Commit Graph

18551 Commits

Author SHA1 Message Date
redwaysecurity.com d89df446bf WIP - added module for CVE-2024-34102
on-behalf-of: @redwaysecurity info@redwaysecurity.com
2024-07-04 16:24:39 +02:00
Christophe De La Fuente 24fa34e7b9 Land #19188, Netis MW5360 unauthenticated RCE [CVE-2024-22729] 2024-06-24 13:40:51 +02:00
Spencer McIntyre 08575d0895 Land #19176, Add missing Arch parameter
Adding Arch parameter to dnn_cookie_deserialization_rce module
2024-06-18 17:07:08 -04:00
Spencer McIntyre 0110ed2b2a Land #19253, Corrected a mistaken CVE
Corrected a mistaken CVE-ID in exploit references.
2024-06-18 15:52:55 -04:00
Jack Heysel c1826cd2f3 Land #18829, Allow multiple HttpServers in module
Adding multiple HttpServer services in a module is sometimes complex
since they share the same methods. This usually causes issues where
on_request_uri needs to be overridden to handle requests coming from
each service. This updates the cmdstager and the Java HTTP ClassLoader
mixins, since these are commonly used in the same module. This also
updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module
to make use of these new changes
2024-06-18 09:51:38 -07:00
Spencer McIntyre 29307b1321 Appease msftidy 2024-06-18 09:23:41 -04:00
Jack Heysel dc70aa0896 Land #19247, PHP CGI Arg injection RCE
XAMPP installs running on Windows systems configured to use Japanese or
Chinese (simplified or traditional) locales are vulnerable to a PHP CGI
argument injection vulnerability. This exploit module returns a session
running in the context of the Administrator user
2024-06-17 11:27:38 -07:00
Jack Heysel e14dd93d6f Rebased encoder fix, removed PS payload dependency 2024-06-14 16:59:55 -07:00
Jack Heysel ade11a5a4b Added default options fixed Verification Steps 2024-06-14 16:41:12 -07:00
Jack Heysel 1dfd5da51e Apache OFBiz Dir Traversal RCE 2024-06-14 16:41:12 -07:00
Jack Heysel 178bb3e085 Land #19229, Junos OS PHPRC module enhancement
The junos_phprc_auto_prepend_file module used to depend on having a user
authenticated to the J-Web application to steal the necessary session
tokens in order to exploit. With this enhancement the module will now
create a session if one doesn't exist. Also it adds datastore options to
change the hash format to be compatible with older versions as well as an
option to attempt to set ssh root login to true before attempting to
establish a root ssh session
2024-06-14 11:35:15 -07:00
Christophe De La Fuente 8fc6e20cec Update other modules to use java_class_loader_start_service and cmdstager_start_service 2024-06-14 12:57:42 +02:00
softScheck d68a57f649 junos_ssh_jail: replaced asdf with alphanumeric random string 2024-06-14 10:45:19 +02:00
softScheck 0a34168906 junos_ssh_jail: revert to old get_csrf_token method with securephpsessid added 2024-06-14 10:38:24 +02:00
Christophe De La Fuente 70b21ff3f2 Update manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module 2024-06-13 16:53:07 +02:00
Stephen Fewer fb44c7e6ff fix typo in module description
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2024-06-13 15:10:14 +01:00
Jack Heysel b9b638dd83 Land #19196, Cacti import package RCE
This exploit module leverages an arbitrary file write vulnerability
(CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It
abuses the Import Packages feature to upload a specially crafted package
that embeds a PHP file.
2024-06-12 15:43:46 -07:00
bwatters c768b1e1d4 Land #19243, Add exploit for CVE-2024-1800 (Telerik Report Deserialization RCE)
Merge branch 'land-19243' into upstream-master
2024-06-12 15:59:07 -05:00
h00die-gr3y 4e26704d73 Update addressing cdelafuente-r7 comments 2024-06-12 18:57:29 +00:00
Christophe De La Fuente 45815a4cb5 Code review 2024-06-12 19:47:02 +02:00
Zach Goldman f67526e248 Land #19223, wp_ajax_load_more_file_upload.rb : Updated original author 2024-06-12 11:51:03 -04:00
Spencer McIntyre 18fe758416 Finish up and document the deserialization RCE 2024-06-12 08:58:37 -04:00
Spencer McIntyre cac5863e75 Update the exploit module to use the scanner 2024-06-12 08:58:37 -04:00
Spencer McIntyre 0e1e6c4fb2 Exploit improvements
* Delete the report the exploit creates
* Report credentials that are used to authenticate
* Use the specified username and password if provided
2024-06-12 08:58:37 -04:00
Spencer McIntyre c120a30ba4 Enumerate and select a random category 2024-06-12 08:58:37 -04:00
Spencer McIntyre b8d3cd6708 Initial module for CVE-2024-4358 2024-06-12 08:58:37 -04:00
softScheck 8a3262ae6c junos_ssh_jail: style and formatting rubocop 2024-06-12 12:14:36 +02:00
aaron f49b9ea6cf Corrected CVE in module file as well. 2024-06-11 17:35:39 -04:00
bwatters f2027784cf Land #19240, Rejetto HTTP File Server (HFS) 2.x - Unauthenticated RCE exploit module (CVE-2024-23692)
Merge branch 'land-19240' into upstream-master
2024-06-11 12:22:29 -05:00
Stephen Fewer ab0079c0ee Update modules/exploits/windows/http/rejetto_hfs_rce_cve_2024_23692.rb
improve documentation guidance to mention upgrading to a newer supported version (as 2.x is no longer supported)

