Jacob Robles
42ccc37bca
Added description to module
2018-09-19 10:22:51 -05:00
Jacob Robles
8a20e0e702
Specific target, add process option
2018-09-19 08:49:54 -05:00
Jacob Robles
83af598e6a
Updated VS solution and module
2018-09-17 17:38:19 -05:00
bwatters-r7
f38e6f45ce
Redo dllinjection
2018-09-14 17:47:53 -05:00
asoto-r7
4cf344dd83
WIP: Initial CVE-2018-8440 / ALPC-TaskSched-LPE
2018-09-13 18:00:20 -05:00
bwatters-r7
2fbbf88ea9
Land #10560, ms17_010_eternalblue: use SMBDomain value when provided
instead of ignoring it
Merge branch 'land-10560' into upstream-master
2018-09-13 10:08:54 -05:00
Wei Chen
718aaca0f4
Land #10546, Add Apache Struts exploit: CVE-2018-11776
2018-09-07 14:54:23 -05:00
Wei Chen
bd50e00ccc
Make some small changes:
Changes made:
* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
2018-09-07 14:48:33 -05:00
William Vu
b3cd4a89ad
Move CVE ref to top as per ~standard~
2018-09-07 14:33:25 -05:00
Adam Cammack
68ca771764
Add CVE reference to ghostscript_failed_restore.rb
2018-09-07 14:24:15 -05:00
asoto-r7
99ca6cef49
Quote-block cleanup and improved error handling
2018-09-07 11:43:04 -05:00
asoto-r7
3671f8f6b0
Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set. We now try to detect this as part of `profile_target`. But that check might fail. If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.
Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.
Additionally additionally, some Tomcat configurations won't provide output from the payload. We'll detect that the payload ran successfully, but tell the user there was no output.
2018-09-06 17:56:42 -05:00
asoto-r7
7eb06b4592
Address travis errors: Updated metadata and target OS logic
2018-09-06 12:43:56 -05:00
asoto-r7
cb16f812ec
struts2_namespace_ognl updates from code review
Thanks to @wvu, @firefart, and @wchen!
2018-09-06 11:50:57 -05:00
Wei Chen
d23b252393
Land #10592, support ERB for foxit_reader_uaf.rb
2018-09-05 21:48:52 -05:00
Wei Chen
254e8b9fd0
Cleanup for foxit_reader_uaf
2018-09-05 21:47:57 -05:00
William Vu
243267b2f5
Add Linux dropper target
2018-09-05 19:57:12 -05:00
William Vu
61044e8bca
Refactor targets to align with current style
2018-09-05 19:56:32 -05:00
William Vu
692ddc8b8b
Eschew updating imagemagick_delegate
The hype is over, and the target was provided as a bonus. Now update the
module language to reflect that.
2018-09-05 19:56:32 -05:00
William Vu
1491f13bd5
Add Ghostscript failed restore exploit
2018-09-05 19:56:32 -05:00
William Vu
13ff71b879
Clean up previous modules
Missed in 35670713ff.
2018-09-05 19:56:32 -05:00
Shelby Pace
55bf6e5dd4
removed require in erb file
2018-09-05 18:09:29 -05:00
Shelby Pace
6a3a4de289
included path to erb, removed multiline pdf string
2018-09-05 14:09:10 -05:00
asoto-r7
8fe8bf62e3
Renamed to match existing struts2_content_type_ognl and improved comments
2018-08-31 13:48:22 -05:00
asoto-r7
35022d8332
Added payload upload+execution and OGNL-specific URI encoding
2018-08-31 13:39:42 -05:00
William Vu
7c7f63df45
Fix missing normalize_uri in struts2_rest_xstream
I missed this one previously. May not be necessary but nice to have.
2018-08-30 15:56:43 -05:00
Shelby Pace
6ec8522786
Land #10482, Add Network Manager VPNC Privesc
2018-08-30 10:46:54 -05:00
Jacob Robles
9d3e1c1942
Land #10540, weblogic_deserialize, add check method and linux target
2018-08-30 06:08:03 -05:00
Jacob Robles
953bafc7e7
Land #10545, foxit fix generated strings, update doc
2018-08-30 05:55:44 -05:00
Clément Notin
d489cd7248
ms17_010_eternalblue: use SMBDomain value when provided instead of ignoring it
2018-08-29 23:53:58 +02:00
Jacob Robles
3161beff69
Prefer opt hash
2018-08-29 14:56:31 -05:00
Adam Cammack
a57e5ac5c0
Land #10594, Remove trailing space from CVE number
2018-08-29 14:31:21 -05:00
Jacob Robles
bc4442694e
Fix Windows target options, remove comspec
2018-08-29 14:23:00 -05:00
Ben Schmeckpeper
c4d697a629
Remove trailing space from CVE identifier
ASUS Net4Switch ipswcom exploit mistakenly included a trailing space at the end of its CVE reference.
2018-08-29 14:12:49 -05:00
William Vu
468613f688
Land #10536, https:// reference check for msftidy
2018-08-29 11:14:42 -05:00
Jacob Robles
d5ad683ba6
More doc updates
2018-08-29 10:59:36 -05:00
Jacob Robles
086ec5bdfb
Fix generated strings in pdf
2018-08-29 06:24:20 -05:00
William Vu
326f006146
Land #10542, CVE ref for office_ms17_11882 exploit
2018-08-29 00:42:53 -05:00
Christian Mehlmauer
14fa41a376
merge changes
2018-08-29 06:09:40 +02:00
asoto-r7
b373dcc5d4
First draft of module and documentation for struts_namespace_rce against CVE-2018-11776
2018-08-28 16:53:26 -05:00
William Vu
f6b868bac2
Prefer regex for target check in exploit method
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
2018-08-28 15:56:45 -05:00
William Vu
3dec79da23
Add Windows ARCH_CMD target and refactor again
Must have been an oversight that I didn't add the target.
2018-08-28 15:03:41 -05:00
Ben Schmeckpeper
6335d867ec
Add CVE reference to office_ms17_11882 exploit
The CVE identifier appears in a GitHub URI but is not referenced separately.
2018-08-28 13:44:01 -05:00
Jacob Robles
94e8cdac37
Move files to correct location
2018-08-28 12:38:54 -05:00
Jacob Robles
2986a9538d
Whitespace fix
2018-08-28 11:53:08 -05:00
Jacob Robles
49c5a91fa7
Add linux target to weblogic_deserialize module
2018-08-28 11:51:04 -05:00
Jacob Robles
12e9cf6af7
Version output
2018-08-28 08:20:02 -05:00
Jacob Robles
f92d2263d0
Add check to weblogic_deserialize module
2018-08-28 08:09:30 -05:00
Christian Mehlmauer
a66556b436
fix msftidy errors
2018-08-28 13:12:43 +02:00
William Vu
7d21c2094e
Improve PSH target and refactor check code
2018-08-27 20:18:35 -05:00