10ee87c712
Add an optional CISCO_ADMIN_USERNAME and CISCO_ADMIN_PASSWORD options. If set these admin creds are used to leverage CVE-2023-20273. If not set, then CVE-2023-20198 is used to create a new temp admin account before leveraging CVE-2023-20273
2023-11-06 10:20:07 +00:00
ea21036995
reduce nesting in the check routine
2023-11-06 09:42:59 +00:00
4272678938
reduce the indentation in on_request_uri
2023-11-06 09:36:20 +00:00
fa8c40072c
ensure the payload doesnt contain a CDATA closing tag, if found then fail before we attempt exploitation
2023-11-06 09:36:20 +00:00
b9c65d5b75
Delete log entries on target
2023-11-06 02:00:25 +05:30
ba196b4264
Handle serving of payloads for different targets
2023-11-06 01:57:44 +05:30
1cde6198b5
Land #18481 , MagnusBilling unauthenticated RCE [CVE-2023-30258]
2023-11-03 20:42:27 +01:00
a55132b36f
strip out "**CLI Line # " from the results and use print_line instead of print_status for cleaner output.
2023-11-03 17:09:08 +00:00
c8121ebd8e
mention dropping to User EXEC mode via two exit keywords
2023-11-03 16:43:21 +00:00
ce5188a76c
Land #18218 , improve Windows checkvm post module
...
This PR includes a number of enhancements to the windows
checkvm post module, including reducing the number of requests
set to the targets among other things.
2023-11-03 12:17:06 -04:00
17420289dc
Add two auxiliary modules for the recent Cisco IOS XE exploit chain bugs (CVE-2023-20198 and CVE-2023-20273). This allows for unauthenticated remote CLI or OS command execution.
2023-11-03 15:38:35 +00:00
23110e2ee3
Update modules/post/windows/gather/checkvm.rb
2023-11-03 11:18:55 -04:00
8bb7b98ce9
Land #18506 , Fix stability issue for f5 2023-46747
...
This PR fixes a statbility issue with the
f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix
occasionally the module would fail on login as things were
running too quickly, the module now retrys loging in.
2023-11-03 10:51:04 -04:00
e5790f8d6e
Fix a stability issue with the module
...
Occassionally the module will fail on login if things are running too
quickly. Fix it by retrying like update_user_password does.
2023-11-02 17:10:20 -04:00
eef0527668
Land #18504 , add date and link on grafana dir traversal module
2023-11-02 19:13:31 +00:00
c27412a1ac
Land #18494 , Add AjaxPro Deserialization RCE
...
This PR adds a module which leverages an insecure
deserialization of data to get remote code execution
on the target OS in the context of the user running
the website which utilized AjaxPro.
2023-11-02 13:54:17 -04:00
f83f183fe2
Apply Code Suggestions from review
2023-11-03 00:04:20 +08:00
17f7d5c253
Land #18497 , Add Exploit For F5 CVE-2023-46747
...
This module exploits a flaw in F5s BIG-IP Traffic Management User
Interface (TMUI) that enables an external, unauthenticated
attacker to create an administrative user. The attacker can then use
the admin user to execute arbitrary code in the context of the root user.
2023-11-02 11:46:15 -04:00
27d86be456
Remove the REPEATABLE_SESSION tag
...
The module is generally reliable, but may fail after it's been run multiple
times.
2023-11-02 11:11:36 -04:00
cea4c1f326
Feedback from module review
2023-11-02 10:17:45 -04:00
d26742a266
Add check code annotations, update AJP link
2023-11-02 08:53:56 -04:00
c55290a44a
date and link on grafana dir traversal module
2023-11-02 07:43:01 -04:00
42cf28dbbe
nifi creds stealer
2023-11-02 06:56:33 -04:00
24810183ca
add in a unix target as ActiveMQ can run on OSX
2023-11-02 10:25:45 +00:00
94b5211525
set exploit Stance to Agressive
2023-11-02 09:32:36 +00:00
763fae6cd7
Fix typo to pass msftidy
2023-11-02 10:41:53 +08:00
a7e8be4860
Fix code styling to pass msftidy
2023-11-02 10:35:49 +08:00
9f9f18c73f
Apply suggestions from code review
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2023-11-02 10:10:26 +08:00
9c67b92a4d
Rename the other TMUI RCE module
2023-11-01 16:55:42 -04:00
7b53592b4f
Add module docs
2023-11-01 16:55:41 -04:00
03252913a1
Add the check method
2023-11-01 16:55:41 -04:00
714eeaaa3a
Finish cleaning the exploit up
2023-11-01 16:55:36 -04:00
df040b30aa
typos and improve comments
2023-11-01 17:59:00 +00:00
a408181def
Add initial work on exploit module for CVE-2023-46604
2023-11-01 17:34:30 +00:00
c803d6ef7e
Fetch the admin hash as a bonus
2023-10-31 15:27:31 -04:00
04388d9e25
Initial commit of CVE-2023-46747
2023-10-31 09:55:18 -04:00
ad6e4618df
third release module with minor text changes
2023-10-31 09:29:13 +00:00
bfff35eb63
second release module with php fix
2023-10-31 09:05:51 +00:00
00ccebe8ce
Upadte documentation for AjaxPro Deserializaion RCE
2023-10-31 13:31:10 +08:00
62f3dafd91
Apply CheckCode message suggestions from code review
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2023-10-31 10:45:58 +08:00
ec3cf74ff3
Land #18492 , Add module for Citrix Bleed (CVE-2023-4966)
2023-10-30 17:25:53 +01:00
9bd819e2d7
Add java in-memory target for manageengine servicedesk exploit
2023-10-30 20:12:37 +05:30
6e9facbefb
Merge pull request #18419 from smashery/dcsync_kerberos
...
DCSync using Kerberos Pass-the-Ticket
2023-10-30 09:41:22 -04:00
3bf4c0e7b1
Add the peer prefix to messages
2023-10-27 13:48:45 -04:00
cd3556dd71
Add Exploit for AjaxPro Deserialization RCE (CVE2021-23758)
2023-10-28 00:48:52 +08:00
7b76cc01f9
Add x86 support to windows/manage/kerberos_tickets
2023-10-27 12:47:19 -04:00
54bce7fcb5
Add module docs
2023-10-27 12:47:19 -04:00
b44bf1ce7e
Resolve the ticket host
2023-10-27 12:47:19 -04:00
7137820381
Refactor the module and update output handling
2023-10-27 12:47:19 -04:00
79a3e756b3
Add the ENUM_LUIDS action
2023-10-27 12:47:19 -04:00
sfewer-r7