jvazquez-r7
922f0eb900
Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer
2013-11-11 17:01:09 -06:00
sinn3r
b887ed68b5
Land #2608 - Allow guest login option for psexec.
2013-11-11 10:09:41 -06:00
OJ
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
OJ
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
jvazquez-r7
40f8e80775
Fix jlee-r7's feedback
2013-11-08 14:28:19 -06:00
jvazquez-r7
d419c73488
Land #2517 , @3v0lver's exploit for cve-2008-2286
2013-11-08 08:41:04 -06:00
jvazquez-r7
fddb69edb3
Use instance variables for 1-time injections
2013-11-08 08:30:35 -06:00
jvazquez-r7
69b261a9f2
Clean post exploitation code
2013-11-07 18:11:54 -06:00
jvazquez-r7
9f51268d21
Make xp_shell_enable instance variable
2013-11-07 17:53:28 -06:00
jvazquez-r7
aa1000df72
Clean check method
2013-11-07 17:44:22 -06:00
jvazquez-r7
c2662d28e0
Move module to the misc folder
2013-11-07 17:34:22 -06:00
jvazquez-r7
b068e4beb5
Fix indentation and refactor send_update_computer
2013-11-07 17:33:35 -06:00
jvazquez-r7
b7e360922d
Update ranking
2013-11-07 15:10:26 -06:00
jvazquez-r7
decf6ff6a0
Add module for CVE-2013-3623
2013-11-07 14:59:40 -06:00
jvazquez-r7
bdba80c05c
Land #2569 , @averagesecurityguy and others exploit for CVE-2013-4468, CVE-2013-4467
2013-11-07 12:20:42 -06:00
scriptjunkie
7615264b17
Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix
2013-11-07 10:35:00 -06:00
root
944528e633
Updated for temporal pathing with TEMP variable
2013-11-07 01:34:55 -05:00
jvazquez-r7
2d4090d9c3
Make option astGUIclient credentials
2013-11-06 20:33:47 -06:00
jvazquez-r7
24d22c96a5
Improve exploitation
2013-11-06 20:15:40 -06:00
jvazquez-r7
2b2ec1a576
Change module location
2013-11-06 15:53:45 -06:00
jvazquez-r7
b9cb8e7930
Add new options
2013-11-06 15:53:12 -06:00
scriptjunkie
61e4700832
Allow guest login option.
...
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
OJ
7dcb071f11
Remote shebang and fix pxexeploit
2013-11-06 07:10:25 +10:00
James Lee
9e30c58495
Blow away remnants of Local::Unix
2013-11-05 13:51:45 -06:00
James Lee
36f96d343e
Revert "Revert "Land #2505" to resolve new rspec fails"
...
This reverts commit e7d3206dc9
.
2013-11-05 13:45:00 -06:00
Tod Beardsley
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
root
5c923757e8
Removed generic command execution capability
2013-10-30 21:35:24 -04:00
William Vu
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
jvazquez-r7
c92e8ff98d
Delete extra space
2013-10-30 19:34:54 -05:00
Tod Beardsley
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
Tod Beardsley
98224ee89f
CVE update for vtiger issue
2013-10-30 13:48:35 -05:00
Tod Beardsley
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
Tod Beardsley
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
Tod Beardsley
17d796296c
Un-dupe References for ispconfig
2013-10-30 12:03:35 -05:00
Tod Beardsley
0d480f3a7d
Typo fix
2013-10-30 11:38:04 -05:00
Tod Beardsley
97a4ca0752
Update references for FOSS modules
2013-10-30 11:36:16 -05:00
Tod Beardsley
78381316a2
Add @brandonprry's seven new modules
...
Already reviewed privately, no associated PR.
2013-10-30 11:04:21 -05:00
Tod Beardsley
5b76947767
Add a few more modules.
