infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
51,347 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

26088 Commits (0308f80c0e19f28a7fef13c9618e3238cdd67f75)

Author SHA1 Message Date
h00die 748e1468b3 creds upgrade and apply_pot 2019-02-03 10:17:25 -05:00
Brendan Coles 6f31b1a110 Change default payload to reverse_bash 2019-02-03 06:18:31 +00:00
Brendan Coles 9c3368f325 Add Evince CBT File Command Injection module 2019-02-03 05:38:56 +00:00
Brendan Coles 28283809f9 Add nil check to enum_patches 2019-02-02 15:33:48 +00:00
Brendan Coles 787c4400e4 Add Solaris pfexec Upgrade Shell module 2019-02-01 22:58:21 +00:00
bwatters 239cce53ea
Land #11039, Add linux x64 ipv6 reverse shell 
Merge branch 'land-11039' into upstream-master
 2019-02-01 16:21:24 -06:00
William Vu 61b468ac7d Add URL reference to blog post 2019-02-01 14:49:33 -06:00
William Vu 7b88277c6f Prefer case statement over long if block 2019-02-01 14:40:09 -06:00
bwatters 2640ecb4c4
Land #11338, Add module to discover Ubiquiti devices 
Merge branch 'land-11338' into upstream-master
 2019-02-01 11:40:52 -06:00
Wei Chen ba69a0b26a
Land #11310, MSF API to zip instead of relying on system() 2019-02-01 11:32:20 -06:00
Jon Hart f0519a5af5
Minor syntax; add logging for unhandled fields 2019-01-31 18:41:27 -08:00
Jeffrey Martin 5a63e629e4
update payload sizes for mettle 0.5.4 2019-01-31 00:12:45 -06:00
h00die 0ac3004fe1 fix review comments 2019-01-30 20:27:19 -05:00
h00die 9f6b9d586b updating jtr formats in hashdumpers 2019-01-30 20:16:08 -05:00
Jon Hart 4681ed9669
Update docs, strip empty essid 2019-01-30 14:31:20 -08:00
Jon Hart 603d2a0c04
Add docs 2019-01-30 14:26:15 -08:00
Jon Hart 96d612fb40
WIP commit on module to disover Ubiquiti devices on 10001/UDP 2019-01-30 14:19:02 -08:00
h00die da27c3eeae centralize hash to jtr formatting 2019-01-30 16:24:05 -05:00
Pedro Ribeiro a0f63629b8
Check if we actually downloaded a file 2019-01-30 21:56:11 +07:00
Pedro Ribeiro 9070435603
Change to support the new nuuo lib 2019-01-30 21:32:33 +07:00
h00die e2c1d0d7fa Merge branch 'master' of https://github.com/rapid7/metasploit-framework into c2password 2019-01-29 16:37:39 -05:00
h00die febb049668 more info for c2s 2019-01-29 16:36:06 -05:00
h00die 95ae4996eb spelling and spacing 2019-01-29 16:24:35 -05:00
h00die 4c14815343 c2s dvr password disclosure 2019-01-29 16:18:30 -05:00
William Vu b7bc52d20b Fix HTTP/SMB mixin order to restore SSL option 
Mixin order matters. Mixins kinda suck.
 2019-01-29 11:09:34 -06:00
bwatters 6c9a5b3fea
Update Cache Sizes 2019-01-28 15:53:19 -06:00
h00die 9930edf704 jtr modernizations 2019-01-25 14:07:24 -05:00
William Vu c8bf8781f5 Strip e-mail 2019-01-24 13:49:22 -06:00
William Vu 156851009b Remove incorrect documentation 
The comment is a lie.
 2019-01-24 13:48:45 -06:00
William Vu 0e6fbb439f Prefer Msf::Util::EXE.to_zip over system() 2019-01-24 13:47:47 -06:00
William Vu f0aa002009
Land #10119, Linux post-exploitation metashell 2019-01-24 11:24:12 -06:00
William Vu 8cdcba81fe Fix SessionTypes 2019-01-24 11:22:19 -06:00
William Vu 006faa3d17 Fix prompt 2019-01-24 11:21:45 -06:00
Pedro Ribeiro bb9f50c771
Reverted FILE changes 2019-01-24 22:04:01 +07:00
Pedro Ribeiro f5afe98111
Add github and full disc URL 2019-01-24 22:01:02 +07:00
Pedro Ribeiro 7e592bb8a9
Add github and full disc URL 2019-01-24 22:00:41 +07:00
Pedro Ribeiro e0eb802c16
Add github and full disc urls 2019-01-24 22:00:12 +07:00
Pedro Ribeiro 2bf663cf7d
Add full disclosure URL 2019-01-24 21:59:45 +07:00
Carter Brainerd 2d1cecd4d5
Fix request pattern matching 2019-01-23 13:39:52 -05:00
Tod Beardsley daa3076d42
Add CVE-2018-1000999 to MailCleaner module 
See PR #11148

This adds the new CVE assigned by DWF for this vulnerability.

