From a40429158fc526bb198b8b195ccbbbfaf552ba5f Mon Sep 17 00:00:00 2001 
From: h00die Date: Mon, 28 Aug 2017 20:17:58 -0400 Subject: [PATCH] 40% done --- modules/auxiliary/spoof/dns/compare_results.rb | 2 +- .../sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb | 2 +- modules/auxiliary/sqli/oracle/dbms_export_extension.rb | 2 +- .../auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb | 2 +- modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb | 2 +- modules/auxiliary/sqli/oracle/droptable_trigger.rb | 2 +- modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb | 4 ++-- modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb | 2 +- modules/auxiliary/sqli/oracle/lt_removeworkspace.rb | 2 +- modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb | 2 +- modules/auxiliary/voip/cisco_cucdm_speed_dials.rb | 2 +- modules/auxiliary/voip/sip_deregister.rb | 2 +- modules/encoders/cmd/printf_php_mq.rb | 4 ++-- .../exploits/android/browser/stagefright_mp4_tx3g_64bit.rb | 2 +- modules/exploits/android/local/futex_requeue.rb | 2 +- modules/exploits/dialup/multi/login/manyargs.rb | 2 +- modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb | 2 +- modules/exploits/linux/ftp/proftp_telnet_iac.rb | 2 +- modules/exploits/linux/http/advantech_switch_bash_env_exec.rb | 2 +- modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb | 2 +- modules/exploits/linux/http/alienvault_exec.rb | 4 ++-- modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb | 2 +- modules/exploits/linux/http/dcos_marathon.rb | 2 +- modules/exploits/linux/http/dlink_authentication_cgi_bof.rb | 2 +- modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb | 2 +- modules/exploits/linux/http/dlink_hnap_bof.rb | 2 +- modules/exploits/linux/http/gitlist_exec.rb | 2 +- modules/exploits/linux/http/linksys_apply_cgi.rb | 2 +- modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb | 2 +- modules/exploits/linux/http/logsign_exec.rb | 2 +- modules/exploits/linux/http/railo_cfml_rfi.rb | 2 +- modules/exploits/linux/http/sophos_wpa_iface_exec.rb | 2 +- 
.../exploits/linux/http/symantec_messaging_gateway_exec.rb | 2 +- modules/exploits/linux/http/trend_micro_imsva_exec.rb | 2 +- modules/exploits/linux/http/trueonline_billion_5200w_rce.rb | 4 ++-- modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb | 4 ++-- modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb | 4 ++-- modules/exploits/linux/http/webcalendar_settings_exec.rb | 2 +- modules/exploits/linux/local/desktop_privilege_escalation.rb | 2 +- modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb | 4 ++-- modules/exploits/linux/local/sock_sendpage.rb | 2 +- modules/exploits/linux/misc/opennms_java_serialize.rb | 2 +- modules/exploits/linux/postgres/postgres_payload.rb | 2 +- modules/exploits/linux/samba/lsa_transnames_heap.rb | 2 +- modules/exploits/linux/smtp/exim4_dovecot_exec.rb | 2 +- .../multi/browser/adobe_flash_opaque_background_uaf.rb | 2 +- modules/exploits/multi/browser/firefox_proto_crmfrequest.rb | 2 +- modules/exploits/multi/browser/java_verifier_field_access.rb | 2 +- modules/exploits/multi/fileformat/swagger_param_inject.rb | 2 +- modules/exploits/multi/http/eventlog_file_upload.rb | 2 +- modules/exploits/multi/http/glassfish_deployer.rb | 2 +- modules/exploits/multi/http/ispconfig_php_exec.rb | 2 +- modules/exploits/multi/http/jboss_seam_upload_exec.rb | 2 +- modules/exploits/multi/http/jira_hipchat_template.rb | 4 ++-- modules/exploits/multi/http/joomla_http_header_rce.rb | 2 +- modules/exploits/multi/http/manageengine_auth_upload.rb | 2 +- modules/exploits/multi/http/mediawiki_thumb.rb | 2 +- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 2 +- modules/exploits/multi/http/nibbleblog_file_upload.rb | 2 +- modules/exploits/multi/http/openmediavault_cmd_exec.rb | 2 +- modules/exploits/multi/http/oracle_reports_rce.rb | 2 +- modules/exploits/multi/http/phptax_exec.rb | 2 +- modules/exploits/multi/http/sonicwall_gms_upload.rb | 2 +- modules/exploits/multi/http/struts2_content_type_ognl.rb | 2 +- 64 files changed, 72 insertions(+), 
72 deletions(-)
diff --git a/modules/auxiliary/spoof/dns/compare_results.rb b/modules/auxiliary/spoof/dns/compare_results.rb
index 482d2d38f5..9374bf196a 100644
--- a/modules/auxiliary/spoof/dns/compare_results.rb
+++ b/modules/auxiliary/spoof/dns/compare_results.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
 This module can be used to determine differences in the cache entries between two DNS servers. This is primarily useful for detecting cache poisoning attacks,
- but can also be used to detect geo-location loadbalancing.
+ but can also be used to detect geo-location load balancing.
 }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb
index 7f43c01027..8fc8199c4f 100644
--- a/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb
+++ b/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION', 'Description' => %q{
- This module will escalate a Oracle DB user to DBA by exploiting an sql injection
+ This module will escalate an Oracle DB user to DBA by exploiting a sql injection
 bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.
diff --git a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb
index caf95194d4..ffee9bcb8e 100644
--- a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb
+++ b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION', 'Description' => %q{
- This module will escalate a Oracle DB user to DBA by exploiting an
+ This module will escalate an Oracle DB user to DBA by exploiting a
 sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2.
diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb
index 327c3b38aa..68b4d03eaa 100644
--- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb
+++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML', 'Description' => %q{
- This module will escalate a Oracle DB user to DBA by exploiting an sql injection
+ This module will escalate an Oracle DB user to DBA by exploiting a sql injection
 bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function. }, 'Author' => [ 'MC' ],
diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb
index 6c7f02745a..f1bd69bee4 100644
--- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb
+++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML', 'Description' => %q{
- This module will escalate a Oracle DB user to DBA by exploiting an sql injection
+ This module will escalate an Oracle DB user to DBA by exploiting a sql injection
 bug in the SYS.DBMS_METADATA.GET_XML package/function. }, 'Author' => [ 'MC' ],
diff --git a/modules/auxiliary/sqli/oracle/droptable_trigger.rb b/modules/auxiliary/sqli/oracle/droptable_trigger.rb
index 144999861c..54b8b8f357 100644
--- a/modules/auxiliary/sqli/oracle/droptable_trigger.rb
+++ b/modules/auxiliary/sqli/oracle/droptable_trigger.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger', 'Description' => %q{
- This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in
+ This module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in
 the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS user by creating evil trigger in system scheme (2-stage attack). },
diff --git a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb
index c085d9a1e4..1e00a3cacb 100644
--- a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb
+++ b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb
@@ -10,8 +10,8 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method', 'Description' => %q{
- This module will escalate a Oracle DB user to DBA by exploiting
- an sql injection bug in the SYS.LT.FINDRICSET package via Evil
+ This module will escalate an Oracle DB user to DBA by exploiting
+ a sql injection bug in the SYS.LT.FINDRICSET package via Evil
 Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007.
diff --git a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
index 1b5669ecb5..3b83207162 100644
--- a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
+++ b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE', 'Description' => %q{
- This module exploits an sql injection flaw in the MERGEWORKSPACE
+ This module exploits a sql injection flaw in the MERGEWORKSPACE
 procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. },
diff --git a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb
index 2b54b73c1b..1cb05aac04 100644
--- a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb
+++ b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE', 'Description' => %q{
- This module exploits an sql injection flaw in the REMOVEWORKSPACE
+ This module exploits a sql injection flaw in the REMOVEWORKSPACE
 procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. },
diff --git a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb
index bf3d96fd12..4d1f238c7e 100644
--- a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb
+++ b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE', 'Description' => %q{
- This module exploits an sql injection flaw in the ROLLBACKWORKSPACE
+ This module exploits a sql injection flaw in the ROLLBACKWORKSPACE
 procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. },
diff --git a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb
index 1dc0c2fdea..90b9ba751c 100644
--- a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb
+++ b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
 The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. This module exploits the vulnerability to make
- unauthorized speeddial entity manipulations.
+ unauthorized speed dial entity manipulations.
 }, 'Author' => 'fozavci', 'References' =>
diff --git a/modules/auxiliary/voip/sip_deregister.rb b/modules/auxiliary/voip/sip_deregister.rb
index c993bb5bba..c5b2dc6fb2 100644
--- a/modules/auxiliary/voip/sip_deregister.rb
+++ b/modules/auxiliary/voip/sip_deregister.rb
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
 super( 'Name' => 'SIP Deregister Extension', 'Description' => %q{
- This module will will attempt to deregister a SIP user from the provider. It
+ This module will attempt to deregister a SIP user from the provider. It
 has been tested successfully when the sip provider/server doesn't use REGISTER authentication. },
diff --git a/modules/encoders/cmd/printf_php_mq.rb b/modules/encoders/cmd/printf_php_mq.rb
index 3bb28364da..8d48b0cc25 100644
--- a/modules/encoders/cmd/printf_php_mq.rb
+++ b/modules/encoders/cmd/printf_php_mq.rb
@@ -21,9 +21,9 @@ class MetasploitModule < Msf::Encoder
 'Name' => 'printf(1) via PHP magic_quotes Utility Command Encoder', 'Description' => %q{ This encoder uses the printf(1) utility to avoid restricted
- characters. Some shell variable substituion may also be used
+ characters. Some shell variable substitution may also be used
 if needed symbols are blacklisted. Some characters are intentionally
- left unescaped since it is assummed that PHP with magic_quotes_gpc
+ left unescaped since it is assumed that PHP with magic_quotes_gpc
 enabled will escape them during request handling. }, 'Author' => 'jduck',
diff --git a/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb b/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb
index 7045d3b026..7a2b69561e 100644
--- a/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb
+++ b/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => "Android Stagefright MP4 tx3g Integer Overflow", 'Description' => %q{
- This module exploits a integer overflow vulnerability in the Stagefright
+ This module exploits an integer overflow vulnerability in the Stagefright
 Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser.
diff --git a/modules/exploits/android/local/futex_requeue.rb b/modules/exploits/android/local/futex_requeue.rb
index 83a00695d6..2acd014f5e 100644
--- a/modules/exploits/android/local/futex_requeue.rb
+++ b/modules/exploits/android/local/futex_requeue.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Local
 'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit", 'Description' => %q{ This module exploits a bug in futex_requeue in the Linux kernel, using
- similiar techniques employed by the towelroot exploit. Any Android device
+ similar techniques employed by the towelroot exploit. Any Android device
 with a kernel built before June 2014 is likely to be vulnerable. }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/dialup/multi/login/manyargs.rb b/modules/exploits/dialup/multi/login/manyargs.rb
index 30ddbf3b93..ed10140677 100644
--- a/modules/exploits/dialup/multi/login/manyargs.rb
+++ b/modules/exploits/dialup/multi/login/manyargs.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow', 'Description' => %q{ This exploit connects to a system's modem over dialup and exploits
- a buffer overlflow vulnerability in it's System V derived /bin/login.
+ a buffer overflow vulnerability in it's System V derived /bin/login.
 The vulnerability is triggered by providing a large number of arguments. }, 'References' =>
diff --git a/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb b/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
index 0cbec9629b..e3d76631bf 100644
--- a/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
+++ b/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
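Review bot: In modules/exploits/dialup/multi/login/manyargs.rb the corrected line still reads `in it's System V derived /bin/login`, where the possessive `its` is meant. Since the line is already being touched for `overlflow`, it could become `a buffer overflow vulnerability in its System V derived /bin/login.` in the same commit. The Description string this line belongs to opens and closes in the context lines, so nothing else in the hunk is affected.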
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability', 'Description' => %q{ This module exploits a vulnerability in Adobe Flash Player for Linux,
- version 10.0.12.36 and 9.0.151.0 and prior.
+ version 10.0.12.36 and 9.0.151.0 and prior.
 An input validation vulnerability allows command execution when the browser loads a SWF file which contains shell metacharacters in the arguments to the ActionScript launch method.
diff --git a/modules/exploits/linux/ftp/proftp_telnet_iac.rb b/modules/exploits/linux/ftp/proftp_telnet_iac.rb
index c829147f7a..2c71ce0a55 100644
--- a/modules/exploits/linux/ftp/proftp_telnet_iac.rb
+++ b/modules/exploits/linux/ftp/proftp_telnet_iac.rb
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite
- some attemtps failing. By making repeated requests, an attacker can eventually
+ some attempts failing. By making repeated requests, an attacker can eventually
 guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
diff --git a/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb b/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb
index f4e3b707e5..04dfbc66a9 100644
--- a/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb
+++ b/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI
- script, acessible through the Boa web server on Advantech switches. This module
+ script, accessible through the Boa web server on Advantech switches. This module
 was tested against firmware version 1322_D1.98. }, 'Author' => 'hdm',
diff --git a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb
index 39f37163e2..fbd10a7dbe 100644
--- a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb
+++ b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker
- to execute arbitrary commands by specifing shell metacharaters as the
+ to execute arbitrary commands by specifying shell metacharaters as the
 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response.
diff --git a/modules/exploits/linux/http/alienvault_exec.rb b/modules/exploits/linux/http/alienvault_exec.rb
index edbc29e014..14ca6b3ad3 100644
--- a/modules/exploits/linux/http/alienvault_exec.rb
+++ b/modules/exploits/linux/http/alienvault_exec.rb
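Review bot: The changed line in modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb fixes `specifing` but leaves `metacharaters` misspelled three words later. The line could read `to execute arbitrary commands by specifying shell metacharacters as the`, which also matches the spelling the adobe_flashplayer_aslaunch.rb description uses. The Description string starts above the hunk and continues past it.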
@@ -13,13 +13,13 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => "AlienVault OSSIM/USM Remote Code Execution", 'Description' => %q{
- This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together.
+ This module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together.
 Unauthenticated users can execute arbitrary commands under the context of the root user. By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue action and policy that enables to execute operating system commands by using captured session token. As a final step,
- SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
+ SSH login attempt with an invalid credentials can trigger a created rogue policy which triggers an action that executes
 operating system command with root user privileges. This module was tested against following product and versions:
diff --git a/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb b/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
index cfcb36cfd7..37ffe7aa13 100644
--- a/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
+++ b/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
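Review bot: The second changed line in modules/exploits/linux/http/alienvault_exec.rb now reads `SSH login attempt with an invalid credentials`, which replaces one wrong article with another in front of a plural noun. Dropping the article gives `SSH login attempt with invalid credentials can trigger a created rogue policy which triggers an action that executes`. The Description continues beyond the end of the hunk, so only this line is in question here.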
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
 CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is used by the application without input validation and parameter binding, which leads to SQL injection
- vulnerability. Successfully exploitating this vulnerability gives a the valid session.
+ vulnerability. Successfully exploiting this vulnerability gives a valid session.
 CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. One user parameter is used by the
diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb
index 6b3c3893bd..c5ac9de55b 100644
--- a/modules/exploits/linux/http/dcos_marathon.rb
+++ b/modules/exploits/linux/http/dcos_marathon.rb
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
 in the '/etc/cron.d/' path of the host server. *Notes: The docker image must be a valid docker image from
- hub.docker.com. Further more the docker container will only
+ hub.docker.com. Furthermore the docker container will only
 deploy if there are resources available in the DC/OS cluster. }, 'Author' => 'Erik Daguerre',
diff --git a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
index cd43f8d322..03b36f94d8 100644
--- a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
+++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'D-Link authentication.cgi Buffer Overflow', 'Description' => %q{
- This module exploits an remote buffer overflow vulnerability on several D-Link routers.
+ This module exploits a remote buffer overflow vulnerability on several D-Link routers.
 The vulnerability exists in the handling of HTTP queries to the authentication.cgi with long password values. The vulnerability can be exploitable without authentication. This module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb
index 3d11d81d46..f52e9b9ded 100644
--- a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb
+++ b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'D-Link info.cgi POST Request Buffer Overflow', 'Description' => %q{ This module exploits an anonymous remote code execution vulnerability on different D-Link
- devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component,
+ devices. The vulnerability is a stack based buffer overflow in the my_cgi.cgi component,
 when handling specially crafted POST HTTP requests addresses to the /common/info.cgi handler. This module has been successfully tested on D-Link DSP-W215 in an emulated environment.
diff --git a/modules/exploits/linux/http/dlink_hnap_bof.rb b/modules/exploits/linux/http/dlink_hnap_bof.rb
index bb7dbfdea1..d405e08279 100644
--- a/modules/exploits/linux/http/dlink_hnap_bof.rb
+++ b/modules/exploits/linux/http/dlink_hnap_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'D-Link HNAP Request Remote Buffer Overflow', 'Description' => %q{ This module exploits an anonymous remote code execution vulnerability on different
- D-Link devices. The vulnerability is due to an stack based buffer overflow while
+ D-Link devices. The vulnerability is due to a stack based buffer overflow while
 handling malicious HTTP POST requests addressed to the HNAP handler. This module has been successfully tested on D-Link DIR-505 in an emulated environment. },
diff --git a/modules/exploits/linux/http/gitlist_exec.rb b/modules/exploits/linux/http/gitlist_exec.rb
index 4a104e38f4..f9c29fa017 100644
--- a/modules/exploits/linux/http/gitlist_exec.rb
+++ b/modules/exploits/linux/http/gitlist_exec.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Gitlist Unauthenticated Remote Command Execution', 'Description' => %q{ This module exploits an unauthenticated remote command execution vulnerability
- in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
+ in version 0.4.0 of Gitlist. The problem exists in the handling of a specially
 crafted file name when trying to blame it. }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/linksys_apply_cgi.rb b/modules/exploits/linux/http/linksys_apply_cgi.rb
index 2511f147de..f17e5a921c 100644
--- a/modules/exploits/linux/http/linksys_apply_cgi.rb
+++ b/modules/exploits/linux/http/linksys_apply_cgi.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to
- 4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
+ 4.20.7 and all WRT54GS version prior to 1.05.2 may be affected.
 }, 'Author' => [ 'Raphael Rigo ', 'Julien Tinnes ' ], 'License' => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
index e980ec7f98..73e9f55953 100644
--- a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
+++ b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
 their web interface where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This module has been tested on
- a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a
+ a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a
 controlled system could be used for testing purposes. The exploit uses the tftp client from the device to stage to native payloads from the command injection. },
diff --git a/modules/exploits/linux/http/logsign_exec.rb b/modules/exploits/linux/http/logsign_exec.rb
index 5feede5733..7be1da5a3f 100644
--- a/modules/exploits/linux/http/logsign_exec.rb
+++ b/modules/exploits/linux/http/logsign_exec.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'Logsign Remote Command Injection', 'Description' => %q{
- This module exploits an command injection vulnerability in Logsign.
+ This module exploits a command injection vulnerability in Logsign.
 By exploiting this vulnerability, unauthenticated users can execute arbitrary code under the root user.
diff --git a/modules/exploits/linux/http/railo_cfml_rfi.rb b/modules/exploits/linux/http/railo_cfml_rfi.rb
index 2757aaddcd..874e28a801 100644
--- a/modules/exploits/linux/http/railo_cfml_rfi.rb
+++ b/modules/exploits/linux/http/railo_cfml_rfi.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => ' This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable
- line in thumbnail.cfm allows an atacker to download an
+ line in thumbnail.cfm allows an attacker to download an
 arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append cold fusion markup to the PNG file, and have it interpreted by the server. This is
diff --git a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
index ca82667545..757d663377 100644
--- a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
+++ b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
- vulnerability that allows an unprivileged authenticated user to change the admininistrator's
+ vulnerability that allows an unprivileged authenticated user to change the administrator's
 password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application,
diff --git a/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb b/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb
index e4047371ba..139d8704c8 100644
--- a/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb
+++ b/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 terminal command under the context of the web server user which is root. backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing
- operating system command. One of the user input is being passed to the service without proper validation. That cause an command
+ operating system command. One of the user input is being passed to the service without proper validation. That cause a command
 injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal command. Thus, you need to configure your own SSH service and set the required parameter during module usage.
diff --git a/modules/exploits/linux/http/trend_micro_imsva_exec.rb b/modules/exploits/linux/http/trend_micro_imsva_exec.rb
index 7ae12253be..5b6991a5dc 100644
--- a/modules/exploits/linux/http/trend_micro_imsva_exec.rb
+++ b/modules/exploits/linux/http/trend_micro_imsva_exec.rb
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
 saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command
- without proper sanitation. However,due to improper blacklisting rule it's possible to inject
+ without proper sanitation. However, due to improper blacklisting rule it's possible to inject
 arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue. This module was tested against IMSVA 9.1-1600.
diff --git a/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb b/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb
index d856f8f1e6..0502ebe3d0 100644
--- a/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb
+++ b/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb
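Review bot: In modules/exploits/linux/http/symantec_messaging_gateway_exec.rb the changed line corrects the article but keeps `That cause a command`, where the verb does not agree with its subject, and `One of the user input is` on the same line has the same problem. The line could read `operating system command. One of the user inputs is being passed to the service without proper validation. That causes a command`. The Description starts before the hunk and runs past it, so the neighbouring context lines (`such a SSH ip address`) are outside what this commit touches.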
@@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection', 'Description' => %q{ - TrueOnline is a major ISP in Thailand, and it distributes a customised version of - the Billion 5200W-T router. This customised version has at least two command injection + TrueOnline is a major ISP in Thailand, and it distributes a customized version of + the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This module will attempt to exploit the unauthenticated injection first, and if that fails, it will attempt to exploit the authenticated injection. diff --git a/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb b/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb index 8f385b0052..b854cb5688 100644 --- a/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb +++ b/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb @@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection', 'Description' => %q{ - TrueOnline is a major ISP in Thailand, and it distributes a customised version of - the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command + TrueOnline is a major ISP in Thailand, and it distributes a customized version of + the ZyXEL P660HN-T v1 router. This customized version has an unauthenticated command injection vulnerability in the remote log forwarding page. This module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as 
diff --git a/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb b/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb index 218f3447b0..577c36ca3b 100644 --- a/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb +++ b/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb @@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection', 'Description' => %q{ - TrueOnline is a major ISP in Thailand, and it distributes a customised version of - the ZyXEL P660HN-T v2 router. This customised version has an authenticated command injection + TrueOnline is a major ISP in Thailand, and it distributes a customized version of + the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection vulnerability in the remote log forwarding page. This can be exploited using the "supervisor" account that comes with a default password on the device. This module was tested in an emulated environment, as the author doesn't have access to the diff --git a/modules/exploits/linux/http/webcalendar_settings_exec.rb b/modules/exploits/linux/http/webcalendar_settings_exec.rb index b5bf903a02..0555dfb873 100644 --- a/modules/exploits/linux/http/webcalendar_settings_exec.rb +++ b/modules/exploits/linux/http/webcalendar_settings_exec.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection", 'Description' => %q{ - This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or + This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or less. If not removed, the settings.php script meant for installation can be update by an attacker, and then inject code in it. This allows arbitrary code execution as www-data. 
diff --git a/modules/exploits/linux/local/desktop_privilege_escalation.rb b/modules/exploits/linux/local/desktop_privilege_escalation.rb index 32043f28b4..40b430b85d 100644 --- a/modules/exploits/linux/local/desktop_privilege_escalation.rb +++ b/modules/exploits/linux/local/desktop_privilege_escalation.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Local when it is entered for unlocking the screen or for doing administrative actions using PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the - password from the keyboard to the actual password verificatition against the shadow file + password from the keyboard to the actual password verification against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under the current user account to query for the password and then pass it to a setuid-root binary diff --git a/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb b/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb index 9df1bba9e8..7cdbcfdd14 100644 --- a/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb +++ b/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb 
@@ -14,13 +14,13 @@ class MetasploitModule < Msf::Exploit::Local super(update_info(info, 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation', 'Description' => %q{ - This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently + This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) - 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile + 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile Kernel 4.4.0-31-generic and newer are not vulnerable. We write the ascii files and compile on target instead of locally since metasm bombs for not diff --git a/modules/exploits/linux/local/sock_sendpage.rb b/modules/exploits/linux/local/sock_sendpage.rb index 1eb643bcc6..1e27130525 100644 --- a/modules/exploits/linux/local/sock_sendpage.rb +++ b/modules/exploits/linux/local/sock_sendpage.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local 'Description' => %q{ The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being - derefenced and used as a function pointer. By using mmap(2) to map + dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. diff --git a/modules/exploits/linux/misc/opennms_java_serialize.rb b/modules/exploits/linux/misc/opennms_java_serialize.rb index a36ef01a6c..553f8375a6 100644 --- a/modules/exploits/linux/misc/opennms_java_serialize.rb +++ b/modules/exploits/linux/misc/opennms_java_serialize.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'OpenNMS Java Object Unserialization Remote Code Execution', 'Description' => %q( This module exploits a vulnerability in the OpenNMS Java object which allows - an unauthenticated attacker to run arbitary code against the system. + an unauthenticated attacker to run arbitrary code against the system. ), 'Author' => [ diff --git a/modules/exploits/linux/postgres/postgres_payload.rb b/modules/exploits/linux/postgres/postgres_payload.rb index 48fb7b2e61..28ef6eebfe 100644 --- a/modules/exploits/linux/postgres/postgres_payload.rb +++ b/modules/exploits/linux/postgres/postgres_payload.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and - may source UDF Shared Libraries's from there as well, allowing + may source UDF Shared Libraries' from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to diff --git a/modules/exploits/linux/samba/lsa_transnames_heap.rb b/modules/exploits/linux/samba/lsa_transnames_heap.rb index 906b7b2cc6..eaf9a7d747 100644 --- a/modules/exploits/linux/samba/lsa_transnames_heap.rb +++ b/modules/exploits/linux/samba/lsa_transnames_heap.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba - versions 3.0.21-3.0.24. Additonally, this module will not work + versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". }, 'Author' => diff --git a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb index 6b5b51d625..e08819eba0 100644 
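Review bot: The corrected line in postgres_payload.rb still carries a possessive, `UDF Shared Libraries'`, where a plain plural is meant. The line should read `may source UDF Shared Libraries from there as well, allowing`. The Description string starts before and continues after this hunk.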
--- a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb +++ b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Exim and Dovecot Insecure Configuration Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability against Dovecot with - Exim using the "use_shell" option. It uses the sender's address to inject arbitary + Exim using the "use_shell" option. It uses the sender's address to inject arbitrary commands, since this is one of the user-controlled variables. It has been successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common packages. diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb index d4e810f4c0..012cbc12bb 100644 --- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb +++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb @@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203, Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, - Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203, + Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203, diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb index f0a208ad31..7176ff56ec 100644 --- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb +++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb 
@@ -28,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be - overriden with a function that gets called from chrome-privileged context. From here, + overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager diff --git a/modules/exploits/multi/browser/java_verifier_field_access.rb b/modules/exploits/multi/browser/java_verifier_field_access.rb index 9ad956d820..124b95a3fb 100644 --- a/modules/exploits/multi/browser/java_verifier_field_access.rb +++ b/modules/exploits/multi/browser/java_verifier_field_access.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Java Applet Field Bytecode Verifier Cache Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability in HotSpot bytecode verifier where an invalid - optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficent + optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations. }, diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb index b716b9df65..2caa9da10b 100644 --- a/modules/exploits/multi/fileformat/swagger_param_inject.rb +++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb 
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'JSON Swagger CodeGen Parameter Injector', 'Description' => %q{ - This module generates a Open API Specification 2.0 (Swagger) compliant + This module generates an Open API Specification 2.0 (Swagger) compliant json document that includes payload insertion points in parameters. In order for the payload to be executed, an attacker must convince diff --git a/modules/exploits/multi/http/eventlog_file_upload.rb b/modules/exploits/multi/http/eventlog_file_upload.rb index e1071f2db0..628cdabe5c 100644 --- a/modules/exploits/multi/http/eventlog_file_upload.rb +++ b/modules/exploits/multi/http/eventlog_file_upload.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer. The vulnerability exists in the agentUpload servlet which accepts unauthenticated - file uploads and handles zip file contents in a insecure way. By combining both + file uploads and handles zip file contents in an insecure way. By combining both weaknesses a remote attacker can achieve remote code execution. This module has been tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server, diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb index f46b3b7913..b6cecdbe60 100644 --- a/modules/exploits/multi/http/glassfish_deployer.rb +++ b/modules/exploits/multi/http/glassfish_deployer.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Sun/Oracle GlassFish Server Authenticated Code Execution", 'Description' => %q{ - This module logs in to an GlassFish Server (Open Source or Commercial) using various + This module logs in to a GlassFish Server (Open Source or Commercial) using various methods (such as authentication bypass, default credentials, or user-supplied login), and deploys a malicious war file in order to get remote code execution. It has been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer diff --git a/modules/exploits/multi/http/ispconfig_php_exec.rb b/modules/exploits/multi/http/ispconfig_php_exec.rb index b264121033..952b259ff6 100644 --- a/modules/exploits/multi/http/ispconfig_php_exec.rb +++ b/modules/exploits/multi/http/ispconfig_php_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ ISPConfig allows an authenticated administrator to export language settings into a PHP script which is intended to be reuploaded later to restore language settings. This feature - can be abused to run aribtrary PHP code remotely on the ISPConfig server. + can be abused to run aribitrary PHP code remotely on the ISPConfig server. This module was tested against version 3.0.5.2. }, diff --git a/modules/exploits/multi/http/jboss_seam_upload_exec.rb b/modules/exploits/multi/http/jboss_seam_upload_exec.rb index 972fa6094a..3476298175 100644 --- a/modules/exploits/multi/http/jboss_seam_upload_exec.rb +++ b/modules/exploits/multi/http/jboss_seam_upload_exec.rb 
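Review bot: The replacement in ispconfig_php_exec.rb swaps one misspelling for another: `aribtrary` becomes `aribitrary` on the added line. It should read `can be abused to run arbitrary PHP code remotely on the ISPConfig server.`. The same word is corrected properly in the openmediavault_cmd_exec.rb hunk of this patch, so this looks like a slip rather than a different intent. The Description string starts outside this hunk.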
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'JBoss Seam 2 File Upload and Execute', 'Description' => %q{ - Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly + Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This module leverages RCE to upload and execute diff --git a/modules/exploits/multi/http/jira_hipchat_template.rb b/modules/exploits/multi/http/jira_hipchat_template.rb index 02f4e74df2..cf434701df 100644 --- a/modules/exploits/multi/http/jira_hipchat_template.rb +++ b/modules/exploits/multi/http/jira_hipchat_template.rb @@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "Atlassian HipChat for Jira Plugin Velocity Template Injection", 'Description' => %q{ Atlassian Hipchat is a web service for internal instant messaging. A plugin is available - for Jira that allows team collibration at real time. A message can be used to inject Java - code into a Velocity template, and gain code exeuction as Jira. Authentication is required + for Jira that allows team collaboration at real time. A message can be used to inject Java + code into a Velocity template, and gain code execution as Jira. Authentication is required to exploit this vulnerability, and you must make sure the account you're using isn't protected by captcha. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). diff --git a/modules/exploits/multi/http/joomla_http_header_rce.rb b/modules/exploits/multi/http/joomla_http_header_rce.rb index b5e1e5e8ad..7c2effef87 100644 --- a/modules/exploits/multi/http/joomla_http_header_rce.rb +++ b/modules/exploits/multi/http/joomla_http_header_rce.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read - from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. + from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb index 43d06e0237..89dd9e9495 100644 --- a/modules/exploits/multi/http/manageengine_auth_upload.rb +++ b/modules/exploits/multi/http/manageengine_auth_upload.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this - module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been + module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been tested successfully in Windows and Linux on several versions. }, 'Author' => diff --git a/modules/exploits/multi/http/mediawiki_thumb.rb b/modules/exploits/multi/http/mediawiki_thumb.rb index 26729a49f4..bebc6eff52 100644 --- a/modules/exploits/multi/http/mediawiki_thumb.rb +++ b/modules/exploits/multi/http/mediawiki_thumb.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'MediaWiki Thumb.php Remote Command Execution', 'Description' => %q{ MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, - when DjVu or PDF file upload support is enabled, allows remote unauthenticated + when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation. diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 18bedbd89f..daaebfc86b 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote 1. This script may be invoked remotely without requiring authentication to any MT instance. 2. Through a crafted POST request, it is possible to invoke particular - database migration functions (i.e functions that bring the existing + database migration functions (i.e. functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters. 3. A particular migration function, core_drop_meta_for_table, allows diff --git a/modules/exploits/multi/http/nibbleblog_file_upload.rb b/modules/exploits/multi/http/nibbleblog_file_upload.rb index 913e0227e3..4e1dfa9d03 100644 --- a/modules/exploits/multi/http/nibbleblog_file_upload.rb +++ b/modules/exploits/multi/http/nibbleblog_file_upload.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'Nibbleblog File Upload Vulnerability', 'Description' => %q{ - Nibbleblog contains a flaw that allows a authenticated remote + Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3. }, diff --git a/modules/exploits/multi/http/openmediavault_cmd_exec.rb b/modules/exploits/multi/http/openmediavault_cmd_exec.rb index 2cf8fe4ae0..f02ae13f40 100644 --- a/modules/exploits/multi/http/openmediavault_cmd_exec.rb +++ b/modules/exploits/multi/http/openmediavault_cmd_exec.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'OpenMediaVault Cron Remote Command Execution', 'Description' => %q{ - OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system. + OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system (including root). }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/multi/http/oracle_reports_rce.rb b/modules/exploits/multi/http/oracle_reports_rce.rb index 6e6579a61b..77614ef7c2 100644 --- a/modules/exploits/multi/http/oracle_reports_rce.rb +++ b/modules/exploits/multi/http/oracle_reports_rce.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote used to write a shell from a remote url to a known local path disclosed from the previous vulnerability. - The local path being accessable from an URL allows an attacker to perform the remote code + The local path being accessible from an URL allows an attacker to perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1. 
diff --git a/modules/exploits/multi/http/phptax_exec.rb b/modules/exploits/multi/http/phptax_exec.rb index 9eb8631641..d8ea1aae0c 100644 --- a/modules/exploits/multi/http/phptax_exec.rb +++ b/modules/exploits/multi/http/phptax_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php - does not properly handle the pfilez parameter, which will be used in a exec() + does not properly handle the pfilez parameter, which will be used in an exec() statement, and then results in arbitrary remote code execution under the context of the web server. Please note: authentication is not required to exploit this vulnerability. diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 978eb6f6d4..0c4b3d8e38 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run - successfully while testing, shell payload have been used. + successfully while testing, shell payload has been used. }, 'Author' => [ diff --git a/modules/exploits/multi/http/struts2_content_type_ognl.rb b/modules/exploits/multi/http/struts2_content_type_ognl.rb index 91b89ffea4..1b4ba5e634 100644 --- a/modules/exploits/multi/http/struts2_content_type_ognl.rb +++ b/modules/exploits/multi/http/struts2_content_type_ognl.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', 'Description' => %q{ - This module exploits a remote code execution vunlerability in Apache Struts + This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header.