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2024-06-11 16:26:04 +01:00
Jack Heysel 9bbb82ab55 Land #18998, VSCode exploit for ipynb integration
VSCode allows users to open a Jupyter notebook (.ipynb) file. Versions
v1.4.0 - v1.71.1 allow the Jupyter notebook to embed HTML and
JavaScript, which can then open new terminal windows within VSCode. Each
of these new windows can then execute arbitrary code at startup
2024-06-10 14:36:57 -07:00
sfewer-r7 bf9b3f1d2a add documentation 2024-06-10 17:41:55 +01:00
sfewer-r7 c6de00968f typo 2024-06-10 17:17:39 +01:00
sfewer-r7 3a19a54c59 remove dead link 2024-06-10 17:17:28 +01:00
h00die-gr3y 6a77c2e562 Final tweaks in check method 2024-06-08 11:33:55 +00:00
h00die-gr3y 0e3471d543 Final draft 2024-06-07 19:47:06 +00:00
sfewer-r7 998724f683 first commit for cve-2024-4577 2024-06-07 15:44:05 +01:00
sfewer-r7 e325d23526 first commit for cve-2024-4577 2024-06-07 15:43:40 +01:00
h00die-gr3y 55fa94995b Updated check method 2024-06-06 22:23:35 +00:00
softScheck c7509d0a6c junos_phprc: HttpClientTimeout as default 2024-06-06 19:27:59 +02:00
sfewer-r7 c8208704be add in exploit module for CVE-2024-23692 2024-06-06 18:04:14 +01:00
softScheck GmbH 0c69968e4f junos_phprc: removed commented out line
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
2024-06-06 16:03:35 +02:00
softScheck GmbH 769eb071cb junos_phprc: use faker IPv4
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
2024-06-06 16:03:00 +02:00
Christophe De La Fuente 120fa0f2fe Land #19208, Add exploit module for CVE-2024-5084: WordPress Hash Form Plugin RCE 2024-06-05 10:17:02 +02:00
Christophe De La Fuente 67ec4baa66 PR-19208: Add DefaultTarget to the info hash 2024-06-05 10:14:48 +02:00
softScheck 00ff617056 junos_phprc: session creation, old version switch, allow ssh root login, working timeouts 2024-06-03 18:33:06 +02:00
PizzaHat c0e443e829 Update wp_ajax_load_more_file_upload.rb
Updated original author
2024-06-01 16:00:45 +02:00
Chocapikk 6b127249fa Add suggestions 2024-05-31 20:56:03 +02:00
adfoster-r7 1281f4726f Land #19209, update fileformat modules to show the default template datastore values 2024-05-31 15:12:48 +01:00
Jack Heysel 80ee458410 Land #19151, Add Flowmon Priv Esc Feature Module
Privilege escalation module for Progress Flowmon unpatched feature
2024-05-29 11:35:53 -04:00