Commit Graph

1336 Commits (002234993fb37f25579c55523ebcd8f523a713c5)

Author SHA1 Message Date
jvazquez-r7 ff267a64b1 Have into account the Content-Transfer-Encoding header 2014-02-12 12:40:11 -06:00
bwall 783e62ea85 Applied changes from @wchen-r7's comments 2014-02-11 10:14:52 -08:00
jvazquez-r7 51df2d8b51 Use the fixed API on the mediawiki exploit 2014-02-11 08:28:58 -06:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
bwall 13fadffe7e Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial 2014-02-10 13:44:30 -08:00
jvazquez-r7 8ece4a7750 Delete debug print 2014-02-10 08:57:45 -06:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
Meatballs dcff06eba1
More verbose failure messages 2014-02-07 23:59:28 +00:00
Meatballs 783a986a19
Windows and auto target up and running 2014-02-07 23:26:57 +00:00
Meatballs a0f47f6b2b
Correct error check logic 2014-02-07 22:06:53 +00:00
Meatballs 443a51bbf5
Undo revert from merge 2014-02-07 21:28:04 +00:00
Meatballs 56359aa99f
Merge changes from other dev machine 2014-02-07 21:22:44 +00:00
Meatballs a4cc75bf98
Potential .pdf support 2014-02-07 20:37:44 +00:00
Meatballs e13520d7fb
Handle a blank filename 2014-02-07 20:15:32 +00:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
grimmlin 2d93b38e2a Fixed java_signed_applet for Java 7u51 2014-02-07 16:29:50 +01:00
Meatballs 0a3cb3377f
AppendEncoder 2014-02-04 15:41:10 +00:00
Meatballs 26c506da42
Naming of follow method 2014-02-04 15:25:51 +00:00
Meatballs f5fa3fb5ce
Windows compat, fixed PHP-CLI 2014-02-04 14:27:10 +00:00
Meatballs 64d11e58c2
Use semicolon for win compat 2014-02-04 13:53:33 +00:00
Meatballs 2fd8257c7e
Use bperry's trigger 2014-02-04 00:51:34 +00:00
Meatballs a8ff6eb429
Refactor send_request_cgi_follow_redirect 2014-02-03 21:49:49 +00:00
Meatballs 83925da2f1
Refactor form_data code 2014-02-03 21:16:58 +00:00
Tod Beardsley d34020115a
Fix up on apache descs and print_* methods 2014-02-03 13:13:57 -06:00
Meatballs 67c18d8d2d
I had a problem, then I used regex. 2014-02-02 22:19:54 +00:00
Meatballs 57f4998568
Better failures and handle unconfigured server 2014-02-02 16:26:22 +00:00
Meatballs 9fa9402eb2
Better check and better follow redirect 2014-02-02 16:07:46 +00:00
Meatballs 0d3a40613e
Add auto 30x redirect to send_request_cgi 2014-02-02 15:03:44 +00:00
Meatballs 8b33ef1874
Not html its form-data... 2014-02-02 13:57:29 +00:00
Meatballs 7ddc6bcfa5
Final tidyup 2014-02-01 01:05:02 +00:00
Meatballs 486a9d5e19
Use msf branded djvu 2014-02-01 00:37:28 +00:00
Meatballs fd1a507fda
Rename file 2014-02-01 00:27:32 +00:00
Meatballs 700c6545f0
Polished 2014-02-01 00:26:55 +00:00
Mekanismen 5a883a4477 updated 2014-01-31 21:59:26 +01:00
Meatballs 7fa1522299
Initial commit 2014-01-31 18:51:18 +00:00
sinn3r b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution 2014-01-31 12:06:58 -06:00
sinn3r 60ead5de43 Explain why we flag the vuln as "Appears" instead of vulnerable 2014-01-31 12:05:58 -06:00
jvazquez-r7 2fca2da9f7 Add an vprint message on check 2014-01-31 11:57:20 -06:00
jvazquez-r7 356692f2f5
Land #2923, @rangercha tomcat deploy module compatible with tomcat8 2014-01-31 10:53:53 -06:00
Mekanismen f6291eb9a8 updated 2014-01-31 14:33:18 +01:00
jvazquez-r7 93db1c59af Do small fixes 2014-01-30 17:16:43 -06:00
jvazquez-r7 9daacf8fb1 Clean exploit method 2014-01-30 16:58:17 -06:00
jvazquez-r7 4458dc80a5 Clean the find_csrf mehtod 2014-01-30 16:39:19 -06:00
jvazquez-r7 697a86aad7 Organize a little bit the code 2014-01-30 16:29:45 -06:00
jvazquez-r7 50317d44d3 Do more easy clean 2014-01-30 16:23:17 -06:00
jvazquez-r7 1a9e6dfb2a Allow check to detect platform and arch 2014-01-30 15:17:20 -06:00
jvazquez-r7 b2273dce2e Delete Automatic target
It isn't usefull at all, when auto targeting is done, the payload (java platform and arch)
has been already selected.
