William Vu
12d4ad68e3
Fix things in ThinkPHP and ManageEngine exploits
...
Current pattern is print_good instead of vprint_good for this particular
message directly or indirectly called by execute_command.
CmdStagerFlavor is checked at the top level, but it is also checked per
target. Moving this to where it's more appropriate.
2020-05-20 22:47:03 -05:00
William Vu
655088bb0d
Fix punctuation typo in exchange_ecp_viewstate
2020-05-20 09:47:11 -05:00
Alan Foster
9c249e8c91
Landing #13456, distinct_tftp_traversal: increase delay between upload requests
2020-05-15 11:14:58 +01:00
William Vu
aa6624e7f8
Land #13436, service encoder fix for psexec
2020-05-14 16:43:07 -05:00
William Vu
ef069ce5ef
Prefer exploit.rb's rand_text_alpha
2020-05-14 16:41:54 -05:00
Brendan Coles
a5250072bf
distinct_tftp_traversal: increase delay between upload requests
2020-05-14 05:22:36 +00:00
Shelby Pace
fc762f8a82
Land #13402, add service_exists? method
2020-05-12 13:37:54 -05:00
bwatters-r7
9b40554ec6
Land #13370, Add Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
...
Merge branch 'land-13370' into upstream-master
2020-05-12 13:20:27 -05:00
Clément Notin
b7d16b1e72
Fix regression in psexec mixing filename and encoder
...
Closes #13407
2020-05-12 00:02:52 +02:00
bwatters-r7
1a9c04c2c4
Use new method
2020-05-08 14:49:01 -05:00
Spencer McIntyre
b4e2599921
Remove trailing whitespace to fix build failures
2020-05-07 09:59:34 -04:00
Spencer McIntyre
9769e04b6e
Land #13322, CVE-2020-0668 Service tracing file junction overwrite
2020-05-07 09:47:20 -04:00
Spencer McIntyre
26d4cb7a47
Tweak the service tracking checks and update docs markdown
2020-05-07 09:46:19 -04:00
gwillcox-r7
a1275845ec
Land #13200, CVE-2019-0808 LPE for Windows 7 x86 SP0 and SP1
2020-05-06 17:23:52 -05:00
bwatters-r7
a5fe498610
Update ARCH handling, suggested changes, and last-minute fixes
2020-05-06 15:36:53 -05:00
Brendan Coles
bf16307d7f
Add Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
2020-05-06 14:09:46 +00:00
gwillcox-r7
5609a99758
Neaten up alignment and spacing on ntusermndragover.rb
2020-05-05 21:28:51 -05:00
Spencer McIntyre
30b17c6323
Remove some whitespace for msftidy compliance
2020-05-04 10:14:00 -04:00
Spencer McIntyre
7fb17ecf17
Update some module metadata for the Kentico RCE exploit
2020-05-04 10:12:21 -04:00
Spencer McIntyre
c128a3ba92
Add CmdStager and Powershell targets to the Kentico RCE exploit
2020-05-04 10:07:10 -04:00
Patrick Webster
60b83d536e
Update modules/exploits/windows/http/kentico_staging_syncserver.rb
...
Co-Authored-By: bcoles <bcoles@gmail.com>
2020-05-04 09:26:14 -04:00
Patrick Webster
c5adcbfd43
Update modules/exploits/windows/http/kentico_staging_syncserver.rb
...
Co-Authored-By: bcoles <bcoles@gmail.com>
2020-05-04 09:26:13 -04:00
Patrick Webster
0679f1b317
Update modules/exploits/windows/http/kentico_staging_syncserver.rb
...
Co-Authored-By: bcoles <bcoles@gmail.com>
2020-05-04 09:26:13 -04:00
Patrick Webster
376c61bc46
Added exploit module kentico_staging_syncserver.
2020-05-04 09:26:13 -04:00
Tim W
f2752eab00
add win32k revision check to check method
2020-05-04 15:04:43 +08:00
William Vu
0bcc473ded
Rename option to HOSTINFO_NAME and update doc
2020-05-01 12:59:01 -05:00
William Vu
c27269105e
Rename CmdStager to psh_invokewebrequest
2020-05-01 12:31:53 -05:00
William Vu
1364b08c4f
Make host info name configurable as an option
...
Though it has to be recognized by the server.
2020-05-01 12:19:12 -05:00
William Vu
96f802585a
Update dropper payload to stageless
...
We're using Invoke-WebRequest now. Or anything similar.
2020-05-01 12:19:12 -05:00
William Vu
9adaa08ddd
Use new PowerShell Invoke-WebRequest CmdStager
2020-05-01 12:19:12 -05:00
William Vu
9bfecbc2aa
Print the responses if found but don't bail
...
The responses aren't always in sync, causing unexpected failures.
2020-05-01 12:19:12 -05:00
William Vu
bb034acd7c
Note reason for SERVICE_RESOURCE_LOSS
2020-05-01 12:19:12 -05:00
William Vu
309475259a
Remove doubled-up command prefix from dropper
...
The library prefixes "cmd /c" automatically.
2020-05-01 12:19:12 -05:00
William Vu
84061881b8
Clarify module description
2020-05-01 12:19:12 -05:00
William Vu
9d601b50c2
Note how we trigger the deserialization vuln
2020-05-01 12:19:12 -05:00
William Vu
efab4f04f7
Add Veeam ONE Agent .NET deserialization exploit
2020-05-01 12:19:12 -05:00
Tim W
bcf9449b29
add basic check method
2020-05-01 19:02:21 +08:00
bwatters-r7
717223e1a9
One more fix...
2020-04-30 08:09:15 -05:00
bwatters-r7
35913c829e
add mkdir and other suggested fixes
2020-04-30 07:47:57 -05:00
Tim W
8e9a162b1b
fix
2020-04-30 18:05:00 +08:00
Tim W
ea22e34b9c
fix description
2020-04-30 17:51:28 +08:00
Tim W
3ca0472b18
fix payload size
2020-04-30 17:47:41 +08:00
Tim W
109f0a01f7
add windows 7 sp1 scenario
2020-04-30 17:19:54 +08:00
Tim W
ff0704b316
code review from grant <3
2020-04-30 17:19:54 +08:00
Tim W
5ed871a110
CVE-2019-0808
2020-04-30 17:19:46 +08:00
bwatters-r7
95a942d855
Add description
2020-04-29 14:44:59 -05:00
bwatters-r7
91c317f7b5
Rubocop autocorrect
2020-04-29 11:01:29 -05:00
bwatters-r7
191044cdad
Final fixes and documentation
2020-04-29 10:18:22 -05:00
William Vu
e5857d5544
Comments for the comment god
2020-04-27 20:58:39 -05:00
William Vu
3e9f7d5f0a
Comment the absolute path prepended to traversal
2020-04-27 20:57:02 -05:00