289605f532
Require that the user know the CVE since the check is questionable
2020-12-15 19:17:35 -05:00
9bdf591a98
Add a working command stager for CVE-2020-17530
2020-12-15 09:13:06 -05:00
7826cbb8de
Initial addition of the Struts2 Double Eval exploit
2020-12-15 09:13:06 -05:00
9c47803609
increase wfsdelay
2020-12-14 14:54:54 +00:00
7af996ae4c
add offsets
2020-12-14 14:54:54 +00:00
a30cdfc892
Fix #14254 , Add CVE-2020-1054, win32k DrawIconEx OOB Write LPE
2020-12-14 14:54:54 +00:00
98d6364248
Land #14482 , Use CVE-2020-5752 path traversal bypass for CVE-2019-3999
2020-12-14 15:10:09 +01:00
f255724e01
Changes to support older Solr (tested 5.3.0)
...
Use a new parameter instead of a header because older versions don't
have access to the request object.
There was an issue where the exploit would fail if the exec returned -1
despite the payload otherwise working, fixed by not trying to return
output in that case.
Also updates the documentation to reflect that we have a Java target now
and quoting is no longer a concern.
2020-12-13 19:05:47 -06:00
ba125c1c64
Merge remote-tracking branch 'upstream/master' into feature/solaris
2020-12-11 14:25:05 -06:00
1fec224bae
Adding a new check raised by an unforeseen usecase. I tested the usecase of a webserver on which a malicious user succeeded to upload a meterpreter .exe and execute it by calling its url. The meterpreter sessions belongs to IUSRS, which is not allowed to enumerate services. Thus the exploit fails, but checks pass. So added new checks for filtering this usecase.
2020-12-11 05:22:37 -05:00
d1956199aa
Updating a warning message.
2020-12-11 03:58:14 -05:00
53a12a7984
Updating doc.
2020-12-11 03:53:25 -05:00
83943adf8b
Land #14466 , add Aerospike UDF rce
2020-12-10 11:07:56 -06:00
a9e231ad0a
Use CVE-2020-5752 path traversal bypass for CVE-2019-3999
2020-12-10 12:14:47 +00:00
38cd5817d7
Updating authors.
2020-12-10 02:09:24 -05:00
c8f1dfa642
Land #14479 , enhanced CVE-2020-25592 check
2020-12-10 00:56:52 -06:00
c005492ee9
Updating doc.
2020-12-10 00:58:53 -05:00
b7bf7fcc86
Updating functions comments.
2020-12-10 04:08:49 -05:00
4883050f7f
Adding new options to module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen (because on some Windows configuration, WinRM should listen on port 47001).
2020-12-10 03:53:06 -05:00
9696e709ae
Remove unused vprint_status conditional
2020-12-09 22:48:16 -06:00
e52084242f
Remove unused vprint_status conditional
2020-12-09 22:45:41 -06:00
399c8dbb79
Don't be lazy about sending the request
...
Don't telegraph our command injection _quite_ so much. We still
"complete" the initial command line to minimize disruption.
I am now backgrounding ssh-keygen to improve the speed of the exploit.
2020-12-09 22:07:08 -06:00
a33a6e6c55
Don't be lazy about checking the redirect
...
And don't be lazy about sending the request.
To trigger UnexpectedExceptionPage, we can send bogus data instead of
telegraphing our payload-less gadget chain.
God, I'm so lazy. This took like five extra minutes. :|
2020-12-09 21:09:49 -06:00
9452c1dcfa
Fix merge conflict from #14202 , in linear history
2020-12-09 17:24:29 -06:00
367c5e747f
Land #14470 , Fix ssi template for some sharepoint versions
2020-12-09 16:23:34 -05:00
d337d832b8
Land #14422 , add GitLab file read/rce
2020-12-09 11:34:14 -06:00
941762b3c5
remove trailing commas
2020-12-09 11:29:00 -06:00
fb9b1c5de4
Land #14409 , add weak services technique to the service permissions LPE
2020-12-09 17:16:53 +00:00
f8a7517633
Improving description of SHUTDOWN_SERVICES option.
2020-12-09 08:01:56 +00:00
7a358cf577
Giving to the user the choice for if the module should attempt or not to shutdown WinRM and BITS services.
2020-12-09 07:43:32 +00:00
d2db1fba4a
Updating exploit metatdata.
2020-12-09 07:06:31 +00:00
8f72102116
Updating exploit description (got by "info" command).
2020-12-09 06:55:17 +00:00
d43fba1ae1
Adding new check functionalities. Now, ruby module check through the previous meterpreter session if BITS and WinRM are currently running, and tries to shutdown them if they are. It is not necessary anymore to deal with windows versions to know if target is vulnerable: the module can guess it reliably by its own.
2020-12-09 06:47:29 +00:00
175d4a5c43
Add a check to see if the session is already running as SYSTEM
2020-12-08 18:05:28 -05:00
6d7c6c054a
Update the module docs with more details for the registry technique
2020-12-08 17:39:34 -05:00
dcb1637ac2
Land #14463 , web_delivery: Add SyncAppvPublishingServer target
2020-12-08 17:28:15 -05:00
e7f8d00717
Note technique compatibility and fix the reference URL
2020-12-08 17:26:39 -05:00
85a9accbee
Land #14202 , Add initial zeitwerk autoloader approach for lib/msf/core
2020-12-08 12:53:02 +00:00
748d11dfe4
Removing a useless batch of code remaining from outdated powershell functions.
2020-12-07 22:43:15 -05:00
134c0fdc73
Fixing an issue in getting notepad path.
2020-12-08 03:13:39 +00:00
ff8981c4ee
Various little corrections.
2020-12-07 21:38:55 -05:00
c86f93b9c0
Updating list of tested machines.
2020-12-07 21:38:42 -05:00
8a3790f265
Adding process informations to hide notepad.exe when launching.
2020-12-07 21:38:30 -05:00
46f59a76f0
Removing powershell payload serving method, and replacing it by just writing and executing in remote SYSTEM process.
2020-12-07 21:37:35 -05:00
30bf917075
Land #14401 , add Windows support for consul rce
2020-12-07 16:21:36 -06:00
45ce738af7
add default payload for targets, run rubocop
2020-12-07 16:17:12 -06:00
8e1cab0131
Land #14339 , add flexdotnetcms rce
2020-12-07 14:28:01 -06:00
cd900a0507
fix comment
2020-12-07 14:27:07 -06:00
2a2694ef16
Apply rubocop changes and precompute the encryption key
2020-12-07 14:59:40 -05:00
d208e441ba
Update the documentation
2020-12-07 10:54:20 -05:00
Spencer McIntyre