adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
76,835 Commits 27 Branches 1,043 Tags
d4001ef5587f486cdc7a6019d3fe2f2cd2d94bdd
Commit Graph

4534 Commits

Author SHA1 Message Date
Takahiro Yokoyama 5945e0db0e Update modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb 
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
 2025-04-16 22:05:04 +09:00
Takah1ro edcc30699a Make user be able to specify a particular endpoint 2025-04-16 21:47:31 +09:00
Takah1ro 4463bb2ced Support a pure-python payload 2025-04-16 21:25:36 +09:00
Takah1ro 6d936a72b1 Delete ARTIFACTS_ON_DISK 2025-04-16 20:54:22 +09:00
Takah1ro e51cd24383 Add BentoML RCE module (CVE-2025-27520) 2025-04-15 22:46:42 +09:00
msutovsky-r7 fe9a0ad25b Land #20008, PandoraFMS Auth RCE module 
Pandora FMS authenticated RCE [CVE-2024-12971]
 2025-04-08 07:50:28 +02:00
h00die-gr3y 40ba981c98 update based on reviewer suggestions 2025-04-07 14:29:51 +00:00
Takah1ro 39e4093310 Rubocop formatting after applied suggestions 2025-04-07 21:03:58 +09:00
Takahiro Yokoyama 7aabe06f66 Apply suggestions from code review 
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
 2025-04-07 20:59:57 +09:00
Takah1ro ec6f4022cd Make the Ruby code error-safe 2025-04-07 20:28:57 +09:00
Takah1ro f42083db03 Increased the size of email to avoid duplicate 2025-04-07 20:23:31 +09:00
Takahiro Yokoyama 35c1ccccdb Update modules/exploits/linux/http/appsmith_rce_cve_2024_55964.rb 
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
 2025-04-07 20:06:55 +09:00
h00die-gr3y 76fb34a5db small update in description of the module and documentation 2025-04-06 10:49:03 +00:00
h00die-gr3y 8a72fd6861 init module and documentation 2025-04-06 10:33:56 +00:00
Takah1ro 139dd50333 Add Appsmith RCE module (CVE-2024-55964) 2025-04-05 14:56:04 +09:00
jheysel-r7 08e227faca Merge pull request #19934 from sfewer-r7/bugfix-cisco-iosxe-rce 
Improve exploit/linux/misc/cisco_ios_xe_rce (CVE-2023-20198 + CVE-2023-20273)
 2025-03-27 16:51:16 -07:00
Spencer McIntyre bf1f919d9f Merge pull request #19957 from msutovsky-r7/auxmodule-eramba-update 
Auxmodule eramba update
 2025-03-25 13:54:24 -04:00
Martin Sutovsky 95f9e22eff Addressing comments 2025-03-20 20:46:38 +01:00
Martin Sutovsky df027f3fdd Update documentation, adding more precise check, removing unnecessary characters 2025-03-20 15:18:55 +01:00
msutovsky-r7 741a222e9a Land #19961, fixing incorrect URL in the InvoiceNinja module 
BUGFIX invoiceninja module - fixed invalid attackerkb reference
 2025-03-14 11:15:23 +01:00
msutovsky-r7 9961bfbc58 Land #19950, module for InvoiceShelf unauthenticated PHP deserialization 
InvoiceShelf unauthenticated PHP deserialization vulnerability [CVE-2024-55556]
 2025-03-14 10:21:56 +01:00
h00die-gr3y 84012fd60c fixed invalid attackerkb reference 2025-03-14 08:23:10 +00:00
h00die-gr3y 0ca2599f48 update based on review comments 2025-03-14 08:04:22 +00:00
Martin Sutovsky 9886f78575 Upgrade Eramba RCE module 2025-03-13 12:34:50 +01:00
sfewer-r7 4c5137846c call fail_with upon failure rather than passing around Failure's as variables. 2025-03-13 09:41:58 +00:00
h00die-gr3y 1ca57c86fc added base64 encoding in php payload execution 2025-03-11 21:30:32 +00:00
h00die-gr3y e341398871 small update on module and documentation 2025-03-10 19:35:37 +00:00
h00die-gr3y 281b728000 initial module and documentation 2025-03-07 17:34:22 +00:00
msutovsky-r7 196d95b2bf Land #19944, adding dynamic session for module CVE-2025-0655 
Update dtale_rce_cve_2025_0655.rb to use dynamically generated session
 2025-03-07 14:35:51 +01:00
