Land #4640, @todb-r7's module cleanup
commit
1e728ca00f
|
@ -55,16 +55,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => "Huawei Datacard Information Disclosure Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits an un-authenticated information disclosure vulnerability in Huawei
|
||||
This module exploits an unauthenticated information disclosure vulnerability in Huawei
|
||||
SOHO routers. The module will gather information by accessing the /api pages where
|
||||
authentication is not required, allowing configuration changes as well as information
|
||||
disclosure including any stored SMS.
|
||||
disclosure, including any stored SMS.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Jimson K James.',
|
||||
'<tomsmaily[at]aczire.com>', # Msf module
|
||||
'Jimson K James',
|
||||
'Tom James <tomsmaily[at]aczire.com>', # Msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -14,10 +14,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Konica Minolta Password Extractor',
|
||||
'Description' => %q(
|
||||
'Description' => %q{
|
||||
This module will extract FTP and SMB account usernames and passwords
|
||||
from Konica Minolta mfp devices. Tested models include: C224, C280,
|
||||
283, C353, C360, 363, 420, C452,C452, C452, C454e, C554 ),
|
||||
from Konica Minolta multifunction printer (MFP) devices. Tested models
|
||||
include: C224, C280, 283, C353, C360, 363, 420, C452,C452, C452, C454e, C554
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Deral "Percentx" Heiland',
|
||||
|
|
|
@ -18,15 +18,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
off of the filesystem. This properties file contains an encrypted password that is set during
|
||||
installation. What is interesting about this password is that it is set as the same password
|
||||
as the database 'sa' user and of the admin user created during installation. This password
|
||||
is encrypted with a static key, and is encrypted using a weak cipher at that (ECB). By default,
|
||||
if installed with a local SQL Server instance, the SQL server is listening on all interfaces.
|
||||
is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default,
|
||||
if installed with a local SQL Server instance, the SQL Server is listening on all interfaces.
|
||||
|
||||
Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server
|
||||
user in order to achieve remote command execution with permissions of the database process. If
|
||||
the administrator has no changed the password for the initially created account since installation,
|
||||
the attacker also now has the password for this account. By default, 'admin' is recommended.
|
||||
the administrator has not changed the password for the initially created account since installation,
|
||||
the attacker will have the password for this account. By default, 'admin' is recommended.
|
||||
|
||||
Any user account can be used to exploit this, all that is needed is a pair of credentials.
|
||||
Any user account can be used to exploit this, all that is needed is a valid credential.
|
||||
|
||||
The most data that can be successfully retrieved is 255 characters due to length restrictions
|
||||
on the field used to perform the XXE attack.
|
||||
|
|
|
@ -19,7 +19,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'Misfortune Cookie' vulnerability which affects Allegro Software
|
||||
Rompager versions before 4.34 and can allow attackers to authenticate
|
||||
to the HTTP service as an administrator without providing valid
|
||||
credentials, however more specifics are not yet known.
|
||||
credentials.
|
||||
),
|
||||
'Author' => [
|
||||
'Jon Hart <jon_hart[at]rapid7.com>', # metasploit module
|
||||
|
|
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => %q{
|
||||
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
||||
(CDM) 10 does not properly implement access control, which allows remote attackers to
|
||||
modify user information. This module exploits the vulnerability for configure unauthorized
|
||||
modify user information. This module exploits the vulnerability to configure unauthorized
|
||||
call forwarding.
|
||||
},
|
||||
'Author' => 'fozavci',
|
||||
|
|
|
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
||||
(CDM), before version 10, doesn't implement access control properly, which allows remote
|
||||
attackers to modify user information. This module exploits the vulnerability to make
|
||||
unauthorized speeddial manipulations.
|
||||
unauthorized speeddial entity manipulations.
|
||||
},
|
||||
'Author' => 'fozavci',
|
||||
'References' =>
|
||||
|
|
|
@ -20,11 +20,11 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'Description' => %q{
|
||||
This module steals the user password of an administrative user on a desktop Linux system
|
||||
when it is entered for unlocking the screen or for doing administrative actions using
|
||||
policykit. Then it escalates to root privileges using sudo and the stolen user password.
|
||||
PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password.