Note that [CVE-2018-10933](https://www.cvedetails.com/cve/CVE-2018-10933/)
describes a vulnerability in libssh, but this one describes the issue as
it pertains to MailCleaner specifically.
 2019-01-23 09:27:12 -06:00
Carter Brainerd 47fd066a29
Msftidy 2019-01-22 21:06:11 -05:00
Carter Brainerd 1f56bccf31
Small improvements from review 2019-01-22 20:46:28 -05:00
Shelby Pace 2ae6142de7
Land #11243, Add ASan SUID Privesc 2019-01-22 15:50:53 -06:00
sinn3r fae1b52115
Land #11297, Fix a typo in auxiliary/dos/scada/allen_bradley_pccc 
typo fixed
 2019-01-22 11:41:29 -06:00
jdiog0 23e0389bf0 typo fixed 2019-01-22 13:33:24 +00:00
Pedro Ribeiro f4aaf6c816
Add https to msf link 2019-01-22 19:14:52 +07:00
Pedro Ribeiro e767af4533
add https to msf link 2019-01-22 19:14:24 +07:00
Pedro Ribeiro a099418bb8
Update nuuo_cms_file_download.rb 2019-01-22 19:00:26 +07:00
Pedro Ribeiro fbde697e3f
Update nuuo_cms_fu.rb 2019-01-22 18:57:02 +07:00
bcoles f6fc8a750d
Update modules/auxiliary/gather/nuuo_cms_file_download.rb 
Co-Authored-By: pedrib <pedrib@gmail.com>
 2019-01-22 18:55:09 +07:00
bcoles d45f38c88f
Update modules/auxiliary/gather/nuuo_cms_file_download.rb 
Co-Authored-By: pedrib <pedrib@gmail.com>
 2019-01-22 18:55:02 +07:00
Tim W 5fc0c66109 add version to check to safari exploit 2019-01-22 16:10:51 +08:00
Pedro Ribeiro f336f41182
Update nuuo_cms_sqli.rb 2019-01-22 12:50:02 +07:00
Pedro Ribeiro fa4c6896d2
Update nuuo_cms_file_download.rb 2019-01-22 12:49:20 +07:00
Pedro Ribeiro 49beac7010
Update nuuo_cms_bruteforce.rb 2019-01-22 12:47:09 +07:00
Pedro Ribeiro 4e1d79ac4b
Update nuuo_cms_fu.rb 2019-01-22 12:45:47 +07:00
Pedro Ribeiro da4bd2e9b8
Remove peer 2019-01-22 12:10:45 +07:00
Pedro Ribeiro 636461c363
remove peer 2019-01-22 12:10:08 +07:00
Pedro Ribeiro 4c9d5ad9a7
Remove peer 2019-01-22 12:09:39 +07:00
Pedro Ribeiro 0685ebed76
Remove peer as that is not needed 2019-01-22 12:08:41 +07:00
Pedro Ribeiro 9a068e9221
Repair CMS installation and use getsystem 2019-01-22 11:57:54 +07:00
Pedro Ribeiro 688ee3d579
Remove tested versions since that is already on the docs 2019-01-22 11:43:33 +07:00
Pedro Ribeiro 27cac0a9fe
Update nuuo_cms_file_download.rb 2019-01-21 18:10:19 +07:00
Pedro Ribeiro dc0f388b26
Update nuuo_cms_bruteforce.rb 2019-01-21 18:01:25 +07:00
Pedro Ribeiro 100fd7b80a
Make description shorter 2019-01-21 17:40:50 +07:00
Pedro Ribeiro 15d4ca9070
Add CMS link and manual ranking 2019-01-21 17:33:58 +07:00
bcoles f8de99422d
Add correct rand call 
Co-Authored-By: pedrib <pedrib@gmail.com>
 2019-01-21 17:31:23 +07:00
bcoles 5b699768fb
Add correct rand call 
Co-Authored-By: pedrib <pedrib@gmail.com>
 2019-01-21 17:31:08 +07:00
bcoles 88c74fcd40
add https for link 
Co-Authored-By: pedrib <pedrib@gmail.com>
 2019-01-21 17:30:54 +07:00
bcoles 01e510b48f
add failure tag 
Co-Authored-By: pedrib <pedrib@gmail.com>
 2019-01-21 17:30:35 +07:00
Pedro Ribeiro d0861811c2
Add files via upload 2019-01-21 17:17:36 +07:00
Pedro Ribeiro bd3d6ee6bf
Create nuuo_cms_sqli.rb 2019-01-21 17:14:41 +07:00
Pedro Ribeiro 3a3d163474
Add nuuo CMS bruteforce module 2019-01-21 17:11:27 +07:00
Pedro Ribeiro 9ffff16e95
Add Nuuo CMS file upload exploit 2019-01-21 17:06:10 +07:00
Brendan Coles 060d20694d Attribution 2019-01-20 09:18:43 +00:00
spinfoo 4ec5e7d23a msftidy cleanup 2019-01-19 18:16:26 +01:00
spinfoo 2bcdc550c6 Support to retrieve data from ListConfigFiles SAP webmethod 2019-01-19 17:36:47 +01:00
spinfoo 8dffa35f04 Support to retrieve data from ListConfigFiles webmethod 2019-01-19 14:45:34 +01:00
h00die f47060870a horde imp h3 imap_open 2019-01-18 19:43:45 -05:00
h00die 2585e4b708 horde imp h3 imap_open 2019-01-18 19:38:30 -05:00
William Vu f8af9a9e4d Merge remote-tracking branch 'upstream/master' into pr/10119 2019-01-18 10:43:34 -06:00
Carter Brainerd 1121ce1127
Change default filename to random 2019-01-17 20:12:53 -05:00
h00die 5d49f04948 not working horde imp imap_open 2019-01-17 19:55:42 -05:00
rsp3ar 2577160449 update print_error, add PrependFork and adjust timeout 2019-01-16 23:20:06 -08:00
Clément Notin 31a7b13c19
ms17_010_psexec: fix RHOST in "authenticating..." message 2019-01-16 11:23:21 +01:00
Brent Cook 1947bae45b
Land #11230, add JuicyPotato local privilege escalation 2019-01-15 21:20:25 -06:00
William Vu 06de16a36f Merge remote-tracking branch 'upstream/master' into pr/10119 2019-01-15 18:33:48 -06:00
Luis Rosa ffe5db4010 new pcom client mode that allows to read and write 
several types of operands
 2019-01-16 00:16:38 +00:00
Wei Chen 27d6fffdad
Land #11125, Import/generate `ysoserial` Java serialization objects 2019-01-15 17:09:56 -06:00
h00die a73fe9433b
land #11169 blueman priv esc on linux 2019-01-15 10:32:46 -05:00
Jacob Robles 923a4ba098
Land #11263, uppercase KoreLogic in JTR modules 2019-01-15 08:50:11 -06:00
Jacob Robles 9616a9f79d
Land #11245, doc update for chrome_cookies 2019-01-15 07:27:35 -06:00
Jacob Robles 04363b7b7e
Doc update 
post:chrome_cookies
 2019-01-15 07:19:46 -06:00
h00die 93f66a1f22 uppercase 2019-01-15 08:04:11 -05:00
bcoles 8c636f27d5
Update check method to confirm vulnerability 2019-01-15 11:31:31 +11:00