Takah1ro edb47d968c Update function name after applied suggestion 2025-03-07 08:05:00 +09:00
Takahiro Yokoyama 233c710d82 Update modules/exploits/linux/http/dtale_rce_cve_2025_0655.rb 
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
 2025-03-07 07:54:50 +09:00
adfoster-r7 8604c72ef4 Merge pull request #19895 from cgranleese-r7/update-dead-module-references 
Update dead module references
 2025-03-05 16:57:05 +00:00
Takah1ro bf5ae87a3d Use dynamically generated session 2025-03-05 12:56:01 +09:00
sfewer-r7 2f5758b8ed improve the logic here 2025-03-04 09:22:11 +00:00
sfewer-r7 efb0d5da4c fix typo, C1000v should be CSR1000v. Be consistant with IOS XE and not IOS-XE. 2025-03-04 09:09:32 +00:00
sfewer-r7 94606036bd typos in comments 2025-03-03 20:45:37 +00:00
sfewer-r7 9c075c7cce Previously the check routine only leveraged the first vuln in the chain, CVE-2023-20198, to perform a version based check. However the second vuln in the chain, CVE-2023-20273, was not verified as to working, so a return code of CheckCode::Vulnerable may no have been acurate if the target was vulnerable to CVE-2023-20198 but not CVE-2023-20273. Now we leverage both CVE-2023-20198 and CVE-2023-20273 to ensure the target is actually vulnerable. For example, it has been observed that the C8000v series appliance version 17.6.5 is vulnerable to CVE-2023-20198, but not vulnerable to CVE-2023-20273, even though the IOS-XE version indicates they should be vulnerable to CVE-2023-20273. As this exploit chains both CVE-2023-20198 and CVE-2023-20273 together, the check routine must verify both CVEs work as expected in order to return CheckCode::Vulnerable (i.e. we cannot solely rely on a version based check via CVE-2023-20198). 2025-03-03 20:29:20 +00:00
sfewer-r7 4a38605576 bugfix the check routine, to get a suitable response from a targets webui path, we must have the trailing slash (seen in a C8000v target, verified to work in both C8000v and C1000v targets) 2025-03-03 20:25:31 +00:00
sfewer-r7 e71a851e3f mention that the C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273. Inspecting the Lua code shows this appliance has additional command injection filtering in place (see pexec_setsid in /usr/binos/openresty/nginx/conf/pexec.lua) which prevents the injection from working 2025-03-03 20:22:46 +00:00
msutovsky-r7 3c4d0aae2f Land #19899, D-Tale remote code execution module 
Add D-Tale RCE module (CVE-2024-3408, CVE-2025-0655)
 2025-03-03 13:04:45 +01:00
Takah1ro 47351e4959 Use FETCH_DELETE as default 2025-03-03 20:52:55 +09:00
Takah1ro 65d2b6380b Update vulnerable version 2025-03-02 12:14:25 +09:00
Takah1ro 77c3ce52e0 Improve: 
* Support the prior to 3.13.0 versions
* CVE-2024-3408 bypass for authentication
 2025-03-01 11:58:28 +09:00
Takah1ro 316ecd4d04 Use FETCH_FILELESS as default 2025-03-01 11:55:43 +09:00
cgranleese-r7 df8b0de0c8 Fixes some invalid links 2025-02-28 11:29:59 +00:00
cgranleese-r7 0017fbdf56 Updates more dead links 2025-02-28 10:30:14 +00:00
cgranleese-r7 810e7c4518 Adds scripts to find and replace dead module reference links 2025-02-28 09:20:48 +00:00
Spencer McIntyre c49b49bdcd Merge pull request #19893 from bwatters-r7/fix/loadmaster_priv_esc_cve 
Remove errant CVE reference.
 2025-02-26 14:24:09 -05:00
Takah1ro 40726d1859 Remove unnecessary & guard operator 2025-02-26 21:13:55 +09:00
Diego Ledda 8dd032e529 Land #19897, Invoice Ninja unauthenticated RCE (CVE-2024-55555) and Laravel Crypto Killer mixin 
Land #19897, Invoice Ninja unauthenticated RCE (CVE-2024-55555) and Laravel Crypto Killer mixin
 2025-02-25 13:14:18 +01:00