Christophe De La Fuente
ba7c7b6456
Land #19298, OpenMediaVault authenticated RCE [CVE-2013-3632]
2024-07-30 17:40:39 +02:00
h00die-gr3y
c94dc8f28c
changes based on cdelafuente-r7 comments
2024-07-29 14:02:29 +00:00
adfoster-r7
62a3f73e70
Update rubocop target ruby version
2024-07-24 16:47:17 +01:00
bwatters
9b7b1fd16e
Land #19313, Ghostscript Command Execution via Format String (CVE-2024-29510)
...
Merge branch 'land-19313' into upstream-master
2024-07-19 11:24:11 -05:00
Christophe De La Fuente
4d485acb73
Remove Windows target since it doesn't work for now
2024-07-19 16:19:56 +02:00
h00die-gr3y
a9f8475bf5
moved module + doc to exploit/unix/webapp
2024-07-16 15:50:20 +00:00
Christophe De La Fuente
e9c511c979
Add documentation and some updates
2024-07-16 16:34:28 +02:00
Pierre Mauduit
8a0c65e603
Update geoserver_unauth_rce_cve_2024_36401.rb
...
looks like a copy/paste typo from another exploit
2024-07-16 11:20:35 +02:00
Jack Heysel
f7449ea850
Land #19311, Add GeoServer unauth RCE module
...
This adds an exploit module for CVE-2024-36401, an unauthenticated RCE
vulnerability in GeoServer versions prior to 2.23.6, between versions
2.24.0 and 2.24.3, and in versions 2.25.0 and 2.25.1.
2024-07-12 11:07:36 -07:00
jheysel-r7
c5dad68322
Remove comma after the last item of a hash
2024-07-12 13:38:59 -04:00
H00die.Gr3y
292c177b74
Apply suggestions from code review
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-07-12 19:20:46 +02:00
Jack Heysel
5d210b548b
added windows support
2024-07-11 16:34:07 -07:00
h00die-gr3y
4e76068cea
added armle architecture support
2024-07-11 21:42:45 +00:00
h00die-gr3y
1ee2131d8d
update based on cgranleese-r7 review comments
2024-07-11 16:12:52 +00:00
jheysel-r7
f9bd079618
Apply suggestions from code review
2024-07-10 20:45:53 -04:00
h00die-gr3y
28d6ef92dd
fourth release module
2024-07-10 21:44:28 +00:00
h00die-gr3y
198f3f8d9b
update based on review comments of jvoisin
2024-07-10 11:05:22 +00:00
h00die-gr3y
92637c4293
third release module
2024-07-09 21:54:55 +00:00
remmons-r7
108e60ae4d
Peer review suggestion to swap out fail_with for print_error
...
If the response to the code execution request isn't a 200, the module should error instead of fail. All versions tested returned 200s, but it's a great point that some Confluence versions might return a different status code but still pop a shell.
2024-07-09 16:23:25 -05:00
remmons-r7
abb02a91d5
Add suggested Appears/Safe change from peer review
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-07-09 16:16:41 -05:00
remmons-r7
0852fbfeb8
Remove two whitespaces that snuck in
2024-07-09 14:34:33 -05:00
remmons-r7
8ee90bf2c7
Adding module for CVE-2024-21683
...
This adds a module to exploit an authenticated admin-level Rhino script engine injection vulnerability for RCE in Atlassian Confluence.
2024-07-09 14:19:15 -05:00
Christophe De La Fuente
1abc42a873
Add module
2024-07-09 18:34:27 +02:00
h00die-gr3y
702aff81ce
second release module
2024-07-08 19:35:34 +00:00
h00die-gr3y
8e598acaeb
first draft release
2024-07-08 06:53:16 +00:00
h00die-gr3y
2e1dfa62c1
One small change in check method
2024-07-05 06:55:37 +00:00
h00die-gr3y
7ad152694a
Addressed two more review comments
2024-07-04 20:49:17 +00:00
h00die-gr3y
594de4681f
Second release module addressing cdelafuente-r7 comments and added documentation
2024-07-04 20:31:02 +00:00
h00die-gr3y
562e93fe3b
First release module
2024-07-02 14:54:04 +00:00
Jack Heysel
c1826cd2f3
Land #18829, Allow multiple HttpServers in module
...
