RageLtMan
3870dad3d1
Fix handler type copy pasta
2019-06-24 13:55:53 -04:00
Jacob Robles
8be8aa603c
Adjust logic
Early return to reduce nesting ifs
2019-06-24 12:43:26 -05:00
Jacob Robles
3d143f366c
Remove LIMIT and adjust quotes
2019-06-24 12:40:01 -05:00
RageLtMan
510b2f5aac
Trim reverse ssh cmd payload
2019-06-23 21:27:48 -04:00
RageLtMan
d1eaac9932
Implement native reverse SSH via openssh binary
Implement a reverse SSH shell using nothing but the on-target SSH
client and a fifo in the same manner as used by netcat payloads.
This is not forensically sound as the fifo will be caught by HIDS,
filesystem snapshots, and other defensive measures. However, it
does provide a way out from almost any modern POSIX system as they
nearly all have an SSH client in one form or another.
Convert existing Ruby reverse SSH payloads to use dynamic cached
payload sizing.
2019-06-23 05:48:50 -04:00
RageLtMan
c339662fed
SshCommandSession and Ruby Payloads
Implement a command-only session type over the HrrRbSsh client
Connection Channels' file descriptors, adjust from base command
session to deal with the separate reader/writer IOs. Technically,
a TTY session works out of the box here as well.
Implement a pair of showcase Ruby payloads using net/ssh to call
back to the handler, create a shell channel, and loop piping I/O
between framework session and client via the Ruby backtick exec.
Next Steps:
Command payloads need to be written for every major interpreted
language as well as some sort of bashism a la openssl_double if
it comes to that, but preferably single socket implementation.
Testing:
Very minimal, needs a good run through by the community and R7
2019-06-23 05:20:04 -04:00
Carter Brainerd
d2dc5f6077
Review changes
2019-06-22 00:18:44 -04:00
Shelby Pace
54aff89563
add requests to create, remove, clean db backups
2019-06-21 16:00:56 -05:00
Carter Brainerd
d90dba5d6e
Hopefully final msftidy fixes
2019-06-20 17:03:38 -04:00
asoto-r7
358ff635dd
Renamed modules per @wvu's offline suggestion
2019-06-20 15:08:30 -05:00
Shelby Pace
e43fc2d921
added skeleton, check method
2019-06-20 14:05:41 -05:00
Carter Brainerd
1a877abe09
Msftidy was not happy
2019-06-20 14:50:56 -04:00
Carter Brainerd
534e2bc405
Make the darn thing work
2019-06-20 14:40:46 -04:00
Carter Brainerd
fded7fb922
Create bypassuac_silentcleanup.rb
2019-06-20 13:53:54 -04:00
Wei Chen
8920152eca
Add a ZDI reference for CVE-2019-5420 Rails exploit
2019-06-20 10:43:21 -05:00
Shelby Pace
d818a27a7c
added check, path for diaghub exploit
2019-06-19 16:14:02 -05:00
Jeffrey Martin
e1b982dfa9
Land #11993, Explicitly require 'rc4' in the BlueKeep scanner.
2019-06-19 14:42:01 -05:00
Wei Chen
a93a520c3a
Land #11960, Add LPE for Cisco Prime Infrastructure's runrshell exe
2019-06-19 10:49:17 -05:00
Wei Chen
c637755ebd
Land #11956 - Add Cisco Prime Infrastructure Health Monitor Tar RCE
2019-06-19 10:46:35 -05:00
Shelby Pace
4d7d807025
Land #11983, add Webmin package update rce
2019-06-19 08:35:01 -05:00
Shelby Pace
ddf7eadeee
modified version check
2019-06-19 08:31:48 -05:00
Pearce Barry
3f0810502e
Explicitly require 'rc4' in the BlueKeep scanner.
Appears to still operate as expected:
msf5 > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts <target>
rhosts => <target>
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
[+] <target>:3389 - The target is vulnerable.
