4e61596e7a
Check Build ID before running exploit
2023-12-19 12:15:35 -05:00
e858628292
Execute python payload in memory
2023-12-19 00:46:11 -05:00
549ee43df9
Update docs description minor comments
2023-12-19 00:32:21 -05:00
c6a6809700
Updated attribution
2023-12-18 19:41:49 -05:00
df111afb06
Glibc Tunables Exploit
2023-12-14 18:28:43 -05:00
da9d04d32d
Land #18461 , CVE-2023-22515 - Atlassian Confluence unauthenticated RCE
2023-10-19 10:22:57 +02:00
5e84f57ab3
set :random to true during generate_jar so we can randomize teh metasploit class path
2023-10-18 09:53:46 +01:00
fcffd36af0
no need to test for true, jsut return the value as we are waiting for done to be set to true
2023-10-18 09:37:04 +01:00
9fdbccb74f
catch a JSON ParserError exception and fail_with() if needed. Also detect if the JSON data doesnt have the expected value and fail_with() if needed
2023-10-18 09:36:02 +01:00
34107e4f3b
favod over for string concatenation.
2023-10-17 11:36:07 +01:00
0fc35bf6d3
randomize the plugins version number
2023-10-17 10:01:02 +01:00
415bd49b15
use next semantics to return from a yielded block early (note we cannot use return for this)
2023-10-17 09:43:00 +01:00
54f334479a
fix another typo
2023-10-17 09:30:52 +01:00
9e6e9538e1
typo
2023-10-17 09:29:38 +01:00
d2438bad4e
add a note to explain we need to concat a trailing forward slash
2023-10-17 09:28:04 +01:00
4acdaf3087
typos
2023-10-17 09:22:09 +01:00
d17f065f12
remove 'localhost' in favor of some random chars
2023-10-17 09:21:28 +01:00
3242a7009b
clarify timeout is in seconds
2023-10-17 09:11:05 +01:00
b97cb9f63d
remove whitespace
2023-10-17 09:10:28 +01:00
1c027ac05c
add an RCE exploit for CVE-2023-22515
2023-10-16 20:50:18 +01:00
05dd2e1473
Land #18351 , Apache Superset RCE (CVE-2023-37941)
2023-10-12 17:10:10 -04:00
80d2fa738d
Land #18296 , update more mysql modules to support newer authentication methods
2023-10-12 17:19:02 +01:00
86b7ec4518
Address comments from the review
2023-10-12 09:50:19 -04:00
4f734379d3
Add module docs and print some messages
2023-10-12 09:27:26 -04:00
0799f9d860
Add a check method and populate module metadata
2023-10-12 09:27:26 -04:00
7a226ba285
Randomize components in the MAR file
2023-10-12 09:27:26 -04:00
5a6dc7f9a6
Initial commit of CVE-2023-43654
2023-10-12 09:27:26 -04:00
1b172768b4
Use upstream ruby-mysql in Remote::MYSQL
...
* ... and dependents
2023-10-12 13:08:35 +02:00
45be501a50
Raise a more specific error message
...
Check for and raise a more specific error message when the internal
database fails to mount because the path is incorrect.
2023-10-10 15:21:35 -04:00
59da2865d9
Use an exec-in-place gadget for Python
...
This adds a Python deserialization gadget that will exec arbitrary
Python code in place. It is only compatible with Python 3.x due to
differences in Python's exec function and statement between 2 and 3.
2023-10-10 14:01:24 -04:00
fb834b235a
Land #18417 , Add Kibana Upgrade Assistant RCE
...
Kibana before version 7.6.3 suffers from a prototype
pollution bug within the Upgrade Assistant. This PR adds
an exploit module to exploit the bug. There is no CVE
for this issue at the moment.
2023-10-06 17:29:02 -04:00
931a67d290
kibana telemetry rce rewritten to use fetch payloads
2023-10-06 09:55:10 -04:00
a2a9becc73
convert cmd_stager to fetch payloads
2023-10-06 07:40:17 -04:00
5e0538a239
review comments round 1
2023-10-05 13:12:33 -04:00
8431d11654
leverage Rex::MIME::Message instead of creating the multipart data manualy
2023-10-04 09:39:25 +01:00
ccd8c71ec6
change the payload space to 5000. This allows all the payloads I tested to work but also allows all the 3 gadget chains I tested to work. ClaimsPrincipal and TypeConfuseDelegate will fail if the space is too large.
2023-10-04 09:38:42 +01:00
1be8e0245b
remove the powershell target as the powershell command adapter will handle this for us (thanks Spencer). Increate the space to handle the larger powershell command lines. I tested with cmd/windows/powershell/x64/meterpreter/reverse_tcp and the powershell command length was 4404.
2023-10-03 17:48:37 +01:00
2eacb75feb
Add a reference to the AssetNote blog. Better describe what teh TARGET_URI option is for and why it defaults to /AHT/
2023-10-03 11:17:21 +01:00
88eb44be64
kibana telemetry rce
2023-10-02 16:53:20 -04:00
1695a12c9c
Explicitly state both the release name (e.g. 2022.0.2) and the version number (e.g. 8.8.2) in a more consistent way.
2023-10-02 17:40:11 +01:00
53ed4a632b
add in exploit module for CVE-2023-40044 - WS_FTP unauthenticated RCE via .NET deserialization.
2023-10-02 11:42:19 +01:00
50155e3d94
Land #18389 , Juniper Junos OS PHPRC Manipulation RCE (CVE-2023-36845)
2023-09-29 18:05:28 +02:00
37bc4ca51f
Fixed root password resetting
2023-09-29 11:40:03 -04:00
58642c16c9
Changed WebSocket to SSH
2023-09-28 14:41:03 -04:00
3f15de3995
Responded to Christophes suggestions
2023-09-28 14:26:37 -04:00
36d8a34d39
Land #18408 , JetBrains TeamCity CVE-2023-42793
2023-09-28 14:01:59 -04:00
e7ab983279
Minor code changes
...
Changes include:
* Remove the PAYLOAD key which didn't do anything
* Add the missing payload size constraint
* Use #retry_until_truthy
2023-09-28 13:19:26 -04:00
89940e8b08
use the correct naming convention for normal options.
2023-09-28 16:36:18 +01:00
9a6e2dab71
improve the check routine to explicitly look for either a header value or a cookie value that TeamCity is known to set
2023-09-28 16:28:16 +01:00
96568bf6d3
typo in comment
2023-09-28 16:05:46 +01:00
Jack Heysel