adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
75,910 Commits 27 Branches 1,043 Tags
fe7334fae2dd797fd44aea04bd57c8f016aef439
Commit Graph

2635 Commits

Author SHA1 Message Date
jheysel-r7 e70b6c777f Merge pull request #19663 from sfewer-r7/CVE-2024-0012 
Exploit module for PAN-OS management interface unauth RCE (CVE-2024-0012 + CVE-2024-9474)
 2024-12-30 10:29:10 -08:00
sfewer-r7 edf8d186f7 use the HttpClient cookie jar. Thank you @jheysel-r7 for this improvement. 2024-12-17 17:47:00 +00:00
Stephen Fewer c25b3ceb03 typo 4 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-12-17 17:26:46 +00:00
Stephen Fewer 51908d6621 typo 3 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
 2024-12-17 17:26:31 +00:00
jheysel-r7 c7f7cfd848 Land #19656 Close ssh session on error 2024-12-11 17:00:17 -08:00
adfoster-r7 136599a29a Merge pull request #19714 from bwatters-r7/update/projectsend-cveinfo 
Add CVE info to projectsend module
 2024-12-11 13:54:06 +00:00
bwatters-r7 5311b7014e Add CVE info to projectsend module 2024-12-11 07:37:43 -06:00
adfoster-r7 2421ca768f Merge pull request #19705 from ostrichgolf/projectsend_rce 
Add CVE to ProjectSend module
 2024-12-07 14:24:20 +00:00
ostrichgolf 2952dbb0b8 Add CVE to module 2024-12-07 14:23:30 +01:00
Diego Ledda be30a06af4 Land #19430, Moodle RCE (CVE-2024-43425) Module 
Land #19430, Moodle RCE (CVE-2024-43425) Module
 2024-12-06 12:15:35 +01:00
jheysel-r7 21cf475cbb Land #19595 Ivanti Connect Secure auth RCE via OpenSSL (CVE-2024-37404) 2024-12-04 08:26:07 -08:00
Diego Ledda ab2ca41eb8 Land #19629, Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) 
Land #19629, Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220)
 2024-12-04 16:49:56 +01:00
jheysel-r7 fa3716408f Add comment explaining payload architecture restraints 2024-12-03 18:33:43 -08:00
Christophe De La Fuente a46b2f437f Use TARGET_URI when checking the redirection URI 2024-12-02 16:45:12 +01:00
Christophe De La Fuente 3dcb9d58ab Code review 2024-12-02 14:02:07 +01:00
Christophe De La Fuente c943cc6378 Add module and documentation 2024-12-02 14:02:07 +01:00
sjanusz-r7 566e12b69e Add error_callback to SSH Command Stream 2024-11-25 16:43:59 +00:00
sfewer-r7 de599a4407 rework how we calculate the chunk size, we now consume the maximum available space a chunk can take, relative to the size of teh command needed to write the chunk to disk. We also rework the logic to ensure the files are sequential. Finally as the size of a chunk may be less the more chunks we write, we impose a max Payload Space valuecalculated to be 5670 chars. 2024-11-22 10:28:27 +00:00
sfewer-r7 eda46f1a10 the check routing shoudl return Safe the first time we try to leverage teh vulnerability, if that doesnt work. But still return Unknown if the vulnerability fails the second time we leverage it. 2024-11-22 10:26:06 +00:00
jheysel-r7 d95d549992 Land #19531 ProjectSend r1335 - r1605 RCE module 2024-11-21 09:53:36 -08:00
sfewer-r7 41bcf4629f The payload we essentially being encoded twice (thanks for calling this out Brendan), we now supply a suitable BadChars and let the framewrk encode the framework paylaod. We rename the variable payload to bootstrap_payload as this was colliding with the frameworks payload variable which was not the intent. 2024-11-21 17:37:34 +00:00
ostrichgolf 68eb6599fd Create projectsend_unauth_rce 2024-11-21 09:34:58 -08:00
sfewer-r7 d2f6e0e10f As the payload option FETCH_WRITABLE_DIR may not be available if a non fetch based payload is used, we add a new option WRITABLE_DIR to account for this. Update the documentation to reflect the change. 2024-11-21 16:38:09 +00:00
sfewer-r7 f9b099a46d remove the DefaultOption PAYLOAD value, and let the framework pick one for us. Mention I tested the exploit with cmd/linux/http/x64/meterpreter_reverse_tcp 2024-11-21 16:22:02 +00:00
sfewer-r7 d40bbd047e remove the DefaultOption FETCH_COMMAND value of WGET, as the default the framework will pick, CURL, will work great. 2024-11-21 16:21:00 +00:00
Stephen Fewer b8f36628da remove an unnecessary space in the command to write a chunk to disk. 
