sjanusz-r7
3c8f43e23e
Align SQL sessions peerhost and peerport
2024-03-04 13:11:32 +00:00
dwelch-r7
28a38f3aa0
Land #18908 , Update SAMR computer and ICPR cert to support SMB sessions
2024-03-04 12:20:53 +00:00
h00die
f2d836d008
review of ssh_version improvements
2024-03-03 09:18:52 -05:00
adfoster-r7
76166c0d14
Update SAMR computer and ICPR cert to support SMB sessions
2024-03-01 17:53:58 +00:00
sfewer-r7
a5fb83d0e1
add in 2023.11.2 as tested on
2024-03-01 17:03:38 +00:00
sfewer-r7
9988117cca
rename with cve number
2024-03-01 16:42:59 +00:00
sfewer-r7
fa4a16df5e
add in cve number
2024-03-01 16:39:38 +00:00
Jack Heysel
a73a7531a9
Land #18827 , Add module for BoidCMS CVE-2023-38836
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
2024-02-29 21:31:44 -08:00
bwatters
550c6f030a
Updates based on jheysel-r7's suggestions
2024-02-29 12:42:22 -06:00
Patrick Double
8b1ff6d44e
change bloodhound OutputDirectory to OptString
OptPath is intended for a local path and performs validation. Attempting to set it to a target path that doesn't exist on the local fails.
2024-02-29 07:12:37 -06:00
adfoster-r7
d8abd2bcc2
Land #18898 , Add rex proto mysql client wrapper
2024-02-29 10:13:47 +00:00
dwelch-r7
a4543b0f41
Land #18897 , Update smb login to support additional configuration
2024-02-29 10:07:02 +00:00
sfewer-r7
f0ca5c10dc
we can shuffle the query params so the jsp param is not first. we can optionally add some characters before the trailing .jsp
2024-02-29 09:13:44 +00:00
adfoster-r7
131585235b
Update SMB Login to support additional configuration
2024-02-28 20:24:06 +00:00
Jack Heysel
8ce95003fe
Rubocop
2024-02-28 11:09:34 -08:00
Jack Heysel
6589b86a4c
Updated check method to account for backports
2024-02-28 11:04:38 -08:00
sjanusz-r7
b423241e6b
Use Rex Post MySQL Client for lib, specs & modules
2024-02-28 18:19:50 +00:00
sjanusz-r7
55a8d6732f
Add Rex Proto MySQL Client
2024-02-28 18:19:46 +00:00
Jack Heysel
4b54d43db5
Land #18892 , Add AD CS Updates for ESC13
This PR adds functionality to enable Metasploit users
to be able to exploit the latest ESC technique, ESC13.
2024-02-28 07:28:16 -08:00
sfewer-r7
b7200b52e1
typo
2024-02-27 14:58:56 +00:00
sfewer-r7
f52543b4a6
Older versions of TeamCity (circa 2018) do not support access tokens, so we can fall back on creating an admin user account before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account.
2024-02-27 12:01:57 +00:00
sfewer-r7
8bca294966
use the Faker library
2024-02-27 12:00:38 +00:00
Spencer McIntyre
75c6dcdc15
Detect templates that are vulnerable to ESC13
2024-02-26 17:28:42 -05:00
Spencer McIntyre
3cbf46c5b7
Reuse the ldap connection once established
2024-02-26 17:28:42 -05:00
Spencer McIntyre
fefc3cb73c
Show names for issuance policy OIDs
2024-02-26 17:28:31 -05:00
Jack Heysel
f2de6d6357
Land #18870 , Add ConnectWise ScreenConnect module.
This PR adds an unauthenticated RCE exploit for ConnectWise
ScreenConnect (CVE-2024-1709).
2024-02-23 11:25:33 -08:00
sfewer-r7
ebe6e54259
use the Faker module to gen the plugins metadata.
2024-02-23 17:48:01 +00:00
sfewer-r7
fe8867356e
we can use Faker::Internet.uuid here instead of rolling our own uuid maker
2024-02-23 17:47:28 +00:00
sfewer-r7
f3af1836ce
allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address
2024-02-23 17:46:49 +00:00
sfewer-r7
47596c6a0c
add in docs
2024-02-23 14:30:53 +00:00
sfewer-r7
30e761831e
we can also register this path for cleanup
2024-02-23 14:00:27 +00:00
sfewer-r7
d5bcac1370
improve check routine to include target platform
2024-02-23 11:49:38 +00:00
Spencer McIntyre
257ec484c7
Show names for x509 OID constants
2024-02-22 17:36:30 -05:00
sfewer-r7
003d5e7006
The check routine can now display the target's platform in addition to the version number (we can determine this with a single request, so there is no major change here). This is useful so you know what platform to set the exploit's target to (so you can select an appropriate payload). Thanks @iagox86 for the idea!
2024-02-22 19:23:48 +00:00
errorxyz
97513d473f
Update manageengine_endpoint_central and servicedesk_plus default payloads
2024-02-23 00:00:18 +05:30
sfewer-r7
27a1233de8
Turns out only x64 is supported on Windows, so remove ARCH_X86, as if we try to inject an x86 payload in-memory we crash the target x64 service.
2024-02-22 16:41:18 +00:00
sfewer-r7
79bfbe4310
now that Linux is a target we have to move this to the multi directory
2024-02-22 16:34:43 +00:00
cgranleese-r7
d52220cccb
Fixes the create session datastore option from appearing for payloads
2024-02-22 14:58:41 +00:00
sfewer-r7
0b14d1b495
add a Linux command payload target, tested on version 20.3.31734. We leverage the path traversal CVE-2023-1708 to ensure the dropped ASHX file can be reached. This was blocking the Linux target from working. Also works fine on Windows. We leverage FileDropper mixin to delete this file.
2024-02-22 14:54:45 +00:00
sfewer-r7
8b4fee010c
remove the full stop to make it easier to copy and paste the password (and not accidentally copy the full stop character)
2024-02-22 14:52:18 +00:00
Gaurav Jain
b2cb102c9b
Merge branch 'rapid7:master' into manageengine
2024-02-22 17:20:28 +05:30
Gaurav Jain
51dcd5c971
Update splunk cve-2023-32707 to use reviewed changes
2024-02-22 17:13:44 +05:30
sfewer-r7
eded0e7788
POST the payload.encoded data when we trigger the ASHX file, this way we don't drop the Metasploit payload to disk.
2024-02-21 23:38:35 +00:00
sfewer-r7
e0ee7940d0
CISA has assigned this vulnerability CVE-2024-1709
2024-02-21 17:12:08 +00:00
sfewer-r7
2839683af5
use Rex::RandomIdentifier::Generator to generate identifiers.
2024-02-21 17:08:40 +00:00
Jack Heysel
0aa20c73a4
Land #18832 , Add exploit module CVE-2023-47218
The PR adds a module targeting CVE-2023-47218, an
unauthenticated command injection vuln affecting QNAP
QTS and QuTS hero.
2024-02-21 08:48:30 -08:00
sfewer-r7
10f11c94e1
improve the error description for failure messages
2024-02-21 16:11:50 +00:00
sfewer-r7
9828ffa870
add an in-memory payload target
2024-02-21 16:07:01 +00:00
sfewer-r7
2d8b0f414d
remove redundant slashes in other calls to normalize_uri
2024-02-21 16:04:19 +00:00
sfewer-r7
61c1a513a5
drop the leading forward slash
2024-02-21 15:59:25 +00:00