adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
77,971 Commits 27 Branches 1,043 Tags
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
Commit Graph

38478 Commits

Author SHA1 Message Date
chutton-r7 df8c0b465e Simplified targets, confirmed working with CommonsCollections6 2025-03-19 18:02:11 +00:00
chutton-r7 20e51b44bc Initial commit 2025-03-19 13:52:45 +00:00
Brendan 413c1931f7 Merge pull request #19832 from cdelafuente-r7/mod/relay/smb_to_ldap 
SMB to LDAP relay module
 2025-03-17 11:14:24 -05:00
adfoster-r7 9917f574c0 Merge pull request #19913 from h00die/hash_validator 
hash_cracker_validator script to verify hash cracking
 2025-03-17 15:50:07 +00:00
msutovsky-r7 e484855c05 Land #19960, adding more robust check for CVE-2024-30038 
Fix check method for Windows Kernel Time of Check Time of Use LPE (CVE-2024-30038)
 2025-03-17 10:13:14 +01:00
e2002e 7bbd6406e7 use new domain name. 2025-03-15 03:18:44 +01:00
Christophe De La Fuente 5305e04891 Add a check for the LDAP session feature 2025-03-14 15:28:39 +01:00
Christophe De La Fuente f8760a9e3b Update from code review 2025-03-14 15:28:39 +01:00
Christophe De La Fuente d4fd890fed Add the smb_to_ldap relay module and documentation 2025-03-14 15:28:39 +01:00
e2002e 5e24b8448d Merge https://github.com/rapid7/metasploit-framework 2025-03-14 15:22:59 +01:00
e2002e d982678154 update info 2025-03-14 13:20:32 +01:00
msutovsky-r7 741a222e9a Land #19961, fixing incorrect URL in the InvoiceNinja module 
BUGFIX invoiceninja module - fixed invalid attackerkb reference
 2025-03-14 11:15:23 +01:00
msutovsky-r7 9961bfbc58 Land #19950, module for InvoiceShelf unauthenticated PHP deserialization 
InvoiceShelf unauthenticated PHP deserialization vulnerability [CVE-2024-55556]
 2025-03-14 10:21:56 +01:00
h00die-gr3y 84012fd60c fixed invalid attackerkb reference 2025-03-14 08:23:10 +00:00
h00die-gr3y 0ca2599f48 update based on review comments 2025-03-14 08:04:22 +00:00
Jack Heysel cf08a4e533 Readd missing checks 2025-03-13 13:14:13 -07:00
Jack Heysel 82f07c171b Fix check method 2025-03-13 13:00:24 -07:00
Jack Heysel fdf4531c10 Add SMB to HTTP relay support for get_naa_creds 2025-03-13 10:59:59 -07:00
Martin Sutovsky cac9b6e26b Removing auxiliary module 2025-03-13 12:36:15 +01:00
Martin Sutovsky 9886f78575 Upgrade Eramba RCE module 2025-03-13 12:34:50 +01:00
sfewer-r7 4c5137846c call fail_with upon failure rather than passing around Failure's as variables. 2025-03-13 09:41:58 +00:00
Stefan Pietsch 538cdc1d6f remove Rank, fix title 2025-03-13 08:26:34 +01:00
Stefan Pietsch 5bb5b40eee Add Eramba Remote Code Execution Exploit 2025-03-13 08:26:34 +01:00
Spencer McIntyre f3d644cd84 Use real SiteReference instances 
This fixes an issue in how the vulnerabilities are reported
 2025-03-12 16:26:54 -04:00
h00die-gr3y 1ca57c86fc added base64 encoding in php payload execution 2025-03-11 21:30:32 +00:00
h00die-gr3y e341398871 small update on module and documentation 2025-03-10 19:35:37 +00:00
h00die-gr3y 281b728000 initial module and documentation 2025-03-07 17:34:22 +00:00
msutovsky-r7 196d95b2bf Land #19944, adding dynamic session for module CVE-2025-0655 
Update dtale_rce_cve_2025_0655.rb to use dynamically generated session
 2025-03-07 14:35:51 +01:00
Takah1ro edb47d968c Update function name after applied suggestion 2025-03-07 08:05:00 +09:00
Takahiro Yokoyama 233c710d82 Update modules/exploits/linux/http/dtale_rce_cve_2025_0655.rb 
