branches 1,043 Tags
3da170a43c7f288fe9bc88fe325da488733acac3
Commit Graph

18316 Commits

Author SHA1 Message Date
sfewer-r7 d5bcac1370 improve check routine to include target platform 2024-02-23 11:49:38 +00:00
sfewer-r7 003d5e7006 The check routine can now display the targets platform in addition to the version number (we can determine this with a single request, so there is no major change here). This is usefull so you know what platform to set the exploits target to (so you can select an appropriate payload). Thanks @iagox86 for the idea! 2024-02-22 19:23:48 +00:00
errorxyz 97513d473f Update manageengine_endpoint_central and servicedesk_plus default payloads 2024-02-23 00:00:18 +05:30
sfewer-r7 27a1233de8 Turns out only x64 is supported on Windows, so remove ARCH_X86, as if we try to inject an x86 payload in-memory we crash the target x64 service. 2024-02-22 16:41:18 +00:00
sfewer-r7 79bfbe4310 now that Linux is a target we have to move this to the multi directory 2024-02-22 16:34:43 +00:00
cgranleese-r7 d52220cccb Fixes the create session datastore option from appearing for payloads 2024-02-22 14:58:41 +00:00
sfewer-r7 0b14d1b495 add a Linux command payload target, tested on version 20.3.31734. We leverage the path traversal CVE-2023-1708 to ensure the dropped ASHX file can be reached. This was blocking the Linux target from working. Also works fine on Windows. We leverage FileDropper mixin to delete this file. 2024-02-22 14:54:45 +00:00
sfewer-r7 8b4fee010c remove the full stop to make it easier to copy andpast the password (and not accidentaly copy the full stop charachter) 2024-02-22 14:52:18 +00:00
Gaurav Jain b2cb102c9b Merge branch 'rapid7:master' into manageengine 2024-02-22 17:20:28 +05:30
Gaurav Jain 51dcd5c971 Update splunk cve-2023-32707 to use reviewed changes 2024-02-22 17:13:44 +05:30
sfewer-r7 eded0e7788 POST the payload.encoded data when we trigger the ASHX file, this way we dont drop the Metasploit payload to disk. 2024-02-21 23:38:35 +00:00
sfewer-r7 e0ee7940d0 CISA has assigned this vulnerability CVE-2024-1709 2024-02-21 17:12:08 +00:00
sfewer-r7 2839683af5 use Rex::RandomIdentifier::Generator to generate identifiers. 2024-02-21 17:08:40 +00:00
Jack Heysel 0aa20c73a4 Land #18832, Add exploit module CVE-2023-47218 
The PR adds a module targeting CVE-2023-47218, an
unauthenticated command injection vuln affecting QNAP
QTS and QuTH Hero.
 2024-02-21 08:48:30 -08:00
sfewer-r7 10f11c94e1 improve the error description for failure messages 2024-02-21 16:11:50 +00:00
sfewer-r7 9828ffa870 add an in-memory payload target 2024-02-21 16:07:01 +00:00
sfewer-r7 2d8b0f414d remove redundant slashes in other calls to normalize_uri 2024-02-21 16:04:19 +00:00
sfewer-r7 61c1a513a5 drop the leading forward slash 2024-02-21 15:59:25 +00:00
sfewer-r7 6d473b2424 remove debug prints 2024-02-21 13:30:06 +00:00
sfewer-r7 c529749f77 fix tabs 2024-02-21 13:14:35 +00:00
bwatters d21e4080a9 Land #18792, Ivanti Connect Secure - Unauth RCE (CVE-2024-21893 + CVE-2024-21887) #18792 
Merge branch 'land-18792' into upstream-master
 2024-02-20 17:40:12 -06:00
sfewer-r7 edf2bae69a add native java payload support 2024-02-19 11:37:34 +00:00
cgranleese-r7 de17261926 Removes session types from module with session type mixin 2024-02-19 10:34:16 +00:00
bwatters c298540bea Add documentation and fix default payloads 2024-02-16 16:49:49 -06:00
Jack Heysel 8cddffa3d1 Land #18700, Add Kafka-ui Unauth RCE module 
This PR adds an exploit module for CVE-2023-52251 which
is an unauthenticated rce vulnerability in Kafka's UI.
 2024-02-16 15:38:52 -05:00
Jack Heysel a1b0ff0fcf Land #18681, Update Apache Ofbiz w. Auth-Bypass 
This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
 2024-02-16 15:02:34 -05:00
sfewer-r7 a8408f139e add in ARCH_CMD payloads to get a native meterpreter session 2024-02-16 17:28:38 +00:00
sfewer-r7 32ed8eeedf rework some of the cleanup logic 2024-02-16 15:31:07 +00:00
sfewer-r7 04d501a7a7 make msftidy happy 2024-02-16 10:05:24 +00:00
sfewer-r7 cdba70b44d add in jetbrains teamcity rce 0day 2024-02-16 10:04:28 +00:00
Jack Heysel 6c252de974 Docs plus minor edits 2024-02-15 17:12:11 -05:00
bwatters 9e75b70868 Add Windows target 2024-02-15 16:00:59 -06:00
bwatters 8a1f5de8f1 Fix msftidy issue and update file delete 2024-02-15 10:00:44 -06:00
bwatters 20563b64b2 add check method 2024-02-15 09:05:54 -06:00
adfoster-r7 e49c6a792a Land #18770, Extract SMB, PostgreSQL, MySQL and MSSQL optional sessions into their own mixins 2024-02-15 13:19:37 +00:00
SickMcNugget 69b566ce35 Wider runC version support, add Debian, fix bugs. 
Now uses the Rex::Version system to check the user's version of runC.
The old system used to allow runC version 1.1.12 (which is patched).
Now it allows from 1.0.0-rc93->1.1.11 (and I tested that it works as expected).
Support added for Debian as this was tested with both Debian and Ubuntu.
Newer versions of Docker wouldn't delete the built container due to the message format.
I added a new regex to check for the message format which now deletes containers.