2014-01-30 15:04:08 -06:00
jvazquez-r7 cebbe71dba Do easy cleanup of exploit 2014-01-30 14:42:02 -06:00
jvazquez-r7 c336133a8e Do a first clean related to auto_target 2014-01-30 14:27:20 -06:00
jvazquez-r7 57b8b49744 Clean query_manager 2014-01-30 14:20:02 -06:00
jvazquez-r7 148e51a28b Clean metadata and use TARGETURI 2014-01-30 14:03:52 -06:00
William Vu 56287e308d Clean up unused variables 2014-01-30 11:20:21 -06:00
Mekanismen e7ab77c736 added module for Oracle Forms and Reports 2014-01-30 14:45:17 +01:00
RangerCha a49473181c Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 09:04:59 -05:00
jvazquez-r7 8fe74629fe Allow send_request_cgi to take care of the uri encoding 2014-01-26 00:06:41 -06:00
jvazquez-r7 37adf1251c Delete privileged flag because is configuration dependant 2014-01-25 18:25:31 -06:00
jvazquez-r7 038cb7a981 Add module for CVE-2012-0394 2014-01-25 18:17:01 -06:00
William Vu 7c5229e2eb Use opts hash for glassfish_deployer
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:17:02 -06:00
sinn3r cdc425e4eb Update some checks 2014-01-24 12:08:23 -06:00
sinn3r 7f560a4b41 Oops, I broke this module 2014-01-22 11:23:18 -06:00
sinn3r 646f7835a3 Saving progress 2014-01-21 17:14:55 -06:00
sinn3r 85396b7af2 Saving progress
Progress group 4: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 14:10:35 -06:00
sinn3r 689999c8b8 Saving progress
Progress group 3: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 13:03:36 -06:00
jvazquez-r7 e2fa581b8c Delete empty line 2014-01-17 22:05:14 -06:00
sinn3r 57318ef009 Fix nil bug in jboss_invoke_deploy.rb
If there is a connection timeout, the module shouldn't access the
"code" method because that does not exist.
2014-01-17 11:47:18 -06:00
sinn3r bc9c865c25
Land #2865 - js payload to firefox_svg_plugin & add BA support for FF JS exploits 2014-01-13 11:17:36 -06:00
jvazquez-r7 95a5d12345 Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch 2014-01-13 10:57:09 -06:00
Joe Vennix b3b04c4159 Fix both firefox js exploits to use browser_autopwn. 2014-01-11 17:34:38 -06:00
sinn3r cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells 2014-01-10 14:29:32 -06:00
Niel Nielsen e79ccb08cb Update rails_secret_deserialization.rb
When using aws-sdk with Ruby 2.1.0-rc1, many "Digest::Digest is deprecated; use Digest" warnings are printed.
Even in Ruby 1.8.7-p374, OpenSSL::Digest::Digest is only provided for backward compatibility.