2013-10-30 10:25:48 -05:00
jvazquez-r7
c8ceaa25c6
Land #2589 , @wvu-r7's exploit for OSVDB 98714
2013-10-29 14:56:30 -05:00
jvazquez-r7
9f81aeb4ad
Fix style
2013-10-29 14:55:16 -05:00
William Vu
5af42f2c28
Add short comment on why the padding is necessary
2013-10-29 11:46:10 -05:00
William Vu
e368cb0a5e
Add Win7 SP1 to WinXP SP3 target
2013-10-29 10:45:14 -05:00
jvazquez-r7
c4c171d63f
Clean processmaker_exec
2013-10-29 09:53:39 -05:00
bcoles
3eed800b85
Add ProcessMaker Open Source Authenticated PHP Code Execution
2013-10-29 23:27:29 +10:30
William Vu
ea7bba4035
Add Beetel Connection Manager NetConfig.ini BOF
2013-10-28 22:52:02 -05:00
Tod Beardsley
9045eb06b0
Various title and description updates
2013-10-28 14:00:19 -05:00
William Vu
278dff93e7
Add missing require for Msf::Exploit::Powershell
...
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
jvazquez-r7
b69ee1fc67
[FixRM #8419 ] Add module platform to ms04_011_pct
2013-10-25 09:29:19 -05:00
jvazquez-r7
dd094eee04
Use 443 by default with SSL
2013-10-24 16:30:26 -05:00
jvazquez-r7
72f686d99a
Add module for CVE-2013-2751
2013-10-24 16:10:32 -05:00
jvazquez-r7
2ef33aabe7
Clean open_flash_chart_upload_exec
2013-10-24 10:15:28 -05:00
AverageSecurityGuy
110daa6e96
Check for nil response from request in check method.
2013-10-24 09:12:37 -04:00
bcoles
8a5d4d45b4
Add Open Flash Chart v2 Arbitrary File Upload exploit
2013-10-24 22:46:41 +10:30
AverageSecurityGuy
ecbbd7bb4b
Ran resplat.rb and retab.rb. Fixed msftidy issues.
2013-10-23 20:59:27 -04:00
AverageSecurityGuy
655e09f007
Fixed description to look better in info output.
2013-10-23 16:36:39 -04:00
AverageSecurityGuy
9f84ced00e
Fixed boilerplate text.
2013-10-23 16:13:25 -04:00
AverageSecurityGuy
58a32ebb45
Initial commit.
2013-10-23 14:47:42 -04:00
William Vu
bea04cceeb
Remove the trailing slash from the ZDI ref
2013-10-23 11:05:33 -05:00
Booboule
7d84fa487e
Correct ZDI ref to match new scheme
2013-10-23 11:44:44 +02:00
sinn3r
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
sinn3r
af174639cd
Land #2468 - Hwnd Broadcast Performance
2013-10-22 17:03:02 -05:00
sinn3r
2e8c369c69
Land #2559 - remove content-length
2013-10-22 16:03:42 -05:00
Tod Beardsley
dc0d9ae21d
Land #2560 , ZDI references
...
[FixRM #8513 ]
2013-10-22 15:58:21 -05:00
Meatballs
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
sinn3r
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
root
85479f5994
removed PrependMigrate, introduced migrate -f
2013-10-22 16:11:19 -04:00
jvazquez-r7
11b2719ccc
Change module plate
2013-10-22 12:36:58 -05:00
jvazquez-r7
df42dfe863
Land #2536 , @ddouhine's exploit for ZDI-11-061
2013-10-22 12:35:40 -05:00
jvazquez-r7
c34155b8be
Clean replication_manager_exec
2013-10-22 12:34:35 -05:00
jvazquez-r7
71fab72e06
Delete duplicate content-length from axis2_deployer
2013-10-21 15:35:51 -05:00
William Vu
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
jvazquez-r7
10a4ff41de
Delete Content-Length duplicate header
2013-10-21 15:11:37 -05:00
sinn3r
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
Tod Beardsley
c1954c458c
Just warn, don't bail
...
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.
If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)
For details on this module, see #2503 . I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley
bce8d9a90f
Update license comments with resplat.
2013-10-21 13:36:15 -05:00
Tod Beardsley
c070108da6
Release-related updates
...
* Lua is not an acronym
* Adds an OSVDB ref
* credit @jvazquez-r7, not HD, for the Windows CMD thing
2013-10-21 13:33:00 -05:00
sinn3r
4c14595525
Land #2535 - Use %PATH% for notepad
2013-10-21 13:14:44 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
Tod Beardsley
e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
...
This reverts commit 717dfefead
, reversing
changes made to 6430fa3354
.