Wei Chen 47f8738f74 Add Imran Rashid to CVE-2018-11770 credit 2019-01-14 15:28:08 -06:00
Wei Chen 52ff0a8b75 Update exploits/linux/http/spark_unauth_rce as CVE-2018-11770 2019-01-14 15:10:29 -06:00
Carter Brainerd 8cd26b74d7
Please msftidy gods 2019-01-13 19:22:51 -05:00
Carter Brainerd 171d46db9b
Add disclosure date, more references, and authors 2019-01-13 19:11:05 -05:00
Carter Brainerd 89e8ff9c80
Update office_excel_slk.rb 2019-01-13 18:08:51 -05:00
Carter Brainerd d88d1d0f1d
Create office_excel_slk.rb 2019-01-13 17:31:34 -05:00
Brendan Coles c6f4eda7f9 Add ASan SUID Executable Privilege Escalation module 2019-01-12 09:14:20 +00:00
phra e69d509bdf
chore: update description and ranking 2019-01-12 04:32:21 +01:00
phra 3a865a0c05
feat: spawn as NT AUTHORITY\SYSTEM 2019-01-12 04:03:26 +01:00
William Vu e9a8d5708a
Land #11234, @bcoles revisionism 2019-01-11 20:15:34 -06:00
Brendan Coles fe6956d7f7 Use mixins 2019-01-11 22:46:58 +00:00
Brendan Coles 20fd6b6134 Add check for writable and nosuid WritableDir 2019-01-11 22:41:14 +00:00
phra 149f895329
feat: add LOGFILE support for debug 2019-01-11 18:21:54 +01:00
phra dca99552e6
feat: pass payload length to the dll 2019-01-11 16:28:49 +01:00
phra 7653d64c4a
fix: improve exploit check 2019-01-11 15:38:57 +01:00
Brendan Coles 24f807490f revisionism 2019-01-10 19:19:14 +00:00
Brent Cook 9f8bac59f7
Land #11215, success 2019-01-10 12:57:46 -06:00
Brent Cook 86850e7062
Land #11217, fix syntax and logic errors in badpdf module 2019-01-10 12:52:08 -06:00
sinn3r 74330f87dc
Land #11223 - ueb priv esc suggestion 
ueb priv esc suggestion.
 2019-01-10 10:35:28 -06:00
phra dc2d3c5774
feat: add juicy potato post module, fixes #11229 2019-01-10 17:20:43 +01:00
Jacob Robles 2f939481e7
Land #11206, add coldfusion ckeditor file upload 2019-01-10 07:27:38 -06:00
Jacob Robles b81f59e7b1
Fix targets and syntax changes 2019-01-10 06:39:45 -06:00
rsp3ar 71aa4c8d9e Adding respond code/body check for successful command execution 2019-01-10 00:01:19 -08:00
rsp3ar 3aabeee959 Update SSL, timeout and uid regex 2019-01-09 23:20:37 -08:00
Brendan Coles 5a956bb27b
Apply suggestions from code review 
Co-Authored-By: rsp3ar <rsp3ar@users.noreply.github.com>
 2019-01-09 21:07:01 -08:00
h00die 799a79b715 ueb priv esc suggestion 2019-01-09 20:28:53 -05:00
Luis Rosa 4bfb90ce06 new PCOM module to send admin commands 2019-01-09 20:27:15 +00:00
William Vu 913c80c352
Land #11106, Allen-Bradley legacy protocol DoS 2019-01-09 12:12:02 -06:00
William Vu 0f156140fe Clean up module 2019-01-09 12:11:50 -06:00
Jacob Robles 307cc8c107
fix comment 2019-01-09 11:12:51 -06:00
Clément Notin cf1b4b43cb
auxiliary/fileformat/badpdf: fix syntax and logic error in options handling 2019-01-09 14:30:24 +01:00
Jacob Robles 0c984fa232
Fix messages /successfuly/successfully 2019-01-09 06:32:22 -06:00
rsp3ar 24de5d6ee3 Update to use CmdStager 2019-01-08 20:07:35 -08:00
Jacob Robles 16b8cf7059
Land #11148, Adding Module MailCleaner RCE 2019-01-08 14:10:31 -06:00
Jacob Robles a0acfa79d7
Target payloads 2019-01-08 13:27:26 -06:00
Jacob Robles c2da3dbbd3
Land #11052, Add gather chrome cookies post module 2019-01-08 07:32:16 -06:00
Jacob Robles a95384e288
Additional support and code cleanup 2019-01-08 06:57:56 -06:00
rsp3ar bab651e94d Add Imperva SecureSphere module 2019-01-07 22:18:04 -08:00
William Vu f96514528b
Land #10648, auth bypass for couchdb_enum 2019-01-07 12:53:11 -06:00
William Vu 3a726554e9 Fix review comments 2019-01-07 12:51:52 -06:00
Qazeer a63c057c3a Integrate bcoles' comments (filename generation, conditional block improvement, etc.) 2019-01-06 22:50:46 +01:00
Qazeer c03466d2f2 Fixed date format issue and added Bugtraq ID 2019-01-06 14:34:40 +01:00
Qazeer 4644ad8966 Add CVE-2018-15961 Adobe ColdFusion CKEditor unrestricted file upload 2019-01-06 04:55:20 +01:00
Brent Cook e990bb31df
Land #11182, bump mettle, change debug and background options 2019-01-03 02:57:19 -06:00
Alex 811605a9b8 Cleanup headless Chrome process for meterpreter sessions 2018-12-30 18:05:41 +11:00
Brendan Coles 5957315167
Land #11141, Ensure Byte XORi Encoder uses cacheflush() 2018-12-29 10:20:07 +00:00
Brendan Coles 005b2664b8
Land #11140, Ensure MIPS Long XOR Encoder uses cacheflush() 2018-12-29 10:14:47 +00:00
bwatters 9e109c7e7c
Update cache size 2018-12-28 16:08:15 -06:00
Shelby Pace 29e7c49332
Land #10444, add Consul rexec RCE module 2018-12-28 09:14:28 -06:00
Shelby Pace fb8f06b2f5
Land #10443, add Consul service RCE module 2018-12-28 08:33:56 -06:00
Mehmet İnce 4e8ad22a7a Adding CVE number 2018-12-26 13:15:36 +03:00
Green-m 69e7956adf
Land #11174, Fix platform bug when upgrade shell. 
The platform on windows powershell should be 'win', rather than
'windows', this bug leads to failure when upgrade powershell session
to meterpreter.
 2018-12-26 11:31:39 +08:00
Mehmet İnce fa542b9691 Adding platform and arch to top level 2018-12-25 15:56:25 +03:00
L ee7120d63a fixed post/multi/manage/shell_to_meterpreter 2018-12-25 15:00:39 +08:00
Quentin Kaiser 18c844623a Remove extra spaces. 2018-12-24 13:48:07 +01:00
Quentin Kaiser e10792f4e6 Remove extra space. 2018-12-24 13:30:03 +01:00