Adding multiple HttpServer services in a module is sometimes complex
since they share the same methods. This usually causes issues where
on_request_uri needs to be overridden to handle requests coming from
each service. This updates the cmdstager and the Java HTTP ClassLoader
mixins, since these are commonly used in the same module. This also
updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module
to make use of these new changes.
2024-06-18 09:51:38 -07:00
Jack Heysel
e14dd93d6f
Rebased encoder fix, removed PS payload dependency
2024-06-14 16:59:55 -07:00
Jack Heysel
ade11a5a4b
Added default options, fixed Verification Steps
2024-06-14 16:41:12 -07:00
Jack Heysel
1dfd5da51e
Apache OFBiz Dir Traversal RCE
2024-06-14 16:41:12 -07:00
Christophe De La Fuente
8fc6e20cec
Update other modules to use java_class_loader_start_service and cmdstager_start_service
2024-06-14 12:57:42 +02:00
Christophe De La Fuente
70b21ff3f2
Update manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module
2024-06-13 16:53:07 +02:00
Jack Heysel
b9b638dd83
Land #19196, Cacti import package RCE
...
This exploit module leverages an arbitrary file write vulnerability
(CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It
abuses the Import Packages feature to upload a specially crafted package
that embeds a PHP file.
2024-06-12 15:43:46 -07:00
Christophe De La Fuente
45815a4cb5
Code review
2024-06-12 19:47:02 +02:00
Jack Heysel
9bbb82ab55
Land #18998, VSCode exploit for ipynb integration
...
VSCode allows users to open a Jupyter notebook (.ipynb) file. Versions
v1.4.0 - v1.71.1 allow the Jupyter notebook to embed HTML and
JavaScript, which can then open new terminal windows within VSCode. Each
of these new windows can then execute arbitrary code at startup.
2024-06-10 14:36:57 -07:00
Christophe De La Fuente
120fa0f2fe
Land #19208, Add exploit module for CVE-2024-5084: WordPress Hash Form Plugin RCE
2024-06-05 10:17:02 +02:00
Christophe De La Fuente
67ec4baa66
PR-19208: Add DefaultTarget to the info hash
2024-06-05 10:14:48 +02:00
Chocapikk
6b127249fa
Add suggestions
2024-05-31 20:56:03 +02:00
adfoster-r7
1281f4726f
Land #19209, update fileformat modules to show the default template datastore values
2024-05-31 15:12:48 +01:00
Zach Goldman
847b29178a
change nil guards to default values, nil or blank guards for certain datastore options
2024-05-29 09:34:58 -05:00
Chocapikk
bea708d24c
Add exploit module for CVE-2024-5084: WordPress Hash Form Plugin RCE
2024-05-28 18:27:02 +02:00
Christophe De La Fuente
06cb6aa713
Update cacti_pollers_sqli_rce to use the new library
...
- Update the CSRF token logic in the library
- Update cacti_package_import_rce and cacti_pollers_sqli_rce modules
- Update the FETCH_DELETE logic in cacti_package_import_rce to only
regenerate the payload when necessary
2024-05-23 11:30:48 +02:00
Christophe De La Fuente
c6c5f2bf7a
Add module, lib and documentation
2024-05-22 17:38:53 +02:00
Jack Heysel
10acd86390
Land #19071, Add AVideo RCE module
...
Add module for CVE-2024-31819, which exploits an LFI in AVideo and uses
PHP filter chaining to turn the LFI into unauthenticated RCE.
2024-05-21 14:27:15 -04:00
Chocapikk
da31761336
Lint
2024-05-15 22:13:53 +02:00
Valentin Lobstein
3900680a96
Update modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-05-15 22:07:45 +02:00
Valentin Lobstein
c815c2b15c
Update modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-05-15 22:07:19 +02:00