[*] <target>:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Fixes MS-4291.
2019-06-19 08:27:04 -05:00
Jacob Robles
efeb0a5f5c
Land #11971, zip extraction from modbus pcap
2019-06-18 16:25:27 -05:00
Wei Chen
384cfc7db5
update checkcode
2019-06-18 15:58:57 -05:00
Wei Chen
16cfd3f4ac
Fix typos
2019-06-18 15:49:40 -05:00
Wei Chen
585a4340b2
Add exploit for CVE-2019-0232: Apache Tomcat CGIServlet RCE
2019-06-18 15:28:11 -05:00
Jacob Robles
66c3c6a94b
Remove unused mixin, update save loot logic
Capture mixin was not used. Loot was being
saved when a zip file wasn't found. Updated
file path so the module is under analyze.
2019-06-18 14:08:47 -05:00
asoto-r7
36eeba4e37
Address code review from @jrobles-r7. Thanks!
2019-06-17 16:19:45 -05:00
Shelby Pace
d4d2eab770
removed some whitespace, added a check
2019-06-17 15:29:08 -05:00
asoto-r7
850951e261
Fix a bug in MFA output, and also try to fix Travis complaints
2019-06-17 15:01:51 -05:00
Özkan Mustafa Akkuş
a5020b8f30
Fix spaces at EOL
2019-06-17 13:16:56 +03:00
Özkan Mustafa Akkuş
b5e34cb783
Converting version check request to vars_get
We also need to add the "testing = 1" cookie to the login request. Otherwise, the browser displays a No-Cookie error.
2019-06-17 10:46:46 +03:00
yaumn
e13456ce0d
Add root to the filename
2019-06-16 23:32:57 +01:00
siberguvenlik
17f686a87d
Adding module documentation
2019-06-16 18:27:01 -04:00
yaumn
8faa138289
Change targets and default http delay
2019-06-16 23:13:45 +01:00
siberguvenlik
3d463a1e20
Adding correction of Check and Payload definitions
2019-06-16 17:58:31 -04:00
yaumn
863beaea92
First commit for module Nagios XI RCE
2019-06-16 22:10:32 +01:00
siberguvenlik
414c614b55
CVE-2019-12840 - Add Webmin 1.910 RCE Module
2019-06-16 11:26:00 -04:00
NickTyrer
791da38fe4
update instructions
2019-06-16 11:39:03 +01:00
NickTyrer
b7137ea426
update module flow
2019-06-15 20:03:17 +01:00
NickTyrer
46ebae8231
implemented rubocop suggestions
2019-06-15 11:06:38 +01:00
William Vu
379caff828
Land #11932, TLS and doc'd packets for BlueKeep
2019-06-14 21:10:08 -05:00
William Vu
3d8b474632
Clean up module
2019-06-14 21:09:57 -05:00
jdiog0
6646295d51
modbus zip
Co-Authored-By: @shellfail <jrobles@rapid7.com>
2019-06-14 19:27:54 +01:00
asoto-r7
e2d4dc5f41
Initial concept for AWS IAM enumeration
2019-06-14 13:23:20 -05:00
asoto-r7
1d800a5d9a
Move error handling method up, in preparation for making a library, maybe
2019-06-13 18:40:34 -05:00
asoto-r7
54a17e0a51
Initial concept for AWS S3 enumeration
2019-06-13 18:40:16 -05:00
bwatters-r7
b9cefe1b79
Land #11958, abrt_raceabrt_priv_esc: Fix abrt package version check
Merge branch 'land-11958' into upstream-master
2019-06-13 14:02:15 -05:00
bwatters-r7
aed504c0a9
Land #11944, Implement bind TCP with RC4 decryption for x64
Merge branch 'land-11944' into upstream-master
2019-06-13 12:09:31 -05:00
bwatters-r7
a11d6221d9
Update the session to die after callback
Remove stale old file
2019-06-13 09:08:14 -05:00