Tim W 58aebb6dec fix #11133, sleep to avoid the second stage being read too early 2018-12-24 19:26:10 +08:00
Brendan Coles 98dc59728e Add blueman set_dhcp_handler D-Bus Privilege Escalation 2018-12-24 08:03:55 +00:00
Brent Cook b9742802aa
Land #11137, Clean up linux/local/vmware_alsa_config exploit module 2018-12-21 17:04:11 -06:00
Garvit Dewan 81f4ed6db3
Add references and remove reserved function calls 2018-12-22 00:30:37 +05:30
Brendan Coles 983b39a5b3 Use @iZsh's exploit 2018-12-21 15:40:01 +00:00
Garvit Dewan 5838ad87fb
Check if directory and file exist and report accordingly 2018-12-21 19:36:01 +05:30
Jacob Robles 4bc871c499
Add CmdStager to erlang_cookie_rce 2018-12-21 07:33:37 -06:00
Garvit Dewan ba9c7039f7
Add psreadline_history module 2018-12-21 18:18:21 +05:30
Brent Cook c959c98161 add original public research author 2018-12-21 02:54:35 -06:00
Brent Cook a7e8afe760 update references, remove unused metadata, use more straightforward string operations 2018-12-21 02:54:35 -06:00
Brent Cook 0dab74a71f tweak description 2018-12-21 02:54:35 -06:00
Brent Cook 46acd7a206 simplify 2018-12-21 02:54:35 -06:00
Brent Cook 2f35695327 update web link 2018-12-21 02:54:35 -06:00
Brent Cook ac51fbd122 style fixes 2018-12-21 02:54:35 -06:00
Brent Cook dc6ae6f058 initial import, CVE-2016-4117 OSX exploit 2018-12-21 02:54:35 -06:00
Brent Cook b83c6ad496
Land #11149, fix a PTY leak in Python Meterpreter 2018-12-20 17:30:42 -06:00
Quentin Kaiser bf2de42077 Now supports all version of Consul. 2018-12-20 18:56:07 +01:00
Quentin Kaiser 2919b970cd Implement execution checks with a timeout limit so we don't leave zombie checks running in background. 2018-12-20 18:41:35 +01:00
Quentin Kaiser ba5c40db77 No need for CVE field. 2018-12-20 18:18:53 +01:00
Mehmet İnce 9481ad04f2 Adding support for ARCH_CMD and updating docs 2018-12-20 12:12:01 +03:00
William Vu 5af05ad976
Land #11143, nc -j fix for cups_root_file_read 2018-12-19 22:37:00 -06:00
Jeffrey Martin bf4bb0a5b9
bump metasploit-payloads gem 
Update metasploit-payloads gem to 1.3.57 to pick up
fix for Python Meterpreter PTY Leak from rapid7/metasploit-payloads#319
 2018-12-19 18:19:24 -06:00
Mehmet İnce 68ceb08957 Fixing minor issues such as err codes 2018-12-19 22:17:34 +03:00
asoto-r7 d601837e03
Land #10401, java_jmx_server scanner for Java JMX MBean servers 2018-12-19 13:12:03 -06:00
asoto-r7 50b7d93a18
java_jmx_scanner: Incorporate @bcoles suggestions 2018-12-19 12:56:53 -06:00
Wei Chen f7eb3452be
Land #11083, set user agent in Windows reverse_http(s) stagers 2018-12-19 11:38:12 -06:00
Mehmet İnce e5c8c18ded Adding Mailcleaner exec 2018-12-19 17:35:40 +03:00
Jacob Robles 6921b79890
Land #11089, Erlang cookie rce exploit module 2018-12-19 08:02:40 -06:00
Jacob Robles 3838be0a03
Windows Hide Chrome Window 2018-12-19 05:58:11 -06:00
William Vu 1b8b3bbb95 Update nc -j check in cups_root_file_read 2018-12-18 17:38:33 -06:00
asoto-r7 51ce96a2b4
Merge branch 'jmx_scanner' of https://github.com/sgorbaty/metasploit-framework into sgorbaty-jmx_scanner 2018-12-18 16:05:03 -06:00
asoto-r7 60f3cfbb79
ysoserial: Cleaned up ysoserial payload in `hp_imc_java_deserialize` 2018-12-18 15:17:51 -06:00
Milton-Valencia bb758f9a61 I didn't forget msftidy I swear 2018-12-18 14:55:12 -06:00
Milton-Valencia 8a2a605a99 added targets 2018-12-18 14:50:57 -06:00
Jacob Robles 0464f941a7
Add Windows Support 2018-12-18 14:17:10 -06:00
Quentin Kaiser ef8601aa71 Bail early if we receive an unexpected response. 2018-12-18 19:42:26 +01:00
Quentin Kaiser 4ee7bdee6c Merge branch 'consul_service_exec' of github.com:QKaiser/metasploit-framework into consul_service_exec 2018-12-18 19:33:51 +01:00
Quentin Kaiser b3563b1bc2 Cleaner version of check function thanks to @bcoles. 2018-12-18 19:33:30 +01:00
Brendan Coles 5e134d7d8d
Update modules/exploits/multi/misc/consul_service_exec.rb 
Co-Authored-By: QKaiser <QKaiser@users.noreply.github.com>
 2018-12-18 19:27:19 +01:00
Brendan Coles 5192c081ee
Update modules/exploits/multi/misc/consul_service_exec.rb 
Co-Authored-By: QKaiser <QKaiser@users.noreply.github.com>
 2018-12-18 19:27:08 +01:00
Quentin Kaiser 6ad40deac3 print_status will never throw a JSON::ParseError exception. 2018-12-18 19:15:13 +01:00
jdiog0 b2b410cbbe DoS Exploitation of Allen-Bradley legacy protocol (PCCC) 2018-12-18 16:49:53 +00:00
Pedro Ribeiro 1e88ce9a3d
Edit the comments to -84 2018-12-18 16:33:44 +00:00
Pedro Ribeiro 05218654f4
adjust the offset to -84 2018-12-18 16:30:47 +00:00
Pedro Ribeiro af418ec7f7
Fix mipsle byte_xori too 2018-12-18 16:05:23 +00:00
Quentin Kaiser a52ffbcead Missing disclosure date. 2018-12-18 17:03:09 +01:00
Quentin Kaiser a3d020a7e2 Add support for authorization with X-Consul-Token ACL header. 2018-12-18 16:56:03 +01:00
Quentin Kaiser 1839144978 Cleaner to define this as a Hash, then call .to_json on it. 2018-12-18 16:53:49 +01:00
Pedro Ribeiro d40d6c4e3d
Update longxor.rb 
Suffers from the same problem as the mipsbe version
 2018-12-18 15:48:29 +00:00
Pedro Ribeiro 34c9555717
Fix byte_xori encoder 
The byte_xori encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)

