adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
77,480 Commits 27 Branches 1,043 Tags
c23c848d2eeffa5a01dfdcdafa63340002b06eb9
Commit Graph

355 Commits

Author SHA1 Message Date
bcoles 943c94774a Modules: Resolve Rubocop Lint/Syntax violations 2025-05-21 18:27:24 +10:00
jheysel-r7 08e227faca Merge pull request #19934 from sfewer-r7/bugfix-cisco-iosxe-rce 
Improve exploit/linux/misc/cisco_ios_xe_rce (CVE-2023-20198 + CVE-2023-20273)
 2025-03-27 16:51:16 -07:00
sfewer-r7 4c5137846c call fail_with upon failure rather than passing around Failure's as variables. 2025-03-13 09:41:58 +00:00
sfewer-r7 2f5758b8ed improve the logic here 2025-03-04 09:22:11 +00:00
sfewer-r7 efb0d5da4c fix typo, C1000v should be CSR1000v. Be consistant with IOS XE and not IOS-XE. 2025-03-04 09:09:32 +00:00
sfewer-r7 94606036bd typos in comments 2025-03-03 20:45:37 +00:00
sfewer-r7 9c075c7cce Previously the check routine only leveraged the first vuln in the chain, CVE-2023-20198, to perform a version based check. However the second vuln in the chain, CVE-2023-20273, was not verified as to working, so a return code of CheckCode::Vulnerable may no have been acurate if the target was vulnerable to CVE-2023-20198 but not CVE-2023-20273. Now we leverage both CVE-2023-20198 and CVE-2023-20273 to ensure the target is actually vulnerable. For example, it has been observed that the C8000v series appliance version 17.6.5 is vulnerable to CVE-2023-20198, but not vulnerable to CVE-2023-20273, even though the IOS-XE version indicates they should be vulnerable to CVE-2023-20273. As this exploit chains both CVE-2023-20198 and CVE-2023-20273 together, the check routine must verify both CVEs work as expected in order to return CheckCode::Vulnerable (i.e. we cannot solely rely on a version based check via CVE-2023-20198). 2025-03-03 20:29:20 +00:00
sfewer-r7 4a38605576 bugfix the check routine, to get a suitable response from a targets webui path, we must have the trailing slash (seen in a C8000v target, verified to work in both C8000v and C1000v targets) 2025-03-03 20:25:31 +00:00
sfewer-r7 e71a851e3f mention that the C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273. Inspecting the Lua code shows this appliance has additional command injection filtering in place (see pexec_setsid in /usr/binos/openresty/nginx/conf/pexec.lua) which prevents the injection from working 2025-03-03 20:22:46 +00:00
cgranleese-r7 0017fbdf56 Updates more dead links 2025-02-28 10:30:14 +00:00
jheysel-r7 2d1af7d809 Land #19648 Add exploit module for FortiManager (CVE-2024-47575) 2024-12-02 18:31:25 -08:00
jheysel-r7 5a837d1ef6 fix a typo 2024-12-02 18:16:43 -08:00
h00die d13bccca05 peer review 2024-11-28 20:24:25 -05:00
sfewer-r7 68e9b39ffa register teh Rex socket we create via add_socket. This lets teh frameowkr close the socket after we get a session, and will wait up to WfsDelay for that to happen. This lets us remove the other timeout we had, and teh user can always adjust WfsDelay if needed. (Thanks Spencer) 2024-11-22 12:42:08 +00:00
sfewer-r7 e5cdf6097d favor File.binread over File.read 2024-11-22 12:40:19 +00:00
sfewer-r7 f59bfe98a3 remove the default payload and the default fetch command, and let the framework choose them for us. 2024-11-22 12:39:34 +00:00
sfewer-r7 2ba112a5a4 We can use OptPath here instead of OptString. Also are these are optional, and we dont specify a default, we can omit the nil default value. 2024-11-22 12:38:46 +00:00
