Spencer McIntyre
a6fd6defcb
Escape LDAP query strings
2024-06-18 17:47:56 -04:00
Christophe De La Fuente
764dc89997
Update Java::HTTP::ClassLoader and CmdStager::HTTP
...
- Add specific #on_request_uri, #start_service and #resource_uri methods with distinct names
2024-06-13 16:39:24 +02:00
bcoles
4eecb8ee96
Moodle::Login.moodle_login: fix login success verification regex
2024-06-03 01:49:04 +10:00
adfoster-r7
25a1318052
Land #19170, Refactor smb lookupsid module
2024-05-17 13:43:52 +01:00
Spencer McIntyre
638ad36b12
Fixed names that were missed while refactoring
2024-05-17 10:59:37 +01:00
sjanusz-r7
34ab7d97b2
Follow MS-LSAD and MS-LSAT spec for LSARPC & LookupSids
2024-05-17 10:59:37 +01:00
sjanusz-r7
138a553b36
Add support for configurable RPORT, session & default rports to lookupsid
2024-05-17 10:59:37 +01:00
sjanusz-r7
d569077564
Refactor smb_lookupsid module to use RubySMB
2024-05-17 10:59:37 +01:00
Dean Welch
68f7334348
Fix kerberos auth and missing method error when querying with -a
2024-05-15 16:11:40 +01:00
Dean Welch
7cdea94000
Convert ldap modules to use the new ldap session type
2024-05-15 15:12:51 +01:00
Dean Welch
e693b9588c
Update ldap modules to support an ldap session
2024-05-15 15:12:51 +01:00
Dean Welch
df32ce2db9
Add ldap query support to the ldap session
2024-05-15 15:12:51 +01:00
Dean Welch
3cedb20f75
Add initial ldap session support
2024-05-15 15:12:51 +01:00
Spencer McIntyre
69e35005ee
Add TLS channel binding for kerberos
2024-05-08 16:30:24 -04:00
Spencer McIntyre
cc3fd3bfa0
Update #build_gss_ap_req_checksum_value
...
This updates the #build_gss_ap_req_checksum_value method to allow
control over the flags and channel binding information.
2024-05-08 16:24:54 -04:00
Spencer McIntyre
8dabe17121
Pass the ticket storage setting
2024-05-08 16:24:54 -04:00
Spencer McIntyre
942d47bec5
Add TLS channel binding for NTLM
2024-05-08 16:24:48 -04:00
Christophe De La Fuente
8c76143a9d
Land #19127, Ldap signing
2024-05-07 17:28:36 +02:00
Spencer McIntyre
5523f13394
Fix a message that should refer to LDAP::Signing
2024-05-06 09:40:28 -04:00
Spencer McIntyre
69d603e6fc
Switch to an enum option for the signing
2024-05-03 10:27:10 -04:00
adfoster-r7
4c84f8830f
Land #18907, add mssql_version module
2024-05-03 14:33:35 +01:00
cgranleese-r7
bb473f4004
Reimplement password_spray into login modules
2024-05-03 13:00:24 +01:00
Simon Janusz
76d7fe8dbd
Land #19095, Refactor smb_enumusers
2024-04-25 15:45:23 +01:00
Jack Heysel
aea95c052e
Land #18723, Improve Gitlab fingerprinting
...
A webpage exists that can be reached without authentication that
contains a hash that can be used to determine the approximate version of
gitlab running on the endpoint. This PR enhances our current GitLab
fingerprinting capabilities to include the aforementioned technique.