I think this is because the encoder is based of the longxori encoder, which itself is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
Linux kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive. Therefore, the whole cache is always flushed.

This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly.

Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.
 2018-12-18 15:37:47 +00:00
Quentin Kaiser 177ae2f927 fail_with is not allowed in check method. Use vprint_error and return a CheckCode instead. Cleaner response check in check function. Usage of CheckCode instead of Exploit::CheckCode. 2018-12-18 16:33:53 +01:00
Quentin Kaiser 0feadf636b Define in RPORT and SSL in register_options rather than DefaultOptions. Support for echo and printf command stager flavors + support for curl and wget command stager flavors (hence reactivation of SRVHOST, SRVPORT, URIPATH and SSLCert). 2018-12-18 16:29:36 +01:00
Quentin Kaiser 0acdcd98f2 Merge branch 'master' into consul_service_exec 2018-12-18 16:27:08 +01:00
Quentin Kaiser f487f978c2 Merge branch 'consul_exec' of github.com:QKaiser/metasploit-framework into consul_exec 2018-12-18 16:09:18 +01:00
Quentin Kaiser 08541cd7b9 Merge branch 'master' into consul_exec 2018-12-18 16:07:08 +01:00
Quentin Kaiser a1e1e4a4f4 Remove useless comment. 2018-12-18 16:05:50 +01:00
Quentin Kaiser b80e5715d4 Add support for authorization with X-Consul-Token ACL header. 2018-12-18 16:02:39 +01:00
Quentin Kaiser 551f8c5e92 Support for echo and printf command stager flavors + support for curl and wget command stager flavors (hence reactivation of SRVHOST, SRVPORT, URIPATH and SSLCert). 2018-12-18 15:48:58 +01:00
Quentin Kaiser f290221a66 Cleaner response check in check function. Usage of CheckCode instead of Exploit::CheckCode. 2018-12-18 15:36:52 +01:00
Quentin Kaiser aeec5cf23e Cleaner to define this as a Hash, then call .to_json on it. Better support of agent definition in check function. 2018-12-18 15:31:30 +01:00
Quentin Kaiser e51530688b fail_with is not allowed in check method. Use vprint_error and return a CheckCode instead. 2018-12-18 15:09:04 +01:00
Quentin Kaiser 4682cf5796 Define in register_options rather than DefaultOptions. 2018-12-18 15:04:28 +01:00
Pedro Ribeiro 86cbddf46d
fix spacing 2018-12-18 13:35:16 +00:00
Pedro Ribeiro fff850a07e
Make longxor encoder great again 
The longxor encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)

The encoder previously did not setup the arguments, as it even said so in the comments:
;       addiu   $4, $16, -4       ; not checked by Linux
;       li      $5,40                   ; not checked by Linux
;       li      $6,3                    ; $6 is set above

I think this is because the encoder is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
       Linux  kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive.  Therefore, the
       whole cache is always flushed.

This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly. 

Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.

As an added bonus I have also made it compatible with toupper() restrictions, which is common in web server exploits too. This did not add any extra bytes to the encoder.
 2018-12-18 12:30:55 +00:00
Brent Cook fc2d217c0a
Land #11135, strip comments from source code before uploading it to the target 2018-12-17 21:23:29 -06:00
Brent Cook 333d44186b
Land #11138, add reverse_tcp mixin for vax payload 2018-12-17 21:17:40 -06:00
Andres Rodriguez a10a5e74c4 Use of send_request_cgi instead of raw socket(incomplete responses) and other small fixes 2018-12-17 15:10:36 -08:00
Andres Rodriguez 8072b038ed Use of send_request_cgi instead of raw socket(incomplete responses) and other small fixes 2018-12-17 15:09:08 -08:00
Andres Rodriguez 3fb723cc1b Use of send_request_cgi instead of raw socket(incomplete requests) and other small fixes 2018-12-17 15:04:55 -08:00
bwatters bf13693d37
Land #11101, temp fix for x64/xor stage encoder 
Merge branch 'land-11101' into upstream-master
 2018-12-17 14:14:55 -06:00
LouDnl 2a69fffa6b
fix for ReverseTcp error 
Update vax shell_reverse_tcp.rb to fix ReverseTcp NameError
Error:
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb:24:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)