Fixed error reporting bug, runC version sanitising

Some runC versions contain the `+` and `~` token. These break
Rex::Version objects. A simple check was added against these symbols
and anything following them is cut off. Another solution may be
to replace these tokens with the `-` symbol to maintain information.
One of the failure cases was unreachable and this was fixed.

Fix runC and docker presence checks

The old runC and docker presence checks wer using `if` instead of `unless`.
executable? also requires a full path to work correctly. Since only the command
names themselves were being passed in, the check was silently failing.
The chosen fix was to instead use the command_exists? function,
which has the added benefit of working on both Windows and Linux.
 2024-02-15 16:45:40 +08:00
bwatters 843c64d2f6 Code cleaned up 2024-02-14 19:08:11 -06:00
bwatters 67cd9b425b Working, but ugly 2024-02-14 15:42:50 -06:00
h00die-gr3y d716e60cf2 added base64 encoder module of zerosteiner 2024-02-14 21:33:50 +00:00
h00die-gr3y f5c71d09c2 using data/kafka_ui_versions.json for the version check 2024-02-14 20:57:46 +00:00
H00die.Gr3y 8b70cefd83 Update modules/exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251.rb 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-02-14 20:57:46 +00:00
h00die-gr3y f75722ecf2 Small updates to module and documentation 2024-02-14 20:57:46 +00:00
h00die-gr3y dde7e3c5d3 Small tweaks to verbose messages 2024-02-14 20:57:46 +00:00
h00die-gr3y d5f30befbb Second release of module 2024-02-14 20:57:46 +00:00
h00die-gr3y 3db32da70f First release of module. 2024-02-14 20:57:45 +00:00
h00die-gr3y 5f703b2e28 First draft. Not ready for review 2024-02-14 20:57:45 +00:00
Jack Heysel d987b81591 Use Rex MIME Message 2024-02-14 13:15:37 -05:00
Christophe De La Fuente 747d328bcb Land #18786, Fix option collision in service_persistence 2024-02-14 17:25:15 +01:00
Dean Welch fa5c4c0193 lowercase session types 2024-02-14 15:45:34 +00:00
Dean Welch 0d4e1ed755 Use mssql option session mixin with mssql modules 2024-02-14 15:37:11 +00:00