5e1dc05f09
Fix apache_normalize_path_rce check method
2024-05-01 20:01:38 +01:00
6055d8a005
Apply suggestions from code review
...
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com >
2024-04-29 17:37:49 -04:00
3b57fbf052
ActiveMQ fixes
2024-04-26 14:25:16 -07:00
429eaff5ca
RocketMQ fixes
2024-04-26 14:24:08 -07:00
b8675f0fd7
Land #19005 , Add Gambio Webshop Unauth RCE
...
A Remote Code Execution vulnerability in Gambio online webshop version
4.9.2.0 and lower allows remote attackers to run arbitrary commands via
unauthenticated HTTP POST request
2024-04-19 12:18:17 -07:00
3205fe9e63
Apply suggestions from code review
2024-04-19 13:44:18 -04:00
27f5ad8e05
Land #18996 , VSCode Malicious Ext module
...
This PR adds a new exploit that creates a malicious vsix file. a vsix
file is a VS and VSCode extension file. Once installed, the users
computer will call back with a shell. Its not a bug, its a feature!
2024-04-18 18:10:46 -07:00
bcaa5359da
Land #18997 , Add GitLens VSCode Extension Exploit
...
GitKraken GitLens before v.14.0.0 allows an untrusted workspace to
execute git commands. A repo may include its own .git folder including a
malicious config file to execute arbitrary code.
2024-04-18 17:19:41 -07:00
a551ef136c
remove default shells on gitlens module
2024-04-18 17:31:02 -04:00
331c961412
update module and documentation with tax country logic
2024-04-18 19:13:19 +00:00
ecac5c8fa8
vsix review
2024-04-17 16:13:44 -04:00
bae1a2e20f
gitlens review
2024-04-17 16:06:32 -04:00
84ea514180
Land #19026 , Add pgadmin exploit CVE-2024-2044
...
This adds an exploit for pgAdmin <= 8.3 which is a path traversal
vulnerability in the session management that allows a Python pickle
object to be loaded and deserialized. This also adds a new Python
deserialization gadget chain to execute the code in a new thread so the
target application doesn't block the HTTP request.
2024-04-16 14:12:41 -07:00
9cf4372f2b
Clean up some of the module's documentation
2024-04-16 13:36:21 -04:00
1174344b76
Land #18918 , Add CrushFTP Module CVE-2023-43177
...
This exploit module leverages an Improperly Controlled Modification of
Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177)
to achieve unauthenticated remote code execution. This affects CrushFTP
versions prior to 10.5.1.
2024-04-12 12:26:16 -07:00
ee891eca3a
spacing
2024-04-07 09:15:50 -04:00
ed1ae32532
sync engine requirements on vsix
2024-04-07 09:13:59 -04:00
34f0afa298
Land #19044 , Gibbon Online School Platform Authenticated RCE [CVE-2024-24725]
2024-04-05 16:20:11 +02:00
8afbbc1553
third release module based on smcintyre-r7 comments
2024-04-04 17:14:32 +00:00
8aa6d19e7d
second release module
2024-04-01 20:21:37 +00:00
d8942b27a2
first release module
2024-04-01 14:49:10 +00:00
609d356083
Extra ',' is causing ruby issues
2024-03-30 17:02:13 +03:00
43d1bd9a2e
Add docs and fix CSRF token for v7.0
2024-03-29 14:05:39 -04:00
c7976d204c
Add module metadata and clean things up
2024-03-29 10:40:43 -04:00
2292da9164
Add the UNC loading technique too
2024-03-29 09:33:47 -04:00
9dcd0e461f
Delete the file using the file manager too
2024-03-29 09:33:47 -04:00
8fa7aa6407
Initial exploit for CVE-2024-2044
2024-03-29 09:33:44 -04:00
e6e13e7b45
Fixes from code review
2024-03-29 12:18:16 +01:00
9f50f12e6e
update addressing cdelafuente-r7 comments
2024-03-28 18:16:11 +00:00
abb2eb7ffd
Land #18891 , Add RCE module for wp bricks builder
...
This PR adds the wp_bricks_builder_rce exploit module that targets a
known vulnerability in the WordPress Bricks Builder Theme, versions
prior to 1.9.6.
2024-03-26 14:46:35 -07:00
b9b4a624d9
Fix typos
2024-03-26 21:05:35 +01:00
abc39e86f9
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2024-03-26 20:40:04 +01:00
672036f53a
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2024-03-26 20:39:33 +01:00
8a1290c8a6
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2024-03-26 20:39:23 +01:00
85e27b0bc3
Update modules/exploits/multi/http/wp_bricks_builder_rce.rb
...
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com >
2024-03-26 20:39:04 +01:00
57a45a0b55
CrushFTP exploit module CVE-2023-43177 and documentation
2024-03-25 12:41:24 +01:00
0262efee8b
first release module
2024-03-24 09:32:56 +00:00
eb26b0adcc
gitlens exploit module
2024-03-22 16:22:39 -04:00
83944f7070
vsix deployment module
2024-03-22 16:14:51 -04:00
44c5422e07
Land #18922 , JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198)
2024-03-13 20:16:27 +01:00
6d84f0e898
reduce the size of teh exploit method by spinngin out two new methods create_payload_plugin and auth_new_admin_user. several if/unless blocks were flattened to be inline if/unless
2024-03-13 09:58:51 +00:00
4bd105202a
improve the readability of the XML
2024-03-13 09:29:43 +00:00
b04e84ed99
clarify we must call this a second time
2024-03-13 09:17:18 +00:00
df2c94f873
anther typo
2024-03-13 09:14:23 +00:00
b9e82375c1
typo
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:13:11 +00:00
d7bf7bc2ea
Use Failure::NoAccess as a better failure error, as we are trying to login
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:12:56 +00:00
46dd21d69d
use ||= to assign new hash if needed
...
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com >
2024-03-13 09:11:42 +00:00
1e371d0e4a
resolve teh Java payload issue on Linux by leveraging PayloadServlet, runnign teh payload in a thread, and forcing teh default optiosn for Spawn to be 0
2024-03-11 18:06:44 +00:00
0513654f10
Fix edge case for java payloads when Spawn is set to 0, all access to the plugin will block. We can still get a session if we fall through here. We cant delete the plugin as access will block because we did not spawn.
2024-03-08 17:09:14 +00:00
ab0327fb33
clarify we are using SpEL not OGNL here
2024-03-08 15:57:46 +00:00
adfoster-r7