
automatic module_metadata_base.json update

Metasploit 2 months ago
parent
commit
f2579fa7a0
1 changed files with 147 additions and 4 deletions
  1. 147
    4
      db/modules_metadata_base.json

+ 147
- 4
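--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -15504,6 +15504,55 @@
     "notes": {
     }
   },
+  "auxiliary_gather/rails_doubletap_file_read": {
+    "name": "Ruby On Rails File Content Disclosure ('doubletap')",
+    "full_name": "auxiliary/gather/rails_doubletap_file_read",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Carter Brainerd <0xCB@protonmail.com>",
+      "John Hawthorn <john@hawthorn.email>"
+    ],
+    "description": "This module uses a path traversal vulnerability in Ruby on Rails\n          versions =< 5.2.2 to read files on a target server.",
+    "references": [
+      "URL-https://hackerone.com/reports/473888",
+      "URL-https://github.com/mpgn/Rails-doubletap-RCE",
+      "URL-https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q",
+      "URL-https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/",
+      "CVE-2019-5418",
+      "EDB-46585"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-04-18 16:10:24 +0000",
+    "path": "/modules/auxiliary/gather/rails_doubletap_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/rails_doubletap_file_read",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": "DoubleTap"
+    }
+  },
   "auxiliary_gather/safari_file_url_navigation": {
     "name": "Mac OS X Safari file:// Redirection Sandbox Escape",
     "full_name": "auxiliary/gather/safari_file_url_navigation",
@@ -51821,7 +51870,7 @@
       "Tavis Ormandy",
       "bcoles <bcoles@gmail.com>"
     ],
-    "description": "This module attempts to gain root privileges on Fedora systems with\n        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n        as the crash handler.\n\n        A race condition allows local users to change ownership of arbitrary\n        files (CVE-2015-3315). This module uses a symlink attack on\n        '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,\n        then adds a new user with UID=0 GID=0 to gain root privileges.\n        Winning the race could take a few minutes.\n\n        This module has been tested successfully on ABRT packaged version\n        2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop\n        19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64.\n\n        Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.",
+    "description": "This module attempts to gain root privileges on Linux systems with\n        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n        as the crash handler.\n\n        A race condition allows local users to change ownership of arbitrary\n        files (CVE-2015-3315). This module uses a symlink attack on\n        `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,\n        then adds a new user with UID=0 GID=0 to gain root privileges.\n        Winning the race could take a few minutes.\n\n        This module has been tested successfully on:\n\n        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;\n        abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;\n        abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;\n        abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;\n        abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.",
     "references": [
       "CVE-2015-3315",
       "EDB-36747",
@@ -51849,7 +51898,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-18 09:01:51 +0000",
     "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@@ -52398,7 +52447,7 @@
       "Tavis Ormandy",
       "bcoles <bcoles@gmail.com>"
     ],
-    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n        glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not\n        properly restrict use of the LD_AUDIT environment variable when loading\n        setuid executables which allows control over the $ORIGIN library search\n        path resulting in execution of arbitrary shared objects.\n\n        This module opens a file descriptor to the specified suid executable via\n        a hard link, then replaces the hard link with a shared object before\n        instructing the linker to execute the file descriptor, resulting in\n        arbitrary code execution.\n\n        The specified setuid binary must be readable and located on the same\n        file system partition as the specified writable directory.\n\n        This module has been tested successfully on glibc version 2.5 on CentOS\n        5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).\n\n        RHEL 5 is reportedly affected, but untested. Some versions of ld.so,\n        such as the version shipped with Ubuntu 14, hit a failed assertion\n        in dl_open_worker causing exploitation to fail.",
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n        glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not\n        properly restrict use of the `LD_AUDIT` environment variable when loading\n        setuid executables which allows control over the `$ORIGIN` library search\n        path resulting in execution of arbitrary shared objects.\n\n        This module opens a file descriptor to the specified suid executable via\n        a hard link, then replaces the hard link with a shared object before\n        instructing the linker to execute the file descriptor, resulting in\n        arbitrary code execution.\n\n        The specified setuid binary must be readable and located on the same\n        file system partition as the specified writable directory.\n\n        This module has been tested successfully on:\n\n        glibc 2.5 on CentOS 5.4 (x86_64);\n        glibc 2.5 on CentOS 5.5 (x86_64);\n        glibc 2.12 on Fedora 13 (i386); and\n        glibc 2.5-49 on RHEL 5.5 (x86_64).\n\n        Some versions of `ld.so`, such as the version shipped with Ubuntu 14,\n        hit a failed assertion in `dl_open_worker` causing exploitation to fail.",
     "references": [
       "CVE-2010-3847",
       "BID-44154",
@@ -52422,7 +52471,7 @@
       "Linux x86",
       "Linux x64"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-18 15:35:37 +0000",
     "path": "/modules/exploits/linux/local/glibc_origin_expansion_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/glibc_origin_expansion_priv_esc",
@@ -53170,6 +53219,50 @@
     "notes": {
     }
   },
+  "exploit_linux/local/systemtap_modprobe_options_priv_esc": {
+    "name": "SystemTap MODPROBE_OPTIONS Privilege Escalation",
+    "full_name": "exploit/linux/local/systemtap_modprobe_options_priv_esc",
+    "rank": 600,
+    "disclosure_date": "2010-11-17",
+    "type": "exploit",
+    "author": [
+      "Tavis Ormandy",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module attempts to gain root privileges by exploiting a\n        vulnerability in the `staprun` executable included with SystemTap\n        version 1.3.\n\n        The `staprun` executable does not clear environment variables prior to\n        executing `modprobe`, allowing an arbitrary configuration file to be\n        specified in the `MODPROBE_OPTIONS` environment variable, resulting\n        in arbitrary command execution with root privileges.\n\n        This module has been tested successfully on:\n\n        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and\n        systemtap 1.1-3.el5 on RHEL 5.5 (x64).",
+    "references": [
+      "BID-44914",
+      "CVE-2010-4170",
+      "EDB-15620",
+      "URL-https://securitytracker.com/id?1024754",
+      "URL-https://access.redhat.com/security/cve/cve-2010-4170",
+      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=653604",
+      "URL-https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html",
+      "URL-https://bugs.launchpad.net/bugs/677226",
+      "URL-https://www.debian.org/security/2011/dsa-2348"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-04-19 12:54:30 +0000",
+    "path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
   "exploit_linux/local/udev_netlink": {
     "name": "Linux udev Netlink Local Privilege Escalation",
     "full_name": "exploit/linux/local/udev_netlink",
@@ -59308,6 +59401,56 @@
     "notes": {
     }
   },
+  "exploit_multi/http/confluence_widget_connector": {
+    "name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
+    "full_name": "exploit/multi/http/confluence_widget_connector",
+    "rank": 600,
+    "disclosure_date": "2019-03-25",
+    "type": "exploit",
+    "author": [
+      "Daniil Dmitriev",
+      "Dmitry (rrock) Shchannikov"
+    ],
+    "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n        allows embed online videos, slideshows, photostreams and more directly into page.\n        A _template parameter can be used to inject remote Java code into a Velocity template,\n        and gain code execution. Authentication is unrequired to exploit this vulnerability.\n        By default, Java payload will be used because it is cross-platform, but you can also\n        specify which native payload you want (Linux or Windows).\n\n        Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n        6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n        This vulnerability was originally discovered by Daniil Dmitriev\n        https://twitter.com/ddv_ua.",
+    "references": [
+      "CVE-2019-3396",
+      "URL-https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html",
+      "URL-https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/",
+      "URL-https://paper.seebug.org/886/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java",
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2019-04-19 12:35:36 +0000",
+    "path": "/modules/exploits/multi/http/confluence_widget_connector.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/confluence_widget_connector",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
   "exploit_multi/http/cups_bash_env_exec": {
     "name": "CUPS Filter Bash Environment Variable Code Injection (Shellshock)",
     "full_name": "exploit/multi/http/cups_bash_env_exec",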
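Review bot: The new `auxiliary_gather/rails_doubletap_file_read` entry in the first hunk is added with `"disclosure_date": null` even though its references list `CVE-2019-5418`, an EDB id and a public advisory thread, and the other three entries this commit adds all carry a date; a null date breaks the sort-by-disclosure and age-based triage this metadata feeds. Since the file is regenerated from the module sources, the date belongs in the module's `DisclosureDate` rather than in a hand edit here. The same entry's description reads `versions =< 5.2.2`, which is presumably a typo for `<=` and should be corrected at the source as well. The later hunks that only update `mod_time` and reflow descriptions raise nothing.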
