Commit Graph

38478 Commits

Author SHA1 Message Date
sfewer-r7 eda46f1a10 the check routine should return Safe the first time we try to leverage the vulnerability, if that doesn't work. But still return Unknown if the vulnerability fails the second time we leverage it. 2024-11-22 10:26:06 +00:00
Ashley Donaldson ae61d0a9d6 MSFTidy changes 2024-11-22 13:39:07 +11:00
Valentin Lobstein 2af0f506c2 Update modules/exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve.rb 2024-11-22 02:01:12 +01:00
Chocapikk c5ce193fd5 Remove dup line 2024-11-21 23:10:18 +01:00
Chocapikk 9c74467950 Refactor code + add check and autocheck 2024-11-21 22:48:36 +01:00
Spencer McIntyre 0ec9b1bcb9 Fix a multicast socket issue 2024-11-21 15:14:46 -05:00
Spencer McIntyre 24d3ef16cf Remove some unnecessary code, switch to passive stance 2024-11-21 15:08:43 -05:00
jheysel-r7 d95d549992 Land #19531 ProjectSend r1335 - r1605 RCE module 2024-11-21 09:53:36 -08:00
sfewer-r7 41bcf4629f The payload was essentially being encoded twice (thanks for calling this out Brendan), we now supply a suitable BadChars and let the framework encode the framework payload. We rename the variable payload to bootstrap_payload as this was colliding with the framework's payload variable, which was not the intent. 2024-11-21 17:37:34 +00:00
ostrichgolf 68eb6599fd Create projectsend_unauth_rce 2024-11-21 09:34:58 -08:00
sfewer-r7 d2f6e0e10f As the payload option FETCH_WRITABLE_DIR may not be available if a non-fetch-based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00
sfewer-r7 f9b099a46d remove the DefaultOption PAYLOAD value, and let the framework pick one for us. Mention I tested the exploit with cmd/linux/http/x64/meterpreter_reverse_tcp 2024-11-21 16:22:02 +00:00
sfewer-r7 d40bbd047e remove the DefaultOption FETCH_COMMAND value of WGET, as the default the framework will pick, CURL, will work great. 2024-11-21 16:21:00 +00:00
Stephen Fewer b8f36628da remove an unnecessary space in the command to write a chunk to disk.
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-11-21 16:08:33 +00:00
Stephen Fewer 077f8700b9 remove an unnecessary space in this command.
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-11-21 16:08:09 +00:00
adfoster-r7 d9d7f1a898 Merge pull request #19654 from h00die/strapi
strapi 3.0.0 beta 17.4 password reset (CVE-2019-18818)
2024-11-21 12:35:30 +00:00
h00die 0f6da56a52 vcenter sudo module 2024-11-21 04:34:15 -05:00
Ashley Donaldson 469671e59d Added LDAP password change module 2024-11-21 17:34:21 +11:00
h00die 4ff389762d xspy updates 2024-11-20 19:35:19 -05:00
jheysel-r7 afbbba09e8 Land #19584 Judge0 sandbox escape CVE-2024-28185, CVE-2024-28189 2024-11-20 14:35:38 -08:00
Takah1ro da6f8cd552 Add Judge0 module and document 2024-11-20 14:15:38 -08:00
Ashley Donaldson 1a20bed286 Option description fix 2024-11-21 07:48:53 +11:00
jheysel-r7 05cbd1d9a3 Land #19593 Add exploit for CVE-2023-28324 (Unauthenticated RCE in Ivanti EPM)
This exploits an unauthenticated RCE in Ivanti's EPM where a .NET remoting client can invoke a method that results in an OS command being executed in the context of NT AUTHORITY\SYSTEM.
2024-11-20 11:18:58 -08:00
Spencer McIntyre e52edf447c Implement feedback from the PR 2024-11-20 13:51:39 -05:00
Ashley Donaldson 4766976463 Removed executable status 2024-11-20 17:06:53 +11:00
Ashley Donaldson cec793f8f5 Msftidy changes 2024-11-20 16:09:21 +11:00
Ashley Donaldson 1ca32eea7e Implement Reset NTLM behaviour. 2024-11-20 15:00:56 +11:00
Ashley Donaldson 8158cf5bae Add Reset and Change_NTLM actions 2024-11-20 12:13:41 +11:00
sfewer-r7 2469d4ea23 add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00
Spencer McIntyre f7e210d3e9 Merge pull request #19624 from cdelafuente-r7/fix/mod/ms_icpr
Fix a crash when generating CSRs with OpenSSL 3.4.0
2024-11-19 10:58:52 -05:00
bwatters-r7 441a3215b2 Catch up to head on other branch 2024-11-19 08:59:22 -06:00
Ashley Donaldson 479078a5f2 Adding changing/resetting password module 2024-11-19 17:44:59 +11:00
h00die 6bd049e346 operator working 2024-11-18 20:09:13 -05:00
gardnerapp 19770cf870 Remove unneeded file and Rubocop corrections
Update modules/exploits/linux/local/gameoverlay_privesc.rb