After adding this line the error dissapeared for me and I was able to run msfconsole again.
 2018-12-17 19:28:07 +01:00
Shelby Pace 2fc501d260
Land #11112, Fix bpf_priv_esc exploit module 2018-12-17 10:00:50 -06:00
Jacob Robles 7839add2fd
Land #11123, Add module windows persistent service 2018-12-17 09:07:21 -06:00
Jacob Robles 88b7b7df4a
Fix additional path space issues 2018-12-17 07:00:23 -06:00
Andres Rodriguez b9cccc2e8f Improvements on code quality and documentation 2018-12-17 00:15:48 -08:00
Brendan Coles d973a58052 Clean up linux/local/vmware_alsa_config 2018-12-17 08:01:34 +00:00
Andres Rodriguez f05ea634a3 Improvements on code quality and documentation 2018-12-16 23:42:59 -08:00
Green-m 0aa6e5a640
Handle path with spaces correctly. 2018-12-17 10:25:06 +08:00
Andres Rodriguez 48df4be54e Improvements on code quality and documentation 2018-12-16 12:47:52 -08:00
Andres Rodriguez 1ecc5461bf Metasploit module for CVE 2017-3248, Weblogic serialization RCE RMI UnicastRef 2018-12-16 06:21:09 -08:00
Brendan Coles fcb512878c Add strip_comments method to Linux local exploits 2018-12-16 14:11:54 +00:00
Andres Rodriguez 8ce7643e41 Some improvements in code and documentation. 2018-12-15 21:07:53 -08:00
Andres Rodriguez 873d048b89 Some improvements in code and documentation. 2018-12-15 20:42:17 -08:00
Brendan Coles 4c14642b99
Update modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb 
Co-Authored-By: acamro <acamro@users.noreply.github.com>
 2018-12-15 23:23:23 -05:00
Brendan Coles 8dfd8aa4cd
Update modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb 
Co-Authored-By: acamro <acamro@users.noreply.github.com>
 2018-12-15 23:23:14 -05:00
Andres Rodriguez 29c70b8585 Some fixes of sintax errors 2018-12-15 19:44:05 -08:00
Andres Rodriguez 826c93ff8a Sintax error in an elseif 2018-12-15 19:41:35 -08:00
Andres Rodriguez 25a447fa35 Removed line at the end of file (to pass all tests) 2018-12-15 19:21:37 -08:00
Andres Rodriguez d8f19ff6c8 Removed line at the end of file (to pass all tests) 2018-12-15 19:19:47 -08:00
Andres Rodriguez a936d3f78f Metasploit module for CVE 2016-3510, Weblogic serialization RCE Marshalled Object 2018-12-15 19:12:33 -08:00
Andres Rodriguez 82db6025c9 Some fixes to pass msftidy. 2018-12-15 18:32:17 -08:00
Andres Rodriguez 446144ba8e Metasploit module for CVE 2015-4852, Weblogic serialization RCE Raw Object 2018-12-15 18:26:34 -08:00
Wei Chen 5bf28887d2
Land #11127, Fix TARGETURI support in struts2_namespace_ognl 2018-12-15 09:33:48 -06:00
Brendan Coles b8e134b95d Update version check 2018-12-15 05:39:50 +00:00
Francesco Soncina 6237740116
lint: remove spaces 2018-12-15 01:02:13 +01:00
epi cb3ea8dfed Remove binding.pry from bind payload. 
In response to
https://github.com/rapid7/metasploit-framework/pull/11039#discussion_r241890477.
 2018-12-14 16:32:19 -06:00
asoto-r7 cd2dbf0edf
ysoserial: Modified `hp_imc_java_deserialize` to use the library 2018-12-14 16:13:17 -06:00
Jacob Robles 8adfef5730
Remove Version, Fix Whitespace 2018-12-14 13:19:49 -06:00
Jacob Robles e67eaa94c9
Move code to ERB template 2018-12-14 13:13:32 -06:00
William Vu 38bdee19e8 Fix TARGETURI support in struts2_namespace_ognl 2018-12-14 13:08:50 -06:00
Auxilus 6c9fafb9d5
Delete unused variable 
I suppose the variable 'f' was for Name in 06720ee18b/modules/exploits/linux/smtp/haraka.py (L70)