|
||||
It exploits the design weakness that there is no trusted channel for transferring the
|
||||
password from the keyboard to the actual password verificatition against the shadow file
|
||||
(which is running as root since /etc/shadow is only readable to the root user). Both
|
||||
screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under
|
||||
screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under
|
||||
the current user account to query for the password and then pass it to a setuid-root binary
|
||||
to do the password verification. Therefore, it is possible to inject a password stealer
|
||||
after compromising the user account. Since sudo requires only the user password (and not
|
||||
|
|
|
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
|
||||
AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
|
||||
the upload does not handle correctly '../' sequences, which can be abused to write
|
||||
in the file system. Authentication is needed to exploit this vulnerability, but this module
|
||||
to the file system. Authentication is needed to exploit this vulnerability, but this module
|
||||
will attempt to login using the default credentials for the administrator and guest
|
||||
accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
|
||||
combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
|
||||
accounts. Alternatively, you can provide a pre-authenticated cookie or a username / password.
|
||||
For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All
|
||||
versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
|
||||
SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
|
||||
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
|
||||
|
|
|
@ -13,9 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
|
||||
'Name' => "Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability in Pandora v3.1 as
|
||||
This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as
|
||||
disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
|
||||
upload which allows a user to upload arbitrary files to the '/images/' directory.
|
||||
|
||||
|
|
|
@ -15,17 +15,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(
|
||||
info,
|
||||
'Name' => 'WordPress WP Symposium 14.11 Shell Upload',
|
||||
'Description' => %q{WP Symposium Plugin for WordPress contains a
|
||||
flaw that allows a remote attacker to execute
|
||||
arbitrary PHP code. This flaw exists because the
|
||||
/wp-symposium/server/file_upload_form.php script
|
||||
does not properly verify or sanitize
|
||||
user-uploaded files. By uploading a .php file,
|
||||
the remote system will place the file in a
|
||||
user-accessible path. Making a direct request to
|
||||
the uploaded file will allow the attacker to
|
||||
execute the script with the privileges of the
|
||||
web server.},
|
||||
'Description' => %q{
|
||||
WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker
|
||||
to execute arbitrary PHP code. This flaw exists because the
|
||||
/wp-symposium/server/file_upload_form.php script does not properly verify or
|
||||
sanitize user-uploaded files. By uploading a .php file, the remote system will
|
||||
place the file in a user-accessible path. Making a direct request to the
|
||||
uploaded file will allow the attacker to execute the script with the privileges
|
||||
of the web server.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow vulnerability in
|
||||
GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
|
||||
overly long HTTP response header.
|
||||
|
||||
By persuading the victim to download a file from a malicious server, a
|
||||
remote attacker could execute arbitrary code on the system or cause
|
||||
the application to crash. This module has been tested successfully on
|
||||
|
|
|
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability in
|
||||
BulletProof FTP Client 2010, caused by an overly long hostname.
|
||||
|
||||
By persuading the victim to open a specially-crafted .BPS file, a
|
||||
remote attacker could execute arbitrary code on the system or cause
|
||||
the application to crash. This module has been tested successfully on
|
||||
|
|
|
@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability in
|
||||
i-Ftp v2.20, caused by a long time value set for scheduled download.
|
||||
|
||||
By persuading the victim to place a specially-crafted Schedule.xml file
|
||||
in the i-FTP folder, a remote attacker could execute arbitrary code on
|
||||
the system or cause the application to crash. This module has been
|
||||
|
|
|
@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
|
||||
A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
|
||||
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.
|
||||
A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated
|
||||
attacker to upload arbitrary files, including arbitrary JSP code. This module has been
|
||||
tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
|
||||
},
|
||||
|
|
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
specifically against Windows MySQL servers. This module abuses the FILE
|
||||
privilege to write a payload to Microsoft's All Users Start Up directory
|
||||
which will execute every time a user logs in. The default All Users Start
|
||||
Up directory used by the module is Windows 7 friendly.
|
||||
Up directory used by the module is present on Windows 7.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -24,7 +24,7 @@ module Metasploit3
|
|||
'Description' => 'Listen for a connection. First, the port will need to be knocked from
|
||||
the IP defined in KHOST. This IP will work as an authentication method
|
||||
(you can spoof it with tools like hping). After that you could get your
|
||||
shellcode from any IP. The socket will appear as "closed" helping us to
|
||||
shellcode from any IP. The socket will appear as "closed," thus helping to
|
||||
hide the shellcode',
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -21,7 +21,7 @@ module Metasploit3
|
|||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Hidden Bind TCP Stager',
|
||||
'Description' => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host',
|
||||
'Description' => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host.',
|
||||
'Author' =>
|
||||
[
|
||||
'hdm', # original payload module (stager bind_tcp)
|
||||
|
|
Loading…
Reference in New Issue