2014-01-07 21:41:15 +01:00
Joe Vennix 1057cbafee Remove deprecated linksys module. 2014-01-07 10:22:35 -06:00
Tod Beardsley c0a82ec091
Avoid specific versions in module names
They tend to be a lie and give people the idea that only that version is
vulnerable.
2014-01-06 13:47:24 -06:00
OJ 1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path 2014-01-03 08:14:02 +10:00
Joe Vennix 06fb2139b0 Digging around to get shell_command_token to work. 2014-01-02 14:05:06 -06:00
jvazquez-r7 1b893a5c26 Add module for CVE-2013-3214, CVE-2013-3215 2014-01-02 11:25:52 -06:00
Joe Vennix 1b0e99b448 Update proto_crmfrequest module. 2014-01-02 10:48:28 -06:00
Joe Vennix 694cb11025 Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
David Maloney c3fd657bde Missing config false flag
the sshexec exploit was missing the flag
that tells net:ssh to not use the user's
local config . This can cuase ugly problem

MSP-9262
2013-12-30 14:28:15 -06:00
sinn3r 9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution 2013-12-23 02:34:01 -06:00
sinn3r 5b647ba6f8 Change description
Pre-auth is implied.
2013-12-23 02:33:17 -06:00
jvazquez-r7 4816abe63b Add module for ZDI-13-263 2013-12-19 17:48:52 -06:00
Joe Vennix 8e27e87c81 Use the right disclosure date. 2013-12-19 12:58:52 -06:00
Joe Vennix 955dfe5d29 msftidy it up. 2013-12-19 12:53:58 -06:00
Joe Vennix b50bbc2f84 Update module to use sinn3r's beautiful browserexploitserver. 2013-12-19 12:49:24 -06:00
Joe Vennix eb08a30293 Update description with new version support. 2013-12-19 02:08:55 -06:00
Joe Vennix 5ee6c77901 Add a patch for 15.x support.
* Also add authors i forgot, oops
2013-12-19 02:05:45 -06:00
Joe Vennix 2add2acc8f Use a smaller key size, harder to spot. 2013-12-18 21:02:23 -06:00
Joe Vennix 8d183d8afc Update versions, 4.0.1 does not work on windows. 2013-12-18 20:57:47 -06:00
Joe Vennix cb390bee7d Move comment. 2013-12-18 20:37:33 -06:00
Joe Vennix 23b5254ea1 Fix include reference. 2013-12-18 20:35:43 -06:00
Joe Vennix 5255f8da12 Clean up code. Test version support.
* Using #get in Object#defineProperty call makes the payload execute immediately
on all supported browsers I tested.
* Moved Ranking to Excellent since it is now 100% reliable.
2013-12-18 20:30:08 -06:00
OJ 9fb081cb2d Add getenvs, update getenv, change extract_path use
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix ca2de73879 It helps to actually commit the exploit. 2013-12-18 14:31:42 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Tod Beardsley 040619c373
Minor description changes
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
William Vu ff9cb481fb Land #2464, fixes for llmnr_response and friends
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
jvazquez-r7 3d5501326b
Land #2743, @Mekanismen's exploit for CVE-2013-0632 2013-12-10 10:00:30 -06:00
jvazquez-r7 30960e973f Do minor cleanup on coldfusion_rds 2013-12-10 09:59:36 -06:00
Mekanismen 9a6e504bfe fixed path error and description 2013-12-10 09:05:34 +01:00
Mekanismen 313a98b084 moved coldfusion_rds to multi directory and fixed a bug 2013-12-10 08:45:27 +01:00
jvazquez-r7 f77784cd0d
Land #2723, @denandz's module for OSVDB-100423 2013-12-06 17:32:07 -06:00
jvazquez-r7 3729c53690 Move uptime_file_upload to the correct location 2013-12-06 15:57:52 -06:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