2024-04-24 12:13:15 -07:00
Zach Goldman
d0a714d1e8
refactor packet parsing code
2024-04-24 15:06:36 -04:00
Zach Goldman
3897b49ca6
add mssql_version module
2024-04-24 15:06:36 -04:00
Jack Heysel
bc4a532cd7
Changed format of GITLAB_CSS_MAP
2024-04-24 11:38:22 -07:00
Jack Heysel
f018295509
Ensure range of Rex::Version objects are always returned
2024-04-24 10:00:16 -07:00
adfoster-r7
e5cf357f9e
Land #19078, ldap acceptance tests
2024-04-24 17:59:24 +01:00
Ashley Donaldson
6d915dbb55
Fix unit tests
2024-04-24 15:54:57 +10:00
Ashley Donaldson
68966b86f1
Give warning on invalid config (SSL and REQUIRE_SIGNING both set to true)
2024-04-24 15:05:03 +10:00
Ashley Donaldson
a4b3c27e28
Provide more meaningful error message when signing is required
2024-04-24 13:37:27 +10:00
Ashley Donaldson
b5f4dfae71
Make encrypting/signing an option
2024-04-24 13:24:05 +10:00
Ashley Donaldson
9aead31bb9
Support encrypted LDAP (ldap signing) over Kerberos and NTLM
2024-04-24 12:56:06 +10:00
jvoisin
5ff05b7cec
Add more fingerprints
2024-04-24 00:12:01 +02:00
Zach Goldman
26a108aadc
Land #19046, Apache Solr Backup Restore RCE [CVE-2023-50386]
2024-04-23 14:08:33 -04:00
Julien Voisin
0b1a4e2a99
Apply suggestions from code review
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-04-23 01:05:57 +02:00
jvoisin
e5bb593607
Improve how we fingerprint Gitlab versions
...
Since I was the one suggesting it in #18716, I kinda volunteered to implement
it. This improvement is based on [Censys's blogpost](https://censys.com/cve-2021-22205-it-was-a-gitlab-smash/)
on the topic, making use of the `/assets/application-….css` files that have
a unique name per gitlab versions.
The fingerprints were acquired with this bash script:
```bash
# Directory inside the gitlab-ce image that holds the compiled assets
assetdir="/opt/gitlab/embedded/service/gitlab-rails/public/assets"
# Fetch the published gitlab-ce image tags from Docker Hub
tags=$(curl -s "https://hub.docker.com/v2/repositories/gitlab/gitlab-ce/tags?page_size=100" | jq -r '.results[].name')
for tag in $tags; do
  # List the assets directory of each image and keep the (non-gzipped) application-*.css name;
  # no TTY is allocated so ls prints one entry per line without CR line endings
  filename=$(docker run --quiet --rm --entrypoint "" "gitlab/gitlab-ce:$tag" ls "$assetdir" | grep -E '^application-.*\.css' | grep -v '\.gz' | cut -d' ' -f1)
  echo "$tag,$filename"
done
```
Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
2024-04-23 01:05:57 +02:00
Spencer McIntyre
837e503170
Refactor the MsSamr mixin to split it out
2024-04-22 13:45:20 -04:00
Spencer McIntyre
a008288e05
Readd support for multiple ports
2024-04-22 13:45:20 -04:00
Spencer McIntyre
f5046d0c2a
Fix the return value of a few methods
2024-04-19 09:06:48 -04:00
Spencer McIntyre
727849202d
Land #19087, chore: remove repetitive words
2024-04-17 09:59:46 -04:00
Jack Heysel
84ea514180
Land #19026, Add pgadmin exploit CVE-2024-2044
...
This adds an exploit for pgAdmin <= 8.3 which is a path traversal
vulnerability in the session management that allows a Python pickle
object to be loaded and deserialized. This also adds a new Python
deserialization gadget chain to execute the code in a new thread so the
target application doesn't block the HTTP request.
2024-04-16 14:12:41 -07:00
fanqiaojun
6b2bdc893b
chore: remove repetitive words
...
Signed-off-by: fanqiaojun <fanqiaojun@yeah.net>
2024-04-15 11:06:50 +08:00
Dean Welch
463200cfb3
Add ldap acceptance tests
2024-04-11 14:40:19 +01:00
Jack Heysel
7f62dd2143
Responded to comments
2024-04-04 13:39:22 -07:00
Jack Heysel
03fced404a
Apache Solr Backup Restore RCE
...
Writing file to disk working
working on linux
wip authentication
Consolidated conf folders into one
Renamed conf1 to conf in msf data dir
Randomize the configuration name
Docs plus finishing touches
rubocop
Updated exploit file location
Removed unused external dir
Reduced conf folder
2024-04-02 11:33:52 -07:00
Spencer McIntyre
2292da9164
Add the UNC loading technique too
2024-03-29 09:33:47 -04:00
Jack Heysel
31cf0e2633
Land #18764, Add unauth Jenkins file read module
...
This PR adds a new module to exploit CVE-2024-23897, an unauth arbitrary
(first 2 lines) file read on Jenkins.
2024-03-28 13:29:39 -07:00
jheysel-r7
14938a2d77
Apply suggestions from code review
2024-03-28 14:41:25 -04:00