adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
77,971 Commits 27 Branches 1,043 Tags
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
Commit Graph

4643 Commits

Author SHA1 Message Date
h00die-gr3y cf5b26dd61 Second release after testing multiple Pandora FMS versions 2024-12-20 20:40:04 +00:00
Brendan 7ddffc790c Merge pull request #19460 from gardnerapp/game_overlay 
Land #19460, CVE-2023-2640, CVE-2023-32629 Game Overlay Ubuntu Privilege Escalation
 2024-12-18 14:44:57 -06:00
h00die-gr3y 2fe0b35384 update2 based on comments 2024-12-18 08:34:10 +00:00
h00die-gr3y 2abde4c923 update based on comments 2024-12-18 08:32:06 +00:00
bwatters-r7 59229ee612 Update payload name, fix payload escapes & quotation, add unix cmd support 2024-12-17 16:52:24 -06:00
sfewer-r7 edf8d186f7 use the HttpClient cookie jar. Thank you @jheysel-r7 for this improvement. 2024-12-17 17:47:00 +00:00
Stephen Fewer c25b3ceb03 typo 4 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-12-17 17:26:46 +00:00
Stephen Fewer 51908d6621 typo 3 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-12-17 17:26:31 +00:00
h00die-gr3y 09ceb48705 init commit module 2024-12-16 16:22:53 +00:00
h00die af462f7dcf arch linux compatibility for runc priv esc 2024-12-16 05:52:29 -05:00
jheysel-r7 c7f7cfd848 Land #19656 Close ssh session on error 2024-12-11 17:00:17 -08:00
adfoster-r7 136599a29a Merge pull request #19714 from bwatters-r7/update/projectsend-cveinfo 
Add CVE info to projectsend module
 2024-12-11 13:54:06 +00:00
bwatters-r7 5311b7014e Add CVE info to projectsend module 2024-12-11 07:37:43 -06:00
adfoster-r7 2421ca768f Merge pull request #19705 from ostrichgolf/projectsend_rce 
Add CVE to ProjectSend module
 2024-12-07 14:24:20 +00:00
ostrichgolf 2952dbb0b8 Add CVE to module 2024-12-07 14:23:30 +01:00
h00die 6911e52d55 peer review 2024-12-06 15:39:19 -05:00
Diego Ledda be30a06af4 Land #19430, Moodle RCE (CVE-2024-43425) Module 
Land #19430, Moodle RCE (CVE-2024-43425) Module
 2024-12-06 12:15:35 +01:00
jheysel-r7 e8911f9129 Land #19402 vCenter Sudo LPE (CVE-2024-37081) 2024-12-04 18:25:05 -08:00
h00die bca3626cf2 peer review 2024-12-04 18:39:43 -05:00
jheysel-r7 21cf475cbb Land #19595 Ivanti Connect Secure auth RCE via OpenSSL (CVE-2024-37404) 2024-12-04 08:26:07 -08:00
Diego Ledda ab2ca41eb8 Land #19629, Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) 
Land #19629, Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220)
 2024-12-04 16:49:56 +01:00
jheysel-r7 fa3716408f Add comment explaining payload architecture restraints 2024-12-03 18:33:43 -08:00
jheysel-r7 2d1af7d809 Land #19648 Add exploit module for FortiManager (CVE-2024-47575) 2024-12-02 18:31:25 -08:00
jheysel-r7 5a837d1ef6 fix a typo 2024-12-02 18:16:43 -08:00
jheysel-r7 a230a353e4 Land #19613 Asterisk authenticated rce via AMI (CVE-2024-42365) 2024-12-02 08:21:35 -08:00
Christophe De La Fuente a46b2f437f Use TARGET_URI when checking the redirection URI 2024-12-02 16:45:12 +01:00
Christophe De La Fuente 3dcb9d58ab Code review 2024-12-02 14:02:07 +01:00
Christophe De La Fuente c943cc6378 Add module and documentation 2024-12-02 14:02:07 +01:00
h00die d13bccca05 peer review 2024-11-28 20:24:25 -05:00
h00die e41f5ad577 needrestart exploit updates 2024-11-27 15:41:23 -05:00
h00die d778f5469b needrestart improvements 2024-11-26 18:22:48 -05:00
h00die 19394960cd needrestart improvements 2024-11-25 16:40:00 -05:00
h00die d4bd00d48e needrestart improvements 2024-11-25 16:38:18 -05:00
sjanusz-r7 566e12b69e Add error_callback to SSH Command Stream 2024-11-25 16:43:59 +00:00
h00die 7fd82b89df offload files to data 2024-11-22 15:57:18 -05:00
h00die 7025871d34 ubuntu needrestart lpe 2024-11-22 15:44:52 -05:00
h00die 94e5e49052 ubuntu needrestart lpe 2024-11-22 15:44:45 -05:00
sfewer-r7 68e9b39ffa register teh Rex socket we create via add_socket. This lets teh frameowkr close the socket after we get a session, and will wait up to WfsDelay for that to happen. This lets us remove the other timeout we had, and teh user can always adjust WfsDelay if needed. (Thanks Spencer) 2024-11-22 12:42:08 +00:00
sfewer-r7 e5cdf6097d favor File.binread over File.read 2024-11-22 12:40:19 +00:00
sfewer-r7 f59bfe98a3 remove the default payload and the default fetch command, and let the framework choose them for us. 2024-11-22 12:39:34 +00:00
sfewer-r7 2ba112a5a4 We can use OptPath here instead of OptString. Also are these are optional, and we dont specify a default, we can omit the nil default value. 2024-11-22 12:38:46 +00:00
sfewer-r7 000ffb2406 make the check routine return a message for Detected. 2024-11-22 12:37:50 +00:00
sfewer-r7 de599a4407 rework how we calculate the chunk size, we now consume the maximum available space a chunk can take, relative to the size of teh command needed to write the chunk to disk. We also rework the logic to ensure the files are sequential. Finally as the size of a chunk may be less the more chunks we write, we impose a max Payload Space valuecalculated to be 5670 chars. 2024-11-22 10:28:27 +00:00
sfewer-r7 eda46f1a10 the check routing shoudl return Safe the first time we try to leverage teh vulnerability, if that doesnt work. But still return Unknown if the vulnerability fails the second time we leverage it. 2024-11-22 10:26:06 +00:00
jheysel-r7 d95d549992 Land #19531 ProjectSend r1335 - r1605 RCE module 2024-11-21 09:53:36 -08:00
sfewer-r7 41bcf4629f The payload we essentially being encoded twice (thanks for calling this out Brendan), we now supply a suitable BadChars and let the framewrk encode the framework paylaod. We rename the variable payload to bootstrap_payload as this was colliding with the frameworks payload variable which was not the intent. 2024-11-21 17:37:34 +00:00
ostrichgolf 68eb6599fd Create projectsend_unauth_rce 2024-11-21 09:34:58 -08:00
sfewer-r7 d2f6e0e10f As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00
sfewer-r7 f9b099a46d remove the DefaultOption PAYLOAD value, and let the framework pick one for us. Mention I tested the exploit with cmd/linux/http/x64/meterpreter_reverse_tcp 2024-11-21 16:22:02 +00:00
sfewer-r7 d40bbd047e remove the DefaultOption FETCH_COMMAND value of WGET, as the default the framework will pick, CURL, will work great. 2024-11-21 16:21:00 +00:00