7ddffc790c
Merge pull request #19460 from gardnerapp/game_overlay
...
Land #19460 , CVE-2023-2640, CVE-2023-32629 Game Overlay Ubuntu Privilege Escalation
2024-12-18 14:44:57 -06:00
59229ee612
Update payload name, fix payload escapes & quotation, add unix cmd support
2024-12-17 16:52:24 -06:00
c7f7cfd848
Land #19656 Close ssh session on error
2024-12-11 17:00:17 -08:00
136599a29a
Merge pull request #19714 from bwatters-r7/update/projectsend-cveinfo
...
Add CVE info to projectsend module
2024-12-11 13:54:06 +00:00
5311b7014e
Add CVE info to projectsend module
2024-12-11 07:37:43 -06:00
2421ca768f
Merge pull request #19705 from ostrichgolf/projectsend_rce
...
Add CVE to ProjectSend module
2024-12-07 14:24:20 +00:00
2952dbb0b8
Add CVE to module
2024-12-07 14:23:30 +01:00
be30a06af4
Land #19430 , Moodle RCE (CVE-2024-43425) Module
...
Land #19430 , Moodle RCE (CVE-2024-43425) Module
2024-12-06 12:15:35 +01:00
e8911f9129
Land #19402 vCenter Sudo LPE (CVE-2024-37081)
2024-12-04 18:25:05 -08:00
bca3626cf2
peer review
2024-12-04 18:39:43 -05:00
21cf475cbb
Land #19595 Ivanti Connect Secure auth RCE via OpenSSL (CVE-2024-37404)
2024-12-04 08:26:07 -08:00
ab2ca41eb8
Land #19629 , Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220)
...
Land #19629 , Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220)
2024-12-04 16:49:56 +01:00
fa3716408f
Add comment explaining payload architecture restraints
2024-12-03 18:33:43 -08:00
2d1af7d809
Land #19648 Add exploit module for FortiManager (CVE-2024-47575)
2024-12-02 18:31:25 -08:00
5a837d1ef6
fix a typo
2024-12-02 18:16:43 -08:00
a230a353e4
Land #19613 Asterisk authenticated rce via AMI (CVE-2024-42365)
2024-12-02 08:21:35 -08:00
a46b2f437f
Use TARGET_URI when checking the redirection URI
2024-12-02 16:45:12 +01:00
3dcb9d58ab
Code review
2024-12-02 14:02:07 +01:00
c943cc6378
Add module and documentation
2024-12-02 14:02:07 +01:00
d13bccca05
peer review
2024-11-28 20:24:25 -05:00
566e12b69e
Add error_callback to SSH Command Stream
2024-11-25 16:43:59 +00:00
68e9b39ffa
register teh Rex socket we create via add_socket. This lets teh frameowkr close the socket after we get a session, and will wait up to WfsDelay for that to happen. This lets us remove the other timeout we had, and teh user can always adjust WfsDelay if needed. (Thanks Spencer)
2024-11-22 12:42:08 +00:00
e5cdf6097d
favor File.binread over File.read
2024-11-22 12:40:19 +00:00
f59bfe98a3
remove the default payload and the default fetch command, and let the framework choose them for us.
2024-11-22 12:39:34 +00:00
2ba112a5a4
We can use OptPath here instead of OptString. Also are these are optional, and we dont specify a default, we can omit the nil default value.
2024-11-22 12:38:46 +00:00
000ffb2406
make the check routine return a message for Detected.
2024-11-22 12:37:50 +00:00
d95d549992
Land #19531 ProjectSend r1335 - r1605 RCE module
2024-11-21 09:53:36 -08:00
68eb6599fd
Create projectsend_unauth_rce
2024-11-21 09:34:58 -08:00
0f6da56a52
vcenter sudo module
2024-11-21 04:34:15 -05:00
afbbba09e8
Land #19584 Judge0 sandbox escape CVE-2024-28185, CVE-2024-28189
2024-11-20 14:35:38 -08:00
da6f8cd552
Add Judge0 module and document
2024-11-20 14:15:38 -08:00
441a3215b2
Catch up to head on other branch
2024-11-19 08:59:22 -06:00
6bd049e346
operator working
2024-11-18 20:09:13 -05:00
19770cf870
Remove unneeded file and rudocop corrections
...