I'm not sure, should it be 'f' at 06720ee18b/modules/exploits/linux/smtp/haraka.py (L70) or just the way it is atm?
 2018-12-14 22:27:11 +05:30
Jacob Robles 556d182231
Remove code that was replaced 2018-12-14 09:15:01 -06:00
Jacob Robles a057b72bd9
Use argument 2018-12-14 09:14:27 -06:00
Jacob Robles dfa84aa1af
Use exploit default exception handling 2018-12-14 09:12:32 -06:00
Jacob Robles 5fd7b82f7a
Remove unused parameter 2018-12-14 09:10:29 -06:00
Brent Cook 673cfe6889
Land #11119, Add WEBUI_PORT to hp_van_sdn_cmd_inject exploit 2018-12-13 16:15:53 -06:00
Jacob Robles 58aa16d06b
Work around snprintf 2018-12-13 14:29:54 -06:00
bwatters-r7 f00118851a Revert "Land #10886, Bypassuac computerdefault" 
This reverts commit 14b2cdc120, reversing
changes made to a79b936e09.
 2018-12-13 13:56:16 -06:00
Wei Chen cc7cb7302e
Land #10944, Add macOS Safari exploit from pwn2own2018 2018-12-13 13:50:19 -06:00
Jacob Robles 92feeea0ca
Minor syntax change 2018-12-13 13:46:40 -06:00
William Vu cb5648a1c7 Add WEBUI_PORT to hp_van_sdn_cmd_inject exploit 2018-12-13 12:22:36 -06:00
Milton-Valencia 3f1aa425b4 msftidy....lol 2018-12-13 11:03:41 -06:00
Milton-Valencia 2e26ceac8f added comments 2018-12-13 10:55:09 -06:00
bwatters-r7 89e4e8bdea Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master 2018-12-13 09:30:10 -06:00
William Vu 8b79634338 Update a few stragglers 
And since eaton_xpert_backdoor was copied from my fortinet_backdoor
module, update the error handling there, too.
 2018-12-12 15:47:18 -06:00
William Vu e69f006992 Remove CommandShell mixin in exploits 
This was cargo culting. Exploits use handler instead of start_session.
 2018-12-12 15:43:13 -06:00
William Vu 6e77ae7e3e Update my SSH scanner modules 
Especially with proper error handling for Net::SSH::CommandStream.
 2018-12-12 15:36:54 -06:00
Stephen Haywood 7cffbac65b Update additional scanner modules. 2018-12-12 15:32:31 -06:00
Stephen Haywood fa2164ebb9 Update to match coding style. 2018-12-12 15:32:31 -06:00
Stephen Haywood eceb47a9da Move CREATE_SESSION option to advanced option CreateSession 2018-12-12 15:32:31 -06:00
Stephen Haywood 8a7187ad79 Add CREATE_SESSION option to CommanShell 
Register the CREATE_SESSION option in command_shell_options so it
can be used with all modules that use start_session.
Modify ssh_login.rb, ssh_login_pubkey.rb, and telnet_login.rb to
use the new CREATE_SESSION option.
When CREATE_SESSION is set to true (default) a new session is
created with each successful login. When set to false a new session
is not created but the successful login is still registered in the
credentials database.
 2018-12-12 15:32:31 -06:00
Stephen Haywood 904f342848 Option to not create shell on login. 2018-12-12 15:32:30 -06:00
Wei Chen 8ffd9e47b0 Up to date PR10429 2018-12-12 13:30:58 -06:00
Wei Chen 96c281daef Add send_not_found and module documentation for webdav_delivery 2018-12-12 13:26:46 -06:00
Brendan Coles 68d451711b Fix bpf_priv_esc module 2018-12-12 17:23:12 +00:00
Jacob Robles ea724dec46
Merge in upstream/master 2018-12-12 11:00:31 -06:00
William Vu aa0c206b4b
Land #11107, double negative logic cleanup 2018-12-11 20:29:53 -06:00
Shelby Pace ae089ce573
Land #10960, add wp duplicator code inject module 2018-12-11 12:02:07 -06:00
Shelby Pace b82e3469a2
renamed module and doc 2018-12-11 11:59:19 -06:00
Julien Legras 7e953e34b9 Added the clean_up function 2018-12-11 18:13:46 +01:00
bwatters b109321b44
Kill `unless not` 2018-12-11 10:16:16 -06:00
bwatters ac88c604fd Remove copy/pasta'd funtion that was never called 2018-12-11 10:02:36 -06:00
Jacob Robles 1ab69c221c
Land #11040, Add CyberLink LabelPrint Local BOF 2018-12-11 08:19:51 -06:00
Jacob Robles 165f082160
Fix syntax, minor edits 2018-12-11 07:55:20 -06:00
Francesco Soncina ff2d048530
fixes: update x86/xor_dynamic for #11100 2018-12-10 22:45:45 +01:00
Francesco Soncina a94e52ca31
fixes: updates x64/xor_dynamic for #11100 2018-12-10 22:42:31 +01:00
Imran E. Dawoodjee 9cc5569ca2
Cleaned up module per @bcoles's recommendations. 2018-12-11 02:56:56 +08:00
William Vu 3f18ffa224
Land #10318, Oracle function-based index privesc 2018-12-10 11:32:39 -06:00
William Vu d0f1f72426 Clean up module 2018-12-10 11:21:16 -06:00
Brent Cook bc6356a2cd
Land #11090, update code and style for exploit/linux/local/glibc_origin_expansion_priv_esc 2018-12-10 09:59:03 -06:00
Imran E. Dawoodjee bbd0c8be32
Greatly improved check and tidied up documentation. 2018-12-10 21:02:51 +08:00
Milton-Valencia 565f2e3e38 wait wrong 2018-12-09 19:23:54 -06:00
Milton-Valencia ee2ed46143 added date based on man page 2018-12-09 19:17:22 -06:00
Milton-Valencia f6bfbddb8d twks 2018-12-09 15:59:58 -06:00
Milton-Valencia 2beddf1012 req changes 2018-12-09 15:01:09 -06:00
Imran E. Dawoodjee 91d0c8f283
Removed offending code, added warning for users, 
and updated documentation.
 2018-12-10 01:57:44 +08:00
Brendan Coles b8dd147d49 Add FreeBSD 9 Intel SYSRET Privilege Escalation module 2018-12-09 16:04:38 +00:00
Brendan Coles 237d3c86c4 Code cleanup and update style 2018-12-09 07:26:51 +00:00
Milton-Valencia 39229125b7 tweak 2018-12-09 00:22:49 -06:00
Milton-Valencia 02f3d4688f changes 2018-12-09 00:10:54 -06:00
Milton-Valencia 69ed80f685 varys -> varies 2018-12-08 22:51:52 -06:00
Milton-Valencia fcad3f0c8f erlang cookie rce exploit module 2018-12-08 22:36:56 -06:00
Brendan Coles a9c0a5d53d Use ::File::binread for exploit_data file read 2018-12-09 04:09:56 +00:00
Alex c5015c62b8 Simplify Chrome Gather Cookies 
Module now uses Chrome itself as a websocket client, reading websockets
via js. It no longer downloads and executes `websocat`.
 2018-12-09 09:52:45 +11:00
Brent Cook d3fc707c98
Land #11080, update mettle payloads 2018-12-08 09:51:37 -06:00
Brent Cook 3768f79568
Land #11085, add lkrg_installed? checks to various modules 2018-12-08 09:19:33 -06:00
Brent Cook 733c2f637d
Land #11081, Add Msf::Post::Linux::Kernel.lkrg_installed? method 2018-12-08 09:14:57 -06:00
Brendan Coles d8ab6a552b Add lkrg_installed? checks 2018-12-08 13:37:12 +00:00
Brent Cook 2e5e392085
Land #11079, add kernel configuration checks to local exploits 2018-12-08 06:58:48 -06:00
Brent Cook 0ce05f0c07 update payload sizes 2018-12-08 06:24:02 -06:00
Imran E. Dawoodjee fdb0a80442
Improved version check, made requests more organic, 
and improved made PowerShell work on version 6.0.2.
 2018-12-08 19:48:26 +08:00
Brent Cook df76521100
Land #11066, add rpc output locking, fix logging 2018-12-07 13:49:10 -06:00
Brent Cook 7f4d97ef46 don't embed status characters in messages, use correct logging instead 2018-12-07 13:29:56 -06:00
Imran E. Dawoodjee 2918acc0d2
Added links to functionality and cleaned up `check` 
to make it much cleaner per @bcoles's recommendations.
 2018-12-08 03:17:52 +08:00
Brendan Coles 80d83720df Add Msf::Post::Linux::Kernel.lkrg_installed? method 2018-12-07 14:42:16 +00:00
Imran E. Dawoodjee 29627331cf
Implemented @bcole's recommendations. 2018-12-07 18:48:57 +08:00
Imran E. Dawoodjee 0573caafc3
Improved check method. 2018-12-07 17:21:38 +08:00
Brendan Coles 275c043cfd Add kernel_config checks 2018-12-07 03:28:17 +00:00
Brent Cook 0345c8f66c update mettle payloads 
This is a large update to mettle payloads including:

