adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,905 Commits 27 Branches 1,043 Tags
d8d1ea7ffb8c1a210bffc1925bc700459823aeb4
Commit Graph

3169 Commits

Author SHA1 Message Date
Christophe De La Fuente 8c76143a9d Land #19127, Ldap signing 2024-05-07 17:28:36 +02:00
Spencer McIntyre 5523f13394 Fix a message that should refer to LDAP::Signing 2024-05-06 09:40:28 -04:00
Spencer McIntyre 69d603e6fc Switch to an enum option for the signing 2024-05-03 10:27:10 -04:00
adfoster-r7 4c84f8830f Land #18907, add mssql_version module 2024-05-03 14:33:35 +01:00
cgranleese-r7 bb473f4004 Reimplement password_spray into login modules 2024-05-03 13:00:24 +01:00
Simon Janusz 76d7fe8dbd Land #19095, Refactor smb_enumusers 2024-04-25 15:45:23 +01:00
Jack Heysel aea95c052e Land #18723, Improve Gitlab fingerprinting 
A webpage exists that can be reached without authentication that
contains a hash that can be used to determine the approximate version of
gitlab running on the endpoint. This PR adds enhances our current GitLab
fingerprinting capabilities to include the aforementioned technique.
 2024-04-24 12:13:15 -07:00
Zach Goldman d0a714d1e8 refactor packet parsing code 2024-04-24 15:06:36 -04:00
Zach Goldman 3897b49ca6 add mssql_version module 2024-04-24 15:06:36 -04:00
Jack Heysel bc4a532cd7 Changed format of GITLAB_CSS_MAP 2024-04-24 11:38:22 -07:00
Jack Heysel f018295509 Ensure range of Rex::Version objects are always returned 2024-04-24 10:00:16 -07:00
adfoster-r7 e5cf357f9e Land #19078, ldap acceptance tests 2024-04-24 17:59:24 +01:00
Ashley Donaldson 6d915dbb55 Fix unit tests 2024-04-24 15:54:57 +10:00
Ashley Donaldson 68966b86f1 Give warning on invalid config (SSL and REQUIRE_SIGNING both set to true) 2024-04-24 15:05:03 +10:00
Ashley Donaldson a4b3c27e28 Provide more meaningful error message when signing is required 2024-04-24 13:37:27 +10:00
Ashley Donaldson b5f4dfae71 Make encrypting/signing an option 2024-04-24 13:24:05 +10:00
Ashley Donaldson 9aead31bb9 Support encrypted LDAP (ldap signing) over Kerberos and NTLM 2024-04-24 12:56:06 +10:00
jvoisin 5ff05b7cec Add more fingerprints 2024-04-24 00:12:01 +02:00
Zach Goldman 26a108aadc Land #19046, Apache Solr Backup Restore RCE [CVE-2023-50386] 2024-04-23 14:08:33 -04:00
Julien Voisin 0b1a4e2a99 Apply suggestions from code review 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-04-23 01:05:57 +02:00
jvoisin e5bb593607 Improve how we fingerprint Gitlab versions 
Since I was the one suggesting it in #18716, I kinda volunteered to implement
it. This improvement is based on [Censys's blogpost](https://censys.com/cve-2021-22205-it-was-a-gitlab-smash/)
on the topic, making use of the `/assets/application-….css` files that have
a unique name per gitlab versions.

The fingerprints were acquired with this bash script:

```bash
assetdir="/opt/gitlab/embedded/service/gitlab-rails/public/assets"
tags=$(curl "https://hub.docker.com/v2/repositories/gitlab/gitlab-ce/tags?page_size=100" | jq -r '.results[].name')

for tag in $tags; do
    filename=$(docker run --quiet --rm -it --entrypoint "" gitlab/gitlab-ce:$tag ls $assetdir|egrep '^application-.*\.css' | grep -v \.gz | cut -d' ' -f1)
    echo $tag,$filename
done
```

Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
 2024-04-23 01:05:57 +02:00
Spencer McIntyre 837e503170 Refactor the MsSamr mixin to split it out 2024-04-22 13:45:20 -04:00
Spencer McIntyre a008288e05 Readd support for multiple ports 2024-04-22 13:45:20 -04:00
Spencer McIntyre f5046d0c2a Fix the return value of a few methods 2024-04-19 09:06:48 -04:00
Spencer McIntyre 727849202d Land #19087, chore: remove repetitive words 2024-04-17 09:59:46 -04:00
Jack Heysel 84ea514180 Land #19026, Add pgadmin exploit CVE-2024-2044 
This adds an exploit for pgAdmin <= 8.3 which is a path traversal
vulnerability in the session management that allows a Python pickle
object to be loaded and deserialized. This also adds a new Python
deserialization gadget chain to execute the code in a new thread so the
target application doesn't block the HTTP request.
 2024-04-16 14:12:41 -07:00
fanqiaojun 6b2bdc893b chore: remove repetitive words 
Signed-off-by: fanqiaojun <fanqiaojun@yeah.net>
 2024-04-15 11:06:50 +08:00
Dean Welch 463200cfb3 Add ldap acceptance tests 2024-04-11 14:40:19 +01:00
Jack Heysel 7f62dd2143 Responded to comments 2024-04-04 13:39:22 -07:00
Jack Heysel 03fced404a Apache Solr Backup Restore RCE 
Writing file to disk working

working on linux

wip authentcaiton

Consolodated conf folders into one

Renamed conf1 to conf in msf data dir

Randomize the configuration name

Docs plus finishing touches

rubocop

Updated exploit file location

Removed unused external dir

Reduced conf folder
 2024-04-02 11:33:52 -07:00
Spencer McIntyre 2292da9164 Add the UNC loading technique too 2024-03-29 09:33:47 -04:00
Jack Heysel 31cf0e2633 Land #18764, Add unauth Jenkins file read module 
This PR adds a new module to exploit CVE-2024-23897, an unauth arbitrary
(first 2 lines) file read on Jenkins.
 2024-03-28 13:29:39 -07:00
jheysel-r7 14938a2d77 Apply suggestions from code review 2024-03-28 14:41:25 -04:00
Dean Welch f132bdbe30 Enforce single module stance 2024-03-25 11:53:23 +00:00
adfoster-r7 55dd5aa9c0 Land #18899, update ysoserial viewstate tool 2024-03-14 00:12:38 +00:00
Spencer McIntyre 9b8b7045ff Land #18715, Add Splunk library 2024-03-05 16:17:30 -05:00
Gaurav Jain 985b0ba47f Add reviewed changes to splunk library 2024-03-06 01:32:57 +05:30
Spencer McIntyre b30f264630 Land #18844, fix #file_dropper_exist? for Window 
Bugfix Msf::Exploit::FileDropper#file_dropper_exist? for Windows sessions
 2024-03-05 15:01:20 -05:00
sjanusz-r7 3c8f43e23e Align SQL sessions peerhost and peerport 2024-03-04 13:11:32 +00:00
adfoster-r7 d8abd2bcc2 Land #18898, Add rex proto mysql client wrapper 2024-02-29 10:13:47 +00:00
dwelch-r7 a4543b0f41 Land #18897, Update smb login to support additional configuration 2024-02-29 10:07:02 +00:00
adfoster-r7 131585235b Update SMB Login to support additional configuration 2024-02-28 20:24:06 +00:00
sjanusz-r7 b423241e6b Use Rex Post MySQL Client for lib, specs & modules 2024-02-28 18:19:50 +00:00
sjanusz-r7 55a8d6732f Add Rex Proto MySQL Client 2024-02-28 18:19:46 +00:00
Spencer McIntyre 8bc6705557 Move viewstate signing logic into Rex 2024-02-27 14:37:55 -05:00
Spencer McIntyre 4a51e028d8 Print multiple attributes on individual rows 2024-02-26 17:28:41 -05:00
Spencer McIntyre 4b7f4e2b0d Just show the DN, commas and all 
This way the DN can just be copy-pasted into locations where a DN is
expected.
 2024-02-22 17:36:30 -05:00
sjanusz-r7 1b7c2bbaec SQL sessions consolidation 2024-02-21 16:16:14 +00:00
sfewer-r7 60bc412026 file_dropper_exist? needs to test if teh path if either a file or a directory, the logic for shell sessions on wqindows is testing if a path if a file and not a directory. this is wrong. Origionally FileDropper only supported cleaningup files, so this logic made sense (it was copied over from teh File post moduile) but FileDropper has since supported directories so teh logic here neds to reflect that. 2024-02-19 09:12:17 +00:00
sjanusz-r7 fc963bd8bb Add Proxies support to creating a session with postgres_login 2024-02-16 14:45:17 +00:00