Update modules/exploits/linux/local/gameoverlay_privesc.rb
Co-authored-by: Brendan <bwatters@rapid7.com >
Give bwatters7 credit, add docs
Experiment with randomized bash copy and Rex::File.join
remove unused line
Add missing parenthesis
fix problem with bash copy
Remove rex::join, call proper method for generating payload
add exploit::exe mixin, bash copy randomization
Rubocop changes
Remove nc
2024-11-18 17:01:08 -06:00
6e09722f67
Rubocop changes and arch tracking for payload
...
Update modules/exploits/linux/local/gameoverlay_privesc.rb
Co-authored-by: Brendan <bwatters@rapid7.com >
Rubocop changes
2024-11-18 16:59:37 -06:00
c6425f7245
Break out command building to make it easier to read
...
Update modules/exploits/linux/local/gameoverlay_privesc.rb
Co-authored-by: Brendan <bwatters@rapid7.com >
2024-11-18 16:58:56 -06:00
e506c34e13
Update modules/exploits/linux/local/gameoverlay_privesc.rb
...
Co-authored-by: Brendan <bwatters@rapid7.com >
2024-11-18 16:57:17 -06:00
883a0f8985
Update modules/exploits/linux/local/gameoverlay_privesc.rb
...
Co-authored-by: Brendan <bwatters@rapid7.com >
2024-11-18 16:57:17 -06:00
51194ad0c9
Rebase and maintain authorship
...
Rebase and change payload delivery
Rebase and remove cmdstager
Update modules/exploits/linux/local/game_overlay_privesc.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
remove CmdStager Mixin
Add PrependSetuid
Remove python from exploit
Remove generate_payload_exe and add dynamic directory to upper mount layer
Change where payload is dropped
Remove FileUtils module
Call proper method for generating payload
Seperate exploit and triggering of payload
Seperate exploit and triggering payload
test
2024-11-18 16:55:59 -06:00
c927f22d66
Update modules/exploits/linux/local/game_overlay_privesc.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2024-11-18 16:44:33 -06:00
5edec2525f
Rebase and Squash
...
init
Add moduel scaffolding
Add Opts, check and exploit methods
Rubocop changes
Add checks for vunerable kernel versions
Write check for distro type
Finish protoype of check add exploit
Make changes to check method
Add checkcode
Add x86 for payload compatability
remove check, add kernel version
add codenam, transform keys in vuln
Note
minor spelling change
Add description
Add cve references
Start trying to drop payloads on disk
Change description, include modules for file upload, use proper methods for writing payload
continue trying to upload
Use write_file instead of upload_and_chmodx
remove upload_dir opt
expirement w g1vi exploit
Include cmd_stage module, add generate_payload_exe, run payload in new namespace
Add missing call to setcap, fix description
Fix unterminated string, fix directory for calling python copy
Rubocop changes
Create dynamic payload
Add mkdir_p and WritableDir opts
Update modules/exploits/linux/local/game_overlay_privesc.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
Revert back to python exploit, add dynamic writable dir
Add todos
Remove FileUtils
Change module name
Add checkcodes
Add more checkcodes
2024-11-18 16:41:38 -06:00
f38661d6c3
pod user working
2024-11-18 07:30:21 -05:00
4856817131
fix a typo
2024-11-18 09:44:53 +00:00
feb1ac79da
add in a suitable certificate and private key to use by default.
2024-11-15 17:41:31 +00:00
5d9add4450
Merge pull request #19640 from jheysel-r7/pyload_js2py_cve_2024_39205
...
Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)
2024-11-15 09:24:37 -05:00
e520ca7ee9
comment the intent of this code block
2024-11-15 12:29:31 +00:00
2ec5778405
get_cert_subject_item may return nil, so test for that here
2024-11-15 12:28:25 +00:00
51ad7ad0bf
improve the send_packet logic to fail gracefully if bad data is recieved
2024-11-15 12:27:33 +00:00
c3bd4792ec
rename SSLClientCert and SSLClientKey to ClientCert and ClientKey. This then matcheds up with ClientSerialNumber and ClientPlatform, which is clearer IMHO. Also, we explicitly create a Rex TCP socket, so these param names no longer collide with what a mixin would use
2024-11-15 09:44:50 +00:00
6eb15d5b66
add a helper method get_cert_subject_item
2024-11-15 09:42:59 +00:00
Brendan