Co-authored-by: Brendan <bwatters@rapid7.com>

Give bwatters7 credit, add docs

Experiment with randomized bash copy and Rex::File.join

remove unused line

Add missing parenthesis

fix problem with bash copy

Remove rex::join, call proper method for generating payload

add exploit::exe mixin, bash copy randomization

Rubocop changes

Remove nc
2024-11-18 17:01:08 -06:00
gardnerapp 6e09722f67 Rubocop changes and arch tracking for payload
Update modules/exploits/linux/local/gameoverlay_privesc.rb

Co-authored-by: Brendan <bwatters@rapid7.com>

Rubocop changes
2024-11-18 16:59:37 -06:00
gardnerapp c6425f7245 Break out command building to make it easier to read
Update modules/exploits/linux/local/gameoverlay_privesc.rb

Co-authored-by: Brendan <bwatters@rapid7.com>
2024-11-18 16:58:56 -06:00
gardnerapp e506c34e13 Update modules/exploits/linux/local/gameoverlay_privesc.rb
Co-authored-by: Brendan <bwatters@rapid7.com>
2024-11-18 16:57:17 -06:00
gardnerapp 883a0f8985 Update modules/exploits/linux/local/gameoverlay_privesc.rb
Co-authored-by: Brendan <bwatters@rapid7.com>
2024-11-18 16:57:17 -06:00
gardnerapp 51194ad0c9 Rebase and maintain authorship
Rebase and change payload delivery

Rebase and remove cmdstager
Update modules/exploits/linux/local/game_overlay_privesc.rb

Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>

remove CmdStager Mixin

Add PrependSetuid

Remove python from exploit

Remove generate_payload_exe and add dynamic directory to upper mount layer

Change where payload is dropped

Remove FileUtils module

Call proper method for generating payload

Separate exploit and triggering of payload

Separate exploit and triggering payload

test
2024-11-18 16:55:59 -06:00
gardnerapp c927f22d66 Update modules/exploits/linux/local/game_overlay_privesc.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-11-18 16:44:33 -06:00
Corey 5edec2525f Rebase and Squash
init

Add module scaffolding

Add Opts, check and exploit methods

Rubocop changes

Add checks for vulnerable kernel versions

Write check for distro type

Finish prototype of check, add exploit

Make changes to check method

Add checkcode

Add x86 for payload compatibility

remove check, add kernel version

add codename, transform keys in vuln

Note

minor spelling change

Add description

Add cve references

Start trying to drop payloads on disk

Change description, include modules for file upload, use proper methods for writing payload

continue trying to upload

Use write_file instead of upload_and_chmodx

remove upload_dir opt

experiment w/ g1vi exploit

Include cmd_stage module, add generate_payload_exe, run payload in new namespace

Add missing call to setcap, fix description

Fix unterminated string, fix directory for calling python copy

Rubocop changes

Create dynamic payload

Add mkdir_p and WritableDir opts

Update modules/exploits/linux/local/game_overlay_privesc.rb

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>

Revert back to python exploit, add dynamic writable dir

Add todos

Remove FileUtils

Change module name

Add checkcodes

Add more checkcodes
2024-11-18 16:41:38 -06:00
adfoster-r7 1ed2d7e258 Merge pull request #19658 from cdelafuente-r7/fix/mod/get_ticket/file_read
Fix `auxiliary/admin/kerberos/get_ticket` issue on Windows
2024-11-18 16:08:27 +00:00
Christophe De La Fuente 2970c99471 Use binread instead 2024-11-18 15:32:08 +01:00
Spencer McIntyre dd7e1786e1 Merge pull request #19643 from smashery/dcsync_individual
DCsync individual accounts and groups
2024-11-18 09:25:21 -05:00
Christophe De La Fuente 7c512b7054 Read the certificate in binary mode 2024-11-18 15:11:36 +01:00
h00die f38661d6c3 pod user working 2024-11-18 07:30:21 -05:00
sfewer-r7 4856817131 fix a typo 2024-11-18 09:44:53 +00:00
h00die dfebca457c strapi review 2024-11-16 15:47:54 -05:00
h00die 6629d5dff2 strapi password reset 2024-11-15 15:12:34 -05:00
sfewer-r7 feb1ac79da add in a suitable certificate and private key to use by default. 2024-11-15 17:41:31 +00:00