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
 2025-03-07 07:54:50 +09:00
machang-r7 a0ca1b10af Create sitecore_xp_cve_2025_27218.rb 2025-03-05 17:54:54 -05:00
Spencer McIntyre f6c8b98bd6 Finish up the ESC8 check after more research 2025-03-05 13:44:33 -05:00
Spencer McIntyre 04842eaaee Add a check method to the smb_relay module 2025-03-05 13:44:33 -05:00
Spencer McIntyre b43dc8be08 Switch relay modules, add ESC8 check method 2025-03-05 13:44:33 -05:00
Spencer McIntyre 7950d866f3 Use the existing #validate method for options 2025-03-05 13:44:33 -05:00
Diego Ledda c698979dd3 Land #19935, SonicWall NSv HTTP Login Module 
Land #19935, SonicWall NSv HTTP Login Module
 2025-03-05 18:27:34 +01:00
adfoster-r7 8604c72ef4 Merge pull request #19895 from cgranleese-r7/update-dead-module-references 
Update dead module references
 2025-03-05 16:57:05 +00:00
Takah1ro bf5ae87a3d Use dynamically generated session 2025-03-05 12:56:01 +09:00
sfewer-r7 2f5758b8ed improve the logic here 2025-03-04 09:22:11 +00:00
sfewer-r7 efb0d5da4c fix typo, C1000v should be CSR1000v. Be consistant with IOS XE and not IOS-XE. 2025-03-04 09:09:32 +00:00
Martin Sutovsky 8d7bbdd84f Sonicwall module 2025-03-04 08:20:22 +01:00
jheysel-r7 b1d0eedc26 Merge pull request #19712 from smashery/naa_creds 
NAA creds from SCCM
 2025-03-03 13:50:31 -08:00
sfewer-r7 94606036bd typos in comments 2025-03-03 20:45:37 +00:00
sfewer-r7 9c075c7cce Previously the check routine only leveraged the first vuln in the chain, CVE-2023-20198, to perform a version based check. However the second vuln in the chain, CVE-2023-20273, was not verified as to working, so a return code of CheckCode::Vulnerable may no have been acurate if the target was vulnerable to CVE-2023-20198 but not CVE-2023-20273. Now we leverage both CVE-2023-20198 and CVE-2023-20273 to ensure the target is actually vulnerable. For example, it has been observed that the C8000v series appliance version 17.6.5 is vulnerable to CVE-2023-20198, but not vulnerable to CVE-2023-20273, even though the IOS-XE version indicates they should be vulnerable to CVE-2023-20273. As this exploit chains both CVE-2023-20198 and CVE-2023-20273 together, the check routine must verify both CVEs work as expected in order to return CheckCode::Vulnerable (i.e. we cannot solely rely on a version based check via CVE-2023-20198). 2025-03-03 20:29:20 +00:00
sfewer-r7 4a38605576 bugfix the check routine, to get a suitable response from a targets webui path, we must have the trailing slash (seen in a C8000v target, verified to work in both C8000v and C1000v targets) 2025-03-03 20:25:31 +00:00
sfewer-r7 e71a851e3f mention that the C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273. Inspecting the Lua code shows this appliance has additional command injection filtering in place (see pexec_setsid in /usr/binos/openresty/nginx/conf/pexec.lua) which prevents the injection from working 2025-03-03 20:22:46 +00:00
Jack Heysel 4d57710d92 Make timeout configurable and nil check content 2025-03-03 11:47:10 -08:00
adfoster-r7 2f958c21af Fix crash when running mssql payload against sessions 2025-03-03 19:20:56 +00:00
msutovsky-r7 3c4d0aae2f Land #19899, D-Tale remote code execution module 
Add D-Tale RCE module (CVE-2024-3408, CVE-2025-0655)
 2025-03-03 13:04:45 +01:00
Takah1ro 47351e4959 Use FETCH_DELETE as default 2025-03-03 20:52:55 +09:00