adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,604 Commits 27 Branches 1,043 Tags
3f2e32ef6a5f0ec003acef910e25eebbf85ed270
Commit Graph

6302 Commits

Author SHA1 Message Date
Ashley Donaldson 4557de9a72 Changes from code review 2024-04-08 11:47:09 +10:00
Ashley Donaldson b1d0918074 Add documentation for module and functions 2024-04-08 11:32:53 +10:00
h00die-gr3y 978fb46e52 added documentation 2024-04-04 17:35:12 +00:00
bwatters 3dc638909f Land #18906, Add template data files for ESC2 and ESC3 
Merge branch 'land-18906' into upstream-master
 2024-03-29 15:29:52 -05:00
Jack Heysel 31cf0e2633 Land #18764, Add unauth Jenkins file read module 
This PR adds a new module to exploit CVE-2024-23897, an unauth arbitrary
(first 2 lines) file read on Jenkins.
 2024-03-28 13:29:39 -07:00
Jack Heysel d7f3fd8cc0 Land #18915, Add Watchguard RCE CVE-2022-26318 
This PR adds a module for a buffer overflow at the administration
interface of WatchGuard Firebox and XTM appliances. The appliances are
built from a cherrypy python backend sending XML-RPC requests to a C
binary called wgagent using pre-authentication endpoint /agent/login.
This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before
12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful
exploitation results in remote code execution as user nobody.
 2024-03-28 10:24:32 -07:00
Jack Heysel abb2eb7ffd Land #18891, Add RCE module for wp bricks builder 
This PR adds the wp_bricks_builder_rce exploit module that targets a
known vulnerability in the WordPress Bricks Builder Theme, versions
prior to 1.9.6.
 2024-03-26 14:46:35 -07:00
bwatters e58c6b9df2 Land #18721, SharePoint Unauth RCE Exploit Chain (CVE-2023-29357 & CVE-2023-24955) 
Merge branch 'land-18721' into upstream-master
 2024-03-26 12:42:22 -05:00
bwatters e775c7c20a Land #18967, Artica Proxy unauthenticated RCE [CVE-2024-2054] 
Merge branch 'land-18967' into upstream-master
 2024-03-25 15:25:27 -05:00
cgranleese-r7 9b4114eda0 Land #18961, Adds session documentation 2024-03-25 11:23:05 +00:00
adfoster-r7 decba4350e Additional changes to documentation 2024-03-25 10:53:08 +00:00
h00die-gr3y f217312ad1 module and documentation updates based on review comments (bwatters-r7/cgranleese-r7) 2024-03-21 16:13:55 +00:00
Zach Goldman 2c307f1bb3 Adds session documentation 
add more console output, add to pentesting side