sfewer-r7 000ffb2406 make the check routine return a message for Detected. 2024-11-22 12:37:50 +00:00
sfewer-r7 4856817131 fix a typo 2024-11-18 09:44:53 +00:00
sfewer-r7 feb1ac79da add in a suitable certificate and private key to use by default. 2024-11-15 17:41:31 +00:00
sfewer-r7 e520ca7ee9 comment the intent of this code block 2024-11-15 12:29:31 +00:00
sfewer-r7 2ec5778405 get_cert_subject_item may return nil, so test for that here 2024-11-15 12:28:25 +00:00
sfewer-r7 51ad7ad0bf improve the send_packet logic to fail gracefully if bad data is recieved 2024-11-15 12:27:33 +00:00
sfewer-r7 c3bd4792ec rename SSLClientCert and SSLClientKey to ClientCert and ClientKey. This then matcheds up with ClientSerialNumber and ClientPlatform, which is clearer IMHO. Also, we explicitly create a Rex TCP socket, so these param names no longer collide with what a mixin would use 2024-11-15 09:44:50 +00:00
sfewer-r7 6eb15d5b66 add a helper method get_cert_subject_item 2024-11-15 09:42:59 +00:00
sfewer-r7 91587ce30b this message can be on a single line 2024-11-15 09:42:06 +00:00
sfewer-r7 e89c27fa3b fix some typos. Make msftidy happy. Add comments to the external references. 2024-11-15 08:54:32 +00:00
sfewer-r7 47f924bb8f add in the initial work on the FortiManager exploit. 2024-11-14 18:53:12 +00:00
h00die 4ebc6f1ff1 peer review 2024-11-11 17:37:33 -05:00
h00die 594c3a82ea peer review 2024-11-11 17:32:49 -05:00
h00die 0de93eedb7 asterisk ami auth rce 2024-11-04 16:27:58 -05:00
h00die 9cba5dad59 WIP for asterisk rce 2024-11-01 16:28:45 -04:00
adfoster-r7 62a3f73e70 Update rubocop target ruby version 2024-07-24 16:47:17 +01:00
Christophe De La Fuente 8fc6e20cec Update other modules to use java_class_loader_start_service and cmdstager_start_service 2024-06-14 12:57:42 +02:00
fanqiaojun 6b2bdc893b chore: remove repetitive words 
Signed-off-by: fanqiaojun <fanqiaojun@yeah.net>
 2024-04-15 11:06:50 +08:00
sfewer-r7 2a56c3f28b remove redundant \d in check regex 2023-11-07 09:21:04 +00:00
sfewer-r7 25ef7d1272 add the RCE exploit 2023-11-06 17:12:40 +00:00
Spencer McIntyre 8e8b8ad191 Update nimbus_gettopologyhistory_cmd_exec 2023-09-12 12:21:10 -04:00
Spencer McIntyre ba84c0484c Update the Nimbus module to use the Thrift client 2023-09-11 14:42:54 -04:00
sfewer-r7 27f5a789c9 rework the exploit to use the new MIPS64 fetch payload adapters. Removed the seperate command and dropper targets in favor of a single default target which can do both thanks to fetch payloads. Removed the redundant IO select() call which was bad copy pasta on my part. 2023-06-09 09:47:57 +01:00
sfewer-r7 0205bb36d3 change ranking to GreatRanking as stability is CRASH_SERVICE_RESTARTS 2023-05-22 20:09:11 +01:00
sfewer-r7 6b101b5a4d make rubocop happy 2023-05-22 18:03:58 +01:00
Jacob Baines ec5858c198 Added newly assigned CVE identifier 2023-04-27 09:54:48 -04:00
Ron Bowes 7dc1faa689 Better error handling, and fix version detection 2023-04-11 09:34:24 -07:00
Ron Bowes 1a8671311d Move the offsets into a field separate from 'targets' 2023-04-07 10:26:56 -07:00
Ron Bowes 02072418f0 Expand the comment about why we're checking for \xff (since it can't appear in the payload) 2023-04-07 10:10:13 -07:00
Ron Bowes ce111f158a Better error handling 2023-04-06 10:35:33 -07:00
Ron Bowes 523931aa4c Change target options for stack overflow exploit 2023-04-05 15:24:49 -07:00
Ron Bowes c345fe78b8 Fix up error handling and other comments from the PR 2023-04-05 15:13:35 -07:00
Ron Bowes c07ca83d6c Fix the metadata and add an in-memory target 2023-04-05 14:07:12 -07:00