17c393f101
Land #14046 , Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
54f5e565fa
Land #14330 , SpamTitan Gateway Remote Code Execution
...
Merge branch 'land-14330' into upstream-master
2021-01-04 12:14:12 -06:00
7de662c807
Land #14521 , Struts2 Multi Eval OGNL RCE
2020-12-23 11:40:16 -06:00
70f8ff31f8
Update documentation to include missing extra options I forgot to document, edit the wording on the module to match the documentation, and do final touch ups.
2020-12-23 10:50:22 -06:00
d99c2ac783
linguistic fixes of 'does not exists'
2020-12-23 11:36:38 +08:00
8a932b847a
Apply RuboCop edits
2020-12-22 17:57:38 -06:00
4a449f97d3
Land #14522 , Replace hard-coded Shiro default key with ENC_KEY
2020-12-22 09:26:49 -06:00
7d0cb771a5
Apply RuboCop updates to module.
2020-12-21 17:31:24 -06:00
24e8aeffe5
Incorporate review feedback and update the associated documentation.
2020-12-21 17:29:21 -06:00
57c57a398d
Adding new check to filter out Windows 7 and Windows XP. Indeed, lab experiments has shown that BITS does not attempt to connect to WinRM port, making those systems not vulnerable.
2020-12-19 02:51:48 +01:00
dc6b67f4c6
Land #14509 , Fixes for Solr RCE
2020-12-18 21:51:06 +01:00
9b8b4621df
Land #14368 , Pulse Connect Secure gzip RCE: cve-2020-8260
2020-12-17 17:43:55 -05:00
43b1497cf6
Remove some debug info and mark bind payloads as being incompatible
2020-12-17 16:36:20 -05:00
be3a1eb9d6
Guard against empty response
2020-12-16 18:25:17 -06:00
87dacce2cd
Land #14446 , Add Oracle Solaris SunSSH PAM parse_user_name() exploit (CVE-2020-14871)
2020-12-16 16:01:32 -05:00
a939704f9d
Add an SNMPPORT options
2020-12-16 15:15:27 +01:00
60bcc95edc
Fix documentation
2020-12-16 15:15:27 +01:00
a6102bd8ac
Make rubocop happy
2020-12-16 15:15:27 +01:00
99d3f66271
Add authentication and refactor
2020-12-16 15:15:27 +01:00
08f051e959
Apply rubocop
2020-12-16 15:15:27 +01:00
56560c901b
Add SpamTitan RCE module
2020-12-16 15:15:26 +01:00
9be1e8c295
replace hard-coded shiro default key with SHIROKEY
2020-12-16 11:03:30 +08:00
941ba923f7
Add missing module notes
2020-12-15 19:58:04 -05:00
3d7ed70cec
Tweak the check method and add module docs
2020-12-15 19:49:29 -05:00
289605f532
Require that the user know the CVE since the check is questionable
2020-12-15 19:17:35 -05:00
9bdf591a98
Add a working command stager for CVE-2020-17530
2020-12-15 09:13:06 -05:00
7826cbb8de
Initial addition of the Struts2 Double Eval exploit
2020-12-15 09:13:06 -05:00
9c47803609
increase wfsdelay
2020-12-14 14:54:54 +00:00
7af996ae4c
add offsets
2020-12-14 14:54:54 +00:00
a30cdfc892
Fix #14254 , Add CVE-2020-1054, win32k DrawIconEx OOB Write LPE
2020-12-14 14:54:54 +00:00
98d6364248
Land #14482 , Use CVE-2020-5752 path traversal bypass for CVE-2019-3999
2020-12-14 15:10:09 +01:00
f255724e01
Changes to support older Solr (tested 5.3.0)
...
Use a new parameter instead of a header because older versions don't
have access to the request object.
There was an issue where the exploit would fail if the exec returned -1
despite the payload otherwise working, fixed by not trying to return
output in that case.
Also updates the documentation to reflect that we have a Java target now
and quoting is no longer a concern.
2020-12-13 19:05:47 -06:00
ba125c1c64
Merge remote-tracking branch 'upstream/master' into feature/solaris
2020-12-11 14:25:05 -06:00
1fec224bae
Adding a new check raised by an unforeseen usecase. I tested the usecase of a webserver on which a malicious user succeeded to upload a meterpreter .exe and execute it by calling its url. The meterpreter sessions belongs to IUSRS, which is not allowed to enumerate services. Thus the exploit fails, but checks pass. So added new checks for filtering this usecase.
2020-12-11 05:22:37 -05:00
d1956199aa
Updating a warning message.
2020-12-11 03:58:14 -05:00
53a12a7984
Updating doc.
2020-12-11 03:53:25 -05:00
83943adf8b
Land #14466 , add Aerospike UDF rce
2020-12-10 11:07:56 -06:00
a9e231ad0a
Use CVE-2020-5752 path traversal bypass for CVE-2019-3999
2020-12-10 12:14:47 +00:00
38cd5817d7
Updating authors.
2020-12-10 02:09:24 -05:00
c8f1dfa642
Land #14479 , enhanced CVE-2020-25592 check
2020-12-10 00:56:52 -06:00
c005492ee9
Updating doc.
2020-12-10 00:58:53 -05:00
b7bf7fcc86
Updating functions comments.
2020-12-10 04:08:49 -05:00
4883050f7f
Adding new options to module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen (because on some Windows configuration, WinRM should listen on port 47001).
2020-12-10 03:53:06 -05:00
9696e709ae
Remove unused vprint_status conditional
2020-12-09 22:48:16 -06:00
e52084242f
Remove unused vprint_status conditional
2020-12-09 22:45:41 -06:00
399c8dbb79
Don't be lazy about sending the request
...
Don't telegraph our command injection _quite_ so much. We still
"complete" the initial command line to minimize disruption.
I am now backgrounding ssh-keygen to improve the speed of the exploit.
2020-12-09 22:07:08 -06:00
a33a6e6c55
Don't be lazy about checking the redirect
...
And don't be lazy about sending the request.
To trigger UnexpectedExceptionPage, we can send bogus data instead of
telegraphing our payload-less gadget chain.
God, I'm so lazy. This took like five extra minutes. :|
2020-12-09 21:09:49 -06:00
9452c1dcfa
Fix merge conflict from #14202 , in linear history
2020-12-09 17:24:29 -06:00
367c5e747f
Land #14470 , Fix ssi template for some sharepoint versions
2020-12-09 16:23:34 -05:00
d337d832b8
Land #14422 , add GitLab file read/rce
2020-12-09 11:34:14 -06:00
Christophe De La Fuente