William Vu
baae9db092
Fix some more things
2020-04-15 15:47:50 -05:00
William Vu
6275b16b04
Fix some things
2020-04-15 15:47:50 -05:00
wvu-r7
1ce6c310ba
Escape double quotes in EL payload
2020-04-15 15:47:50 -05:00
wvu-r7
143d8463ec
Prefer include? for NXSESSIONID=
...
Co-Authored-By: bcoles <bcoles@gmail.com>
2020-04-15 15:47:50 -05:00
William Vu
387c6fc8d2
Add module doc
2020-04-15 15:47:50 -05:00
William Vu
45263b8aa5
Add Nexus Repository Manager Java EL Injection RCE
2020-04-15 15:47:50 -05:00
Metasploit
3f1601c8e4
automatic module_metadata_base.json update
2020-04-15 11:34:56 -05:00
bwatters-r7
b17e10cd39
Land #13256, bump ruby versions
...
Merge branch 'land-13256' into upstream-master
2020-04-15 11:24:17 -05:00
bwatters-r7
77ddf2b761
Land #13208, Archer a7 c7 lan
...
Merge branch 'land-13208' into upstream-master
2020-04-15 11:15:02 -05:00
bwatters-r7
00de145eda
Land #13250, YAML warnings are very unnecessary, they can only do harm
...
Merge branch 'land-13250' into upstream-master
2020-04-15 09:50:40 -05:00
Brent Cook
2b0c4cf758
bump ruby versions
...
Address some recent Ruby vulns by bumping suggested versions to the latest release.
2020-04-15 07:57:49 -05:00
Alan Foster
06cbf2bc60
Landing #13223, add additional automated label actions
2020-04-15 11:54:35 +01:00
Metasploit
88aef963b9
automatic module_metadata_base.json update
2020-04-14 23:46:00 -05:00
gwillcox-r7
be4c66d04c
Land #13213, Liferay Portal Unmarshalling RCE
2020-04-14 23:35:29 -05:00
William Vu
a73a542399
Add a comment to appease the @gwillcox-r7 god
2020-04-14 23:10:28 -05:00
William Vu
c02f74637f
Update print and comments
2020-04-14 23:06:38 -05:00
William Vu
0dedf9225e
s/for/of/
2020-04-14 22:56:09 -05:00
William Vu
6d57857cd1
Switch back to options (show options) in doc
2020-04-14 22:24:01 -05:00
William Vu
c95823d71d
Comment convenience method
2020-04-14 22:07:13 -05:00
William Vu
8f4aa7b761
Comment more comments
2020-04-14 22:04:25 -05:00
William Vu
99c5912cc7
Comment another comment and move stuff around
2020-04-14 21:59:43 -05:00
William Vu
b9382230f6
Comment my comments to myself
2020-04-14 21:41:51 -05:00
William Vu
45cd0ef9f5
Reword sentence to avoid "too" many "to"s
2020-04-14 21:28:41 -05:00
William Vu
a51f9368aa
Add note about installing Docker
2020-04-14 21:24:10 -05:00
William Vu
9452ff0e06
Add note to doc about Liferay being a memory hog
2020-04-14 16:08:29 -05:00
Metasploit
47ddb90ac2
automatic module_metadata_base.json update
2020-04-14 15:10:55 -05:00
Brent Cook
8e701e4956
warnings are warnings, errors are errors
...
Since MSF5 we've said 'WARNING' with print_error about an issue a lot of
users don't really care about (whether there's a database.yaml). While
they lose some functionality, it anecdotally doesn't seem to make a
whole lot of difference in anyone's behavior. Save a few bits and switch
these warning messages to be logged as warnings (which are quiet by
default).
2020-04-14 15:08:58 -05:00
Spencer McIntyre
5ca934bbad
Land #13249, add a note and cleanup files for the VestaCP RCE
2020-04-14 16:01:28 -04:00
William Vu
c9c3f87203
Note tested version in module
2020-04-14 14:01:59 -05:00
William Vu
5fbaf87c96
Move ClassLoader to HTTP::ClassLoader
...
Also note the SSL workaround.
2020-04-14 14:01:18 -05:00
William Vu
9b59a8e194
Be more verbose and validate classloader server
2020-04-14 14:01:18 -05:00
William Vu
06f54765c3
Remove res.code == 200 check again
...
It really isn't necessary when we're looking for just the header.
2020-04-14 14:01:18 -05:00
William Vu
6f77f27ed5
Move deregister_options from module to mixin
...
Whoops, forgot this.
2020-04-14 14:01:18 -05:00
William Vu
c21bb7e9dd
Bump a CheckCode to Detected
...
We get the Liferay-Portal header.
2020-04-14 14:01:18 -05:00
William Vu
69e1714d9a
Don't be lazy anymore and pack lengths as shorts
2020-04-14 14:01:18 -05:00
William Vu
41480a2d88
Clarify classloading is over HTTP
...
HTTPS isn't supported by the clients I've tested.
2020-04-14 14:01:18 -05:00
William Vu
db15baa257
Rename to Msf::Exploit::Remote::Java::ClassLoader
2020-04-14 14:01:18 -05:00
William Vu
673e13d8cb
Unzero the lengths I zeroed so it works
2020-04-14 14:01:18 -05:00
William Vu
950a0d57db
Fix bad regex in Liferay module, too, duh
2020-04-14 14:01:18 -05:00
William Vu
89610a6325
Add a comment header to the new mixin
2020-04-14 14:01:18 -05:00
William Vu
5904745072
Prefer Java variant of K&R, oops
2020-04-14 14:01:18 -05:00
William Vu
559a79726f
Reformat copied Java code
2020-04-14 14:01:18 -05:00
William Vu
d7cf08d5f3
Convert Java classloading code into a mixin
2020-04-14 14:01:18 -05:00
William Vu
d920bb4615
Fix bad regex on length of "Metasploit" string
...
It won't match a char because it's a newline. While sticking "m" on the
end of the regex would work, there is zero reason we can't hardcode the
length, since the string is fixed.
irb(main):001:0> "\nhi" =~ /.hi/
=> nil
irb(main):002:0> "\nhi" =~ /.hi/m
=> 0
irb(main):003:0>
2020-04-14 14:01:17 -05:00
William Vu
83d5a673ac
Rename exploit_class to constructor_class
2020-04-14 14:01:17 -05:00
William Vu
a98215d27e
Relax regex in case of Enterprise Edition (EE)
...
I don't know what the regex would be, since I don't have EE.
2020-04-14 14:01:17 -05:00
William Vu
5e65bb2a6a
Document remote classloading files
2020-04-14 14:01:17 -05:00
William Vu
96242a99a1
Document the magic
2020-04-14 14:01:17 -05:00
William Vu
d220c1045e
Refactor check for precision
2020-04-14 14:01:17 -05:00
William Vu
8297f77d0a
Update vuln discoverer to Markus Wulftange
...
Wasn't in the original blog post, but it's in the vendor advisory.
2020-04-14 14:01:17 -05:00