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
 2024-11-21 16:08:33 +00:00
Stephen Fewer 077f8700b9 remove an unnecessary space in this command. 
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
 2024-11-21 16:08:09 +00:00
jheysel-r7 afbbba09e8 Land #19584 Judge0 sandbox escape CVE-2024-28185, CVE-2024-28189 2024-11-20 14:35:38 -08:00
Takah1ro da6f8cd552 Add Judge0 module and document 2024-11-20 14:15:38 -08:00
sfewer-r7 2469d4ea23 add in exploit module for the recent PAN-OS RCE, CVE-2024-0012 + CVE-2024-9474 2024-11-19 16:15:06 +00:00
Spencer McIntyre 5d9add4450 Merge pull request #19640 from jheysel-r7/pyload_js2py_cve_2024_39205 
Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)
 2024-11-15 09:24:37 -05:00
Jack Heysel 92e42a63ea Rubocop 2024-11-14 12:47:35 -08:00
Jack Heysel 4e1f33336c Ofuscation and Gemfile update 2024-11-14 12:44:19 -08:00
Jack Heysel 526451fed5 Responded to comments 2024-11-14 10:46:11 -08:00
Jack Heysel 2ba8a6c08d Responded to comments 2024-11-13 17:23:08 -08:00
Jack Heysel 497ce5e9da Linting and Rex::RandomIdentifier update 2024-11-13 08:28:52 -08:00
h4x-x0r afdddf2e43 updated 2024-11-13 03:40:22 +00:00
Jack Heysel d2ef3cb6a9 Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397) 2024-11-12 16:05:07 -08:00
Brendan 19e182ce65 Land #19557, Add Palo Alto Expedition RCE (CVE-2024-5910 & CVE-2024-9464) Module 
Palo Alto Expedition RCE (CVE-2024-5910 & CVE-2024-9464) Module
 2024-11-12 16:42:06 -06:00
h4x-x0r 6f6f92823a fixed typo 
fixed typo
 2024-11-12 15:15:15 +00:00
h4x-x0r fb102ec409 Update modules/exploits/linux/http/paloalto_expedition_rce.rb 
Co-authored-by: Brendan <bwatters@rapid7.com>
 2024-11-12 09:03:22 -06:00
bwatters-r7 03928a56bd Add staging file delete and code cleanup 2024-11-11 14:42:19 -06:00
Jack Heysel 3068511b66 CVE-2023:4220: Chamilo v1.11.24 Unrestricted File Upload 2024-11-11 11:33:34 -08:00
bwatters-r7 0308f46f74 Stage cmd payloads to a file before executing 2024-11-08 19:27:58 -06:00
h4x-x0r 661075a45c handling additional case 
handling additional case when autocheck is disabled and no credentials are provided
 2024-10-22 03:42:39 +01:00
h4x-x0r 4d7d7f2c06 updated 
using instance variables instead of updating the datastores
 2024-10-21 22:07:43 +01:00
h4x-x0r 7028b807ed linting 
linting
 2024-10-21 21:45:04 +01:00
h4x-x0r b6d3a0ef36 safety flag 
added a safety flag for the password reset in case no credentials are provided
 2024-10-21 21:43:48 +01:00
h4x-x0r 202e5e55ac Added exception handling 
Added exception handling
 2024-10-20 19:50:43 +01:00
Diego Ledda 59d026acd3 Land #19544, Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow iconv() of GLIBC (CVE-2024-2961) 2024-10-18 14:39:54 +02:00