Commit Graph

3972 Commits

Author SHA1 Message Date
Spencer McIntyre 05fcbd803e Add a new Retry mixin 2022-05-11 15:41:37 -04:00
bwatters 92715c883f Land #16423, Add module for exploit CVE-2022-22965
Merge branch 'land-16423' into upstream-master
2022-05-10 08:44:06 -05:00
Spencer McIntyre ece5e2699a Automatically identify the HTTP method 2022-05-05 10:24:04 -04:00
dwelch-r7 a76600f4a9 Land #16462, add support for armle/aarch64 architectures 2022-05-03 15:48:50 +01:00
Spencer McIntyre 7faac7faa4 Update the JSP file to delete itself 2022-05-02 14:34:51 -04:00
Spencer McIntyre 3bdb8e02e2 Use an exponential backoff to retry 2022-05-02 12:30:43 -04:00
Spencer McIntyre 0f8a35e4d3 Whitespace, grammar and timing changes 2022-05-02 10:45:21 -04:00
Jack Heysel 2b8ea72e51 Added autocheck fixed execute_payload method 2022-04-28 08:55:17 -07:00
vleminator 1185cfd99f Add support for payload dropper with windows path (backslash) 2022-04-28 00:02:19 +02:00
vleminator 6c75b7efcb Add WriteableDir as an advanced module option 2022-04-27 23:38:51 +02:00
vleminator 868d35a1ed bugfix encoding of the jsp payload dropper 2022-04-27 23:35:31 +02:00
vleminator 71eb6e6fb6 Refactor code to improve readability and remove unused code 2022-04-27 23:32:36 +02:00
Jack Heysel 5b82a978ea Added reference removed default payload 2022-04-27 09:48:21 -07:00
Jack Heysel 253cb8580a Responded to comments added retry_until_true 2022-04-27 09:45:18 -07:00
vleminator f57bdabb41 Refine the check method to perform less-invasive exploit validation 2022-04-27 14:05:47 +02:00
Jack Heysel a941fea26a Removed unused import added target_uri 2022-04-26 14:11:10 -07:00
Jack Heysel a8ae08d138 Updated authors 2022-04-26 13:55:59 -07:00
Jack Heysel 86ff080d31 Merge branch 'wso2-file-upload-rce' of github.com:jheysel-r7/metasploit-framework into wso2-file-upload-rce 2022-04-26 13:53:17 -07:00
Jack Heysel 1879a7568f Updated authors 2022-04-26 13:52:59 -07:00
jheysel-r7 266d3bb9ca Apply suggestions from @bcoles code review
Co-authored-by: bcoles <bcoles@gmail.com>
2022-04-26 13:40:25 -07:00
Jack Heysel 691d9fe001 Added Reliability section to Notes 2022-04-26 13:19:34 -07:00
Jack Heysel 76c8e0b65f Added Notes section to module 2022-04-26 13:01:38 -07:00
Jack Heysel 37c8fff523 Rubocop offenses 2022-04-26 12:51:12 -07:00
Jack Heysel ca0be9c145 Add WSO2 file upload RCE module 2022-04-26 12:29:12 -07:00
Brendan Coles 02d911e655 gdb_server_exec: Cleanup and add support for armle/aarch64 architectures 2022-04-25 19:25:06 +00:00
Jack Heysel 74e69917c6 Land #16450 VNC Keyboard exec fast typing fix
This PR adds small delays in the VNC Keyboard
Exec to avoid typing long commands too fast.
2022-04-21 19:45:46 -07:00
Jack Heysel 1e40595c53 Fixed typo in TIME_KBD_THRESHOLD option 2022-04-21 19:32:57 -07:00
Jack Heysel 4417a335ff Land #16379, Make SSH defaults widely used
Refactored a number of modules to use ssh_client_defaults
2022-04-19 22:08:45 -07:00
Grant Willcox a756df5400 Add in missing RuboCop note sections 2022-04-19 16:40:57 -05:00
Brendan Coles 94ed9ae28b Modules: Prefer CVE references over cve.mitre.org URL references 2022-04-19 20:42:23 +00:00
ORelio 1fdedebacf Add settings to adjust delay and interval
TIME_KBD_DELAY: Delay in milliseconds (0 to disable)
TIME_KBD_TRESHOLD: How many keys between each delay
2022-04-19 17:40:14 +02:00
ORelio fa86decd09 Apply suggestion from code review
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
2022-04-13 18:25:45 +02:00
ORelio 1ddd893b0f VNC Keyboard Exec: Avoid typing too fast
Avoid overloading target's keyboard buffer by inserting small sleeps in long commands
2022-04-13 14:28:17 +02:00
vleminator 2fdcc143c0 Improve usability by turning the payload path into a customizable module option 2022-04-08 11:10:16 +02:00
vleminator cf5bca9166 Improve exploit reliability 2022-04-08 10:47:23 +02:00
vleminator 6c96fd9ab9 Apply rubocop suggestions 2022-04-08 09:48:41 +02:00
vleminator 7b2e8cf37f Apply suggestions from code review
Co-authored-by: bcoles <bcoles@gmail.com>
2022-04-07 16:57:00 +02:00
vleminator 3bba17bc56 fail_with should not be used in check 2022-04-07 16:53:17 +02:00
vleminator b60dd43405 Add modules notes, with Spring4Shell 2022-04-07 16:46:49 +02:00
vleminator 53adf24c86 Apply suggestions from code review
Co-authored-by: bcoles <bcoles@gmail.com>
2022-04-07 16:40:03 +02:00
vleminator 4e6176d9ca Finish exploit CVE-2022-22965 2022-04-07 15:22:18 +02:00
Alexander Neumann 642bb12505 postgres_copy_from_program_cmd_exec: Quote table name
In about 16% of all cases the random value of "tablename" will be set to
a value starting with a number, which needs to be quoted before the
query is sent to the postgres server. Otherwise the query fails with the
message "Exploit failed". This is what happened to me, you can see an
example with a table name set manually here:

    msf6 > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
    [*] Using configured payload cmd/unix/reverse_perl
    msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.2.2
    RHOSTS => 192.168.2.2
    msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set tablename 123test
    tablename => 123test
    [...]
    msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run

    [*] Started reverse TCP handler on 192.168.2.1:4444
    [*] 192.168.2.2:5432 - 192.168.2.2:5432 - PostgreSQL [...]
    [*] 192.168.2.2:5432 - Exploiting...
    [!] 192.168.2.2:5432 - 192.168.2.2:5432 - Unable to execute query: DROP TABLE IF EXISTS 123test;
    [-] 192.168.2.2:5432 - Exploit Failed

This can be verified manually as follows, quoting the table name works:

    $ psql --user postgres -W -h 192.168.2.2 template1
    [...]
    template1=# DROP TABLE IF EXISTS 123test;
    ERROR:  syntax error at or near "123"
    LINE 1: DROP TABLE IF EXISTS 123test;
                                 ^
    template1=# DROP TABLE IF EXISTS "123test";
    NOTICE:  table "123test" does not exist, skipping
    DROP TABLE

With the patch, the script also works with table names which start with
numbers:

    msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run

    [*] Started reverse TCP handler on 192.168.2.1:4444
    [*] 192.168.2.2:5432 - 192.168.2.2:5432 - PostgreSQL [...]
    [*] 192.168.2.2:5432 - Exploiting...
    [+] 192.168.2.2:5432 - 192.168.2.2:5432 - 123test dropped successfully
    [+] 192.168.2.2:5432 - 192.168.2.2:5432 - 123test created successfully
    [+] 192.168.2.2:5432 - 192.168.2.2:5432 - 123test copied successfully(valid syntax/command)
    [+] 192.168.2.2:5432 - 192.168.2.2:5432 - 123test dropped successfully(Cleaned)
    [*] 192.168.2.2:5432 - Exploit Succeeded

    [*] Command shell session 1 opened (192.168.2.1:4444 -> 192.168.2.2:51734 ) at 2022-03-24 10:15:33 +0100
2022-04-04 10:32:01 +02:00
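The failure described in the commit message above comes from PostgreSQL's identifier grammar: an unquoted identifier must start with a letter or underscore, so a randomly generated name beginning with a digit is a syntax error unless it is wrapped in double quotes. The following Ruby is an added example, not the Metasploit module's own code, showing how to quote an identifier safely (doubling any embedded double quote), how to build the DROP TABLE statement from it, and why the reported "about 16%" figure is plausible if the name is drawn from a 62-character alphanumeric alphabet (that alphabet, and the function names, are assumptions made here):

```ruby
# Added example (not Metasploit's code): safe quoting of PostgreSQL identifiers.

# Conservative grammar for an identifier that can be sent unquoted without
# surprises: lowercase start letter or underscore, then lowercase letters,
# digits or underscores. Mixed case is deliberately excluded, because an
# unquoted identifier is folded to lowercase by the server. Reserved words
# (e.g. "table") are not checked here, which is another reason to always quote.
PG_BARE_IDENTIFIER = /\A[a-z_][a-z0-9_]*\z/.freeze

# True when the name would not survive as a bare identifier.
def needs_quoting?(name)
  !(name =~ PG_BARE_IDENTIFIER)
end

# Wrap an identifier in double quotes. Inside a quoted identifier the only
# special character is the double quote itself, which is escaped by doubling.
def quote_pg_identifier(name)
  raise ArgumentError, 'identifier must not be empty' if name.nil? || name.empty?
  raise ArgumentError, 'identifier must not contain NUL' if name.include?("\0")

  "\"#{name.gsub('"', '""')}\""
end

# Build the statement the commit message shows failing when left unquoted.
def drop_table_sql(table)
  "DROP TABLE IF EXISTS #{quote_pg_identifier(table)};"
end

# Assumed alphabet for the random table name: letters of both cases plus
# digits (62 symbols). The share of names starting with a digit is then
# 10/62, roughly 16%, matching the rate reported in the commit message.
ALNUM_ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a).freeze

def digit_first_fraction(alphabet)
  alphabet.count { |c| c =~ /\d/ }.to_f / alphabet.size
end

# Given a list of candidate names, return those that would have broken the
# unquoted query. Constructed sample input for demonstration.
def names_that_need_quoting(names)
  names.select { |n| needs_quoting?(n) }
end

if __FILE__ == $PROGRAM_NAME
  samples = %w[123test abc_1 9lives temp_x 0day Mixed]
  puts "would fail unquoted: #{names_that_need_quoting(samples).inspect}"
  puts drop_table_sql('123test')
  puts format('P(first char is a digit) = %.3f', digit_first_fraction(ALNUM_ALPHABET))
end
```

Quoting unconditionally, as the patch does, is simpler and safer than trying to decide per name; the `needs_quoting?` check is only here to make the failure class visible.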
Spencer McIntyre 211626e7ce Fix the check method, add docs 2022-03-31 09:01:08 -04:00
Spencer McIntyre 94cf23e4cf Finish the Spring Cloud Function exploit 2022-03-30 18:38:41 -04:00
Heyder Andrade 6bc0032c8d Use SSH defaults
- Merge ssh defaults
- Remove options equals to default
2022-03-24 22:52:15 +01:00
Grant Willcox bf88b7f618 Land #16325 - Replace IO read on binary files with File binread 2022-03-24 10:08:40 -05:00
adfoster-r7 03d645016c Land #16250, Update service mixins for NAT options 2022-03-23 00:13:20 +00:00
Spencer McIntyre 86aed4928e Add the HttpListenerBindPort to the log4shell exploit 2022-03-22 09:06:22 -04:00
Spencer McIntyre 6ec530a5ee Improve some error handling 2022-03-21 15:22:00 -04:00
Spencer McIntyre 49aff227c5 Fix character escaping in the apisix exploit 2022-03-21 15:06:03 -04:00