 * Adds globbing support to the `ls` command (https://github.com/rapid7/mettle/pull/139)
 * Fixes crashes on iOS platforms when cryptTLV is enabled (https://github.com/rapid7/mettle/pull/142)
 * Fixes display of the OS version on macOS and iOS (https://github.com/rapid7/mettle/pull/143)
 * Fixes the local port handling for pivoted client network connections (https://github.com/rapid7/mettle/pull/144)
 * Fixes an unaligned memory access in TLV packet handling, needed for some CPUs (https://github.com/rapid7/mettle/pull/145)
 * Fixes some compatibility issues building on Solaris (https://github.com/rapid7/mettle/pull/147)
 * Updated libpcap, mbedtls, and libcurl to the latest versions (https://github.com/rapid7/mettle/pull/146)
 2018-12-06 21:16:41 -06:00
Brent Cook 7d8458d8d4
Land #11076, Prevent storing empty config files as loot 2018-12-06 20:30:08 -06:00
epi c3a40d3752 Remove trailing whitespace at EOL. 2018-12-06 20:18:21 -06:00
Brent Cook 71f84fe6a7
Land #11060, Add checks to post/linux/gather/enum_protections 2018-12-06 20:17:50 -06:00
epi 392ad18dba Implement reverse_ipv6 shellcode via metasm in lib. 
Per the linked request
    https://github.com/rapid7/metasploit-framework/pull/11039#issuecomment-443915955
Rewrote previous version of payload module to make use of metasm for
more reusable shellcode.
 2018-12-06 20:10:07 -06:00
epi f728b46a80 WIP on add-linux-x64-ipv6-bind-shell: 87fa3af6b9 Implement shellcode via metasm in lib. 2018-12-06 16:23:20 -06:00
Tod Beardsley 140833215f
Add CVE as issued by DWF 
See discussion on #10987.

Now that I said that out loud, I realize that the original PR for this
module is a really funny PR number.
 2018-12-06 14:59:05 -06:00
Imran E. Dawoodjee 92c56472ba
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
Brendan Coles eecc5d60e0 Prevent storing empty config files as loot 2018-12-06 13:06:50 +00:00
Berk Dusunur f94559a36a
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 07:09:44 +03:00
Berk Dusunur 9d7389b448
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 07:04:24 +03:00
Berk Dusunur cbe3f0eec9
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:36:29 +03:00
Berk Dusunur 4880dcbda8
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:34:13 +03:00
Berk Dusunur ca558d4b14
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:26:34 +03:00
Berk Dusunur c72065987b
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:19:16 +03:00
Berk Dusunur 3ac5096e1a
Create nuuo_nvrmini_upgrade_rce.rb 2018-12-06 05:51:10 +03:00
Christopher Lee b0560c1ec8 Centralize logging sync, fix minor logging issues 2018-12-05 12:42:44 -06:00
epi 87fa3af6b9 Implement shellcode via metasm in lib. 
Per the linked request
    https://github.com/rapid7/metasploit-framework/pull/11039#issuecomment-443915955
Rewrote previous payload module to make use of metasm for more reusable
shellcode.
 2018-12-05 06:14:31 -06:00
Julien Legras 224e782772 Cleaned the create_wp_config_file function 2018-12-05 10:56:22 +01:00
Julien Legras 2774c17ca1 Replaced print_error and return with a fail_with 2018-12-05 10:11:09 +01:00
Thomas Gregory 1bc024eaa7 Update cyberlink_lpp_bof.rb 
Update includes all suggestions and new targets (Win8.1 x64 and Win10 x64)
 2018-12-05 14:53:10 +07:00
Julien Legras 2735c71bda Fixed typos, removed not working cleaning 2018-12-04 18:42:54 +01:00
Brent Cook 55a9a12670
Land #10964, add initial golang modules for enumerating owa/o365 2018-12-04 10:33:37 -06:00
Brendan Coles 40906e0b36 Add checks to post/linux/gather/enum_protections 2018-12-04 11:57:24 +00:00
Julien Legras b58342843b Refactored check 2018-12-04 12:03:49 +01:00
asoto-r7 c27c149a4d
Land #10947, HPE Intelligent Management Center Java Deserialization RCE 2018-12-03 17:07:31 -06:00
asoto-r7 0f82b207c4
hp_imc_java_deserialize: Repro steps for JSONSS ysoserial payload sections 2018-12-03 17:03:04 -06:00
asoto-r7 3f930ff141
hp_imc_java_deserialize: Default WfsDelay to 10 seconds to increase reliability 2018-12-03 16:36:37 -06:00
Brent Cook ffb57387b4
Land #11049, Add Emacs movemail local exploit 2018-12-03 12:43:56 -06:00
William Vu 4242de3468 Refactor check method 2018-12-03 12:22:40 -06:00
bwatters-r7 df9c3da47e
Land #10842, Add Windows Post Module to roll back Windows Defender signatures 
Merge branch 'land-10842' into upstream-master
 2018-12-03 10:57:38 -06:00