Tod Beardsley 55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
jvazquez-r7 41f8a34683 Use attempts 2013-12-02 08:43:22 -06:00
jvazquez-r7 433d21730e Add ATTEMPTS option 2013-12-02 08:42:25 -06:00
jvazquez-r7 b9192c64aa Fix @wchen-r7's feedback 2013-12-01 19:55:53 -06:00
jvazquez-r7 3417c4442a Make check really better 2013-11-30 09:47:34 -06:00
jvazquez-r7 749e6bd65b Do better check method 2013-11-30 09:46:22 -06:00
jvazquez-r7 0a7c0eea78 Fix references 2013-11-29 23:13:07 -06:00
jvazquez-r7 691d47f3a3 Add module for ZDI-13-255 2013-11-29 23:11:44 -06:00
sinn3r 57f4f68559
Land #2652 - Apache Roller OGNL Injection 2013-11-25 15:14:35 -06:00
sinn3r 22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2 2013-11-21 15:30:42 -06:00
William Vu 9f45121b23 Remove EOL spaces 2013-11-20 15:08:13 -06:00
jvazquez-r7 cec4166766 Fix description 2013-11-20 12:49:22 -06:00
jvazquez-r7 18e69bee8c Make OGNL expressions compatible with struts 2.0.11.2 2013-11-20 12:42:10 -06:00
sinn3r a9de5e2846
Land #2634 - Opt browser autopwn load list 2013-11-19 15:10:29 -06:00
jvazquez-r7 14c6ab4ca5 Add module for CVE-2013-4212 2013-11-19 10:25:52 -06:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
jvazquez-r7 8771b163f0 Solve conflicts with aladdin_choosefilepath_bof 2013-11-12 23:11:42 -06:00
jvazquez-r7 004c1bac78 Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
Tod Beardsley 84572c58a8
Minor fixup for release
* Adds some new refs.
  * Fixes a typo in a module desc.
  * Fixes a weird slash continuation for string building (See #2589)
2013-11-04 12:10:38 -06:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
Tod Beardsley 98224ee89f
CVE update for vtiger issue 2013-10-30 13:48:35 -05:00
Tod Beardsley 344413b74d
Reorder refs for some reason. 2013-10-30 12:25:55 -05:00
Tod Beardsley 32794f9d37
Move OpenBravo to aux module land 2013-10-30 12:20:04 -05:00
Tod Beardsley 17d796296c
Un-dupe References for ispconfig 2013-10-30 12:03:35 -05:00
Tod Beardsley 0d480f3a7d
Typo fix 2013-10-30 11:38:04 -05:00
Tod Beardsley 97a4ca0752
Update references for FOSS modules 2013-10-30 11:36:16 -05:00
Tod Beardsley 78381316a2
Add @brandonprry's seven new modules
Already reviewed privately, no associated PR.
2013-10-30 11:04:21 -05:00
Tod Beardsley 5b76947767
Add a few more modules. 2013-10-30 10:25:48 -05:00
jvazquez-r7 c4c171d63f Clean processmaker_exec 2013-10-29 09:53:39 -05:00
bcoles 3eed800b85 Add ProcessMaker Open Source Authenticated PHP Code Execution 2013-10-29 23:27:29 +10:30
sinn3r 2e8c369c69
Land #2559 - remove content-length 2013-10-22 16:03:42 -05:00
jvazquez-r7 71fab72e06 Delete duplicate content-length from axis2_deployer 2013-10-21 15:35:51 -05:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
jvazquez-r7 10a4ff41de Delete Content-Length duplicate header 2013-10-21 15:11:37 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
William Vu eab90e1a2e Land #2491, missing platform info update 2013-10-14 10:38:25 -05:00
jvazquez-r7 0b93996b05 Clean and add Automatic target 2013-10-11 13:19:10 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
bcoles 276ea22db3 Add VMware Hyperic HQ Groovy Script-Console Java Execution 2013-10-11 05:07:23 +10:30
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
Tod Beardsley 8b9ac746db
Land #2481, deprecate linksys cmd exec module 2013-10-07 20:44:04 -05:00