split out session, help, query, query_interactive sections

add multiline examples

update mysql, smb
 2024-03-21 09:52:10 -05:00
Jack Heysel 2b90d33aef Land #18618, Add OpenNMS privesc and auth RCE 
This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
 2024-03-20 12:54:16 -07:00
Jack Heysel 149dc15b21 Add check to see if notifications are enabled 2024-03-20 11:33:15 -07:00
h00die-gr3y e84fe947c2 third release module and documentation updates 2024-03-15 23:33:29 +00:00
h00die-gr3y 5dd75e174b second release module and documentation 2024-03-15 18:27:59 +00:00
Christophe De La Fuente 44c5422e07 Land #18922, JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198) 2024-03-13 20:16:27 +01:00
Christophe De La Fuente 0252429715 Land #18775, Adding new module for MinIO (CVE-2023-28432) 2024-03-11 14:46:59 +01:00
Spencer McIntyre 7bce40308a Update module data to improve discoverability 2024-03-07 13:28:22 -05:00
Christophe De La Fuente ba75b3bb3f Land #18716, gitlab password reset account takeover (CVE-2023-7028) 2024-03-07 14:40:29 +01:00
Christophe De La Fuente e20558ec35 Land #18821, Gitlab public email disclosure CVE-2023-5612 2024-03-06 17:39:24 +01:00
Spencer McIntyre 23e0abe2f6 Land #18686, ssh_version module 2024-03-06 10:32:01 -05:00
h00die 8b6f7594e4 ssh_version module 2024-03-05 17:18:24 -05:00
h00die c4837d09e9 ssh_version module 2024-03-05 17:15:43 -05:00
h00die-gr3y 7dbd25bcbf added documentation 2024-03-05 18:42:09 +00:00
sfewer-r7 5c56d6a4fc typo 2024-03-05 14:47:04 +00:00
sfewer-r7 b925f798e5 typo and clarify description 2024-03-05 14:39:17 +00:00
sfewer-r7 aac4ef09cc add in disclosure date and blogs 2024-03-05 11:09:22 +00:00
h00die 7f6be50855 review of ssh_version improvements 2024-03-03 17:59:00 -05:00
h00die f2d836d008 review of ssh_version improvements 2024-03-03 09:18:52 -05:00
sfewer-r7 a5fb83d0e1 add in 2023.11.2 as tested on 2024-03-01 17:03:38 +00:00
sfewer-r7 9988117cca rename with cve number 2024-03-01 16:42:59 +00:00
Jack Heysel a73a7531a9 Land #18827, Add module for BoidCMS CVE-2023-38836 
This is an authenticated RCE against BoidCMS versions 2.0.0 and earlier.
The underlying issue is that the file upload check allows a php file to
be uploaded and executes as a media file if the GIF header is present in
the PHP file.
 2024-02-29 21:31:44 -08:00
bwatters 550c6f030a Updates based on jheysel-r7's suggestions 2024-02-29 12:42:22 -06:00
sfewer-r7 b7200b52e1 typo 2024-02-27 14:58:56 +00:00
sfewer-r7 f52543b4a6 Older version of TeamCity (circa 2018) do not support access tokens, so we can fall back on creating an admin user accoutn before we upload the plugin. Creating an access token is better as we can delete the token, unlike the user account. 2024-02-27 12:01:57 +00:00
Balgogan f04b66d6dd Add wp_bricks_builder_rce 2024-02-26 22:09:38 +01:00
Jack Heysel f2de6d6357 Land #18870, Add ConnectWise ScreenConnect module. 
This PR add an unauthenticatd RCE exploit for ConnectWise
ScreenConnect (CVE-2024-1709).
 2024-02-23 11:25:33 -08:00
sfewer-r7 d7a0dee7d1 @rad10 noted the download link we gave no longer works, but has provided a second link, so adding that to the docs 2024-02-23 17:54:14 +00:00
sfewer-r7 f3af1836ce allow a custom USERNAME and PASSWORD to be specified if needed. Will default to a random value. Also use Faker::Internet.email to gen an email address 2024-02-23 17:46:49 +00:00
sfewer-r7 47596c6a0c add in docs 2024-02-23 14:30:53 +00:00
sfewer-r7 003d5e7006 The check routine can now display the targets platform in addition to the version number (we can determine this with a single request, so there is no major change here). This is usefull so you know what platform to set the exploits target to (so you can select an appropriate payload). Thanks @iagox86 for the idea! 2024-02-22 19:23:48 +00:00
sfewer-r7 79bfbe4310 now that Linux is a target we have to move this to the multi directory 2024-02-22 16:34:43 +00:00
cgranleese-r7 d52220cccb Fixes the create session datastore option from appearing for payloads 2024-02-22 14:58:41 +00:00
sfewer-r7 65cb30b0a4 update docs 2024-02-22 14:55:02 +00:00
sfewer-r7 f6b1c9b1ce add in docs 2024-02-21 17:44:16 +00:00
Jack Heysel 0aa20c73a4 Land #18832, Add exploit module CVE-2023-47218 
The PR adds a module targeting CVE-2023-47218, an
unauthenticated command injection vuln affecting QNAP
QTS and QuTH Hero.
 2024-02-21 08:48:30 -08:00
bwatters d21e4080a9 Land #18792, Ivanti Connect Secure - Unauth RCE (CVE-2024-21893 + CVE-2024-21887) #18792 
Merge branch 'land-18792' into upstream-master
 2024-02-20 17:40:12 -06:00
bwatters c298540bea Add documentation and fix default payloads 2024-02-16 16:49:49 -06:00