adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
49,186 Commits 27 Branches 1,043 Tags
5a978dca2e902ec2344cd7f85dc43ba0b96df108
Commit Graph

2740 Commits

Author SHA1 Message Date
Spencer McIntyre caf76a6555 Add applicable notes to my exploit modules 2018-10-27 20:54:14 -04:00
William Vu 5b14d94957 Land #10671, struts2_namespace_ognl updates 
There are still some outstanding concerns, but I want to unblock this.
 2018-10-12 11:08:33 -05:00
William Vu 2989507b85 Copy check for data_header to avoid crash 
Variable was used but out of scope.
 2018-10-12 11:06:26 -05:00
William Vu 7bc98e0ea8 Fix formatting and convert a missed AKA reference 2018-10-05 03:22:08 -05:00
Jacob Robles 8b955f8ec5 Land #10704, Navigate CMS Unauthenticated RCE 2018-10-04 06:44:21 -05:00
Jacob Robles 97729727d8 Minor modifications 2018-10-02 06:57:04 -05:00
Rob 6f5a8f8f42 Fix outdated metadata 2018-10-01 18:59:09 +01:00
asoto-r7 e4256f4595 Make ENABLE_STATIC an OptBool, as I should have done in the first place 2018-09-27 17:54:22 -05:00
Pyriphlegethon 342cfe4199 Refactor again 2018-09-27 12:38:05 +02:00
Pyriphlegethon 82b1f40925 Add cleanup code 2018-09-27 11:17:53 +02:00
Pyriphlegethon 2b86297138 Refactor 2018-09-27 11:16:54 +02:00
Pyriphlegethon f55483d17d Fix incorrect session_id extraction 2018-09-27 11:07:43 +02:00
Pyriphlegethon f882c3aec2 Add Navigate CMS Unauthenticated Remote Code Execution 2018-09-26 21:39:15 +02:00
asoto-r7 fd8ad6f4d8 struts2_namespace_ognl: Added verbose messages for errors with Tomcat >= 7.0.88 2018-09-18 15:26:28 -05:00
asoto-r7 4933f47ac5 struts2_namespace_ognl: Remove debugging code 2018-09-18 14:46:41 -05:00
asoto-r7 a9e6257891 struts2_namespace_ognl multishot OGNL payloads for Windows Meterpreter support 2018-09-18 14:27:47 -05:00
Brent Cook 6126a627cc Land #10570, AKA Metadata Refactor 2018-09-17 22:29:20 -05:00
Erin Bleiweiss 011c25ed59 Merge changes from master (ghostscript) 2018-09-17 13:57:28 -05:00
William Vu 4c036e70c1 Fix http://seclists.org links to https:// 
I have no idea how this happened in my own code. I was seeing https://.
 2018-09-15 18:54:45 -05:00
Wei Chen 718aaca0f4 Land #10546, Add Apache Struts exploit: CVE-2018-11776 2018-09-07 14:54:23 -05:00
Wei Chen bd50e00ccc Make some small changes: 
Changes made:

* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
 2018-09-07 14:48:33 -05:00
William Vu b3cd4a89ad Move CVE ref to top as per ~standard~ 2018-09-07 14:33:25 -05:00
Adam Cammack 68ca771764 Add CVE reference to ghostscript_failed_restore.rb 2018-09-07 14:24:15 -05:00
asoto-r7 99ca6cef49 Quote-block cleanup and improved error handling 2018-09-07 11:43:04 -05:00
asoto-r7 3671f8f6b0 Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output 
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set.  We now try to detect this as part of `profile_target`.  But that check might fail.  If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.

Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.

Additionally additionally, some Tomcat configurations won't provide output from the payload.  We'll detect that the payload ran successfully, but tell the user there was no output.
 2018-09-06 17:56:42 -05:00
asoto-r7 7eb06b4592 Address travis errors: Updated metadata and target OS logic 2018-09-06 12:43:56 -05:00
asoto-r7 cb16f812ec struts2_namespace_ognl updates from code review 
Thanks to @wvu, @firefart, and @wchen!
 2018-09-06 11:50:57 -05:00
William Vu 243267b2f5 Add Linux dropper target 2018-09-05 19:57:12 -05:00
William Vu 61044e8bca Refactor targets to align with current style 2018-09-05 19:56:32 -05:00
William Vu 692ddc8b8b Eschew updating imagemagick_delegate 
The hype is over, and the target was provided as a bonus. Now update the
module language to reflect that.
 2018-09-05 19:56:32 -05:00
William Vu 1491f13bd5 Add Ghostscript failed restore exploit 2018-09-05 19:56:32 -05:00
Erin Bleiweiss eb17d9b198 Refactor AKA references for modules 2018-08-31 16:56:05 -05:00
asoto-r7 8fe8bf62e3 Renamed to match existing struts2_content_type_ognl and improved comments 2018-08-31 13:48:22 -05:00
asoto-r7 35022d8332 Added payload upload+execution and OGNL-specific URI encoding 2018-08-31 13:39:42 -05:00
William Vu 7c7f63df45 Fix missing normalize_uri in struts2_rest_xstream 
I missed this one previously. May not be necessary but nice to have.
 2018-08-30 15:56:43 -05:00
Jacob Robles 9d3e1c1942 Land #10540, weblogic_deserialize, add check method and linux target 2018-08-30 06:08:03 -05:00
Jacob Robles 3161beff69 Prefer opt hash 2018-08-29 14:56:31 -05:00
Jacob Robles bc4442694e Fix Windows target options, remove comspec 2018-08-29 14:23:00 -05:00
asoto-r7 b373dcc5d4 First draft of module and documentation for struts_namespace_rce against CVE-2018-11776 2018-08-28 16:53:26 -05:00
William Vu f6b868bac2 Prefer regex for target check in exploit method 
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
 2018-08-28 15:56:45 -05:00
William Vu 3dec79da23 Add Windows ARCH_CMD target and refactor again 
Must have been an oversight that I didn't add the target.
 2018-08-28 15:03:41 -05:00
Jacob Robles 94e8cdac37 Move files to correct location 2018-08-28 12:38:54 -05:00
William Vu 7d21c2094e Improve PSH target and refactor check code 2018-08-27 20:18:35 -05:00
William Vu df5f4caaae Uncomment PSH target in struts2_rest_xstream 
I'm full of shit. It works.

msf5 exploit(multi/http/struts2_rest_xstream) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500

meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
 2018-08-27 20:01:00 -05:00
Brent Cook 47ca6c6a14 Land #10527, Fix msftdiy EDB link check, enable HTTPS 2018-08-27 10:49:20 -05:00
Jacob Robles 79b3e4564a Land #10487, add php5 session file target 2018-08-27 06:22:28 -05:00
Brendan Coles 9725e90ba7 Fix msftdiy EDB link check 2018-08-26 04:18:38 +00:00
William Vu 6df235062b Land #10505, post-auth and default creds info 2018-08-24 18:08:15 -05:00
Jacob Robles 7f3824b067 Additional path for Linux target 2018-08-24 07:18:24 -05:00
Wei Chen 3d0d8f7773 Update false negatives on post auth information 2018-08-20 15:43:07 -05:00