2013-10-21 12:47:57 -05:00
sinn3r
cacaf40276
Land #2542 - D-Link DIR-605L Captcha Handling Buffer Overflow
2013-10-21 12:03:07 -05:00
sinn3r
9bfd98b001
Change plate
2013-10-21 11:54:42 -05:00
William Vu
717dfefead
Land #2505 , missing source fix for sock_sendpage
2013-10-21 11:47:55 -05:00
sinn3r
6430fa3354
Land #2539 - Support Windows CMD generic payload
...
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
sinn3r
45d06dd28d
Change plate
2013-10-21 11:24:30 -05:00
sinn3r
8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal
2013-10-21 11:14:22 -05:00
sinn3r
d22e4ac2f1
Check timeout condition
2013-10-21 11:13:48 -05:00
sinn3r
36dace26fa
Land #2538 - Fix redirect URLs
2013-10-21 11:08:03 -05:00
jvazquez-r7
27078eb5a6
Add support for HP imc /BIMS 5.1
2013-10-20 18:18:34 -05:00
jvazquez-r7
b0d32a308a
Update version information
2013-10-19 00:52:22 -05:00
jvazquez-r7
7d8a0fc06c
Add BID reference
2013-10-19 00:29:43 -05:00
jvazquez-r7
cf239c2234
Add module for ZDI-13-238
2013-10-19 00:05:09 -05:00
jvazquez-r7
70fced1d74
Delete unnecessary requires and make msftidy compliant
2013-10-18 16:54:20 -05:00
jvazquez-r7
dbd74bceed
Add the ARCH_CMD target
2013-10-18 16:35:22 -05:00
jvazquez-r7
2339cdc713
Land #2513 , @joev-r7's osx persistence local exploit
2013-10-18 15:13:50 -05:00
joev
83f27296d3
Fix some bugs in osx persistence.
...
- the RUN_NOW datastore option did not work as expected
- Adds support for OSX < 10.4 KeepAlive option
- organizes private methods alphabetically.
2013-10-18 14:12:33 -05:00
Meatballs
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
joev
681db6cb41
Use fully qualified constant in include.
2013-10-18 11:31:02 -05:00
joev
05bea41458
mkdir -p the dirname, not the file.
2013-10-18 11:27:37 -05:00
root
2e0a14d719
Introduced PrependMigrate, PPID killing and general clean-up
2013-10-18 12:24:50 -04:00
Norbert Szetei
9d6031acdb
Reverting payload_inject because of x64 shellcode
...
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
joev
7a47059e1d
Fix a couple more shellescapes.
2013-10-18 00:47:22 -05:00
joev
a2e3c6244e
Remove unnecessary Exe::Custom logic.
...
- this is handled by the exe.rb mixin.
- adds support for a RUN_NOW datastore option.
- tested working on java meterpreter and x86 shell session.
2013-10-18 00:41:18 -05:00
jvazquez-r7
7dd39ae5e6
Update ranking
2013-10-17 22:43:47 -05:00
jvazquez-r7
a00a813649
Add real device libraries base addresses
2013-10-17 22:34:54 -05:00
Meatballs
55426882d4
Further bypassuac tidyup
2013-10-18 00:08:06 +01:00
Meatballs
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
James Lee
94db3f511a
Avoid extra slash in redirect URI
...
[SeeRM #8507 ]
2013-10-17 14:10:15 -05:00
jvazquez-r7
be1d6ee0d3
Support Windows CMD generic payload
2013-10-17 14:07:27 -05:00
Tod Beardsley
22b4bf2e94
Resplat webtester_exec.rb
2013-10-17 13:30:54 -05:00
Tod Beardsley
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
jvazquez-r7
7f6dadac16
Merge for sync
2013-10-17 10:40:01 -05:00
Davy Douhine
b03783baec
minors fixes and rand for endstring
2013-10-17 17:10:05 +02:00
Davy Douhine
22eb2ba163
randstring and fixes
2013-10-17 16:51:34 +02:00
jvazquez-r7
352eca1147
Fix check method and set a big space available for payload
2013-10-17 09:30:59 -05:00
Norbert Szetei
563bf4e639
Fix bug #8502 , used %PATH% for notepad invocation
...
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
bcoles
54cf7855a2
Add WebTester 5.x Command Execution exploit module
2013-10-17 16:57:57 +10:30
jvazquez-r7
3d3a7b3818
Add support for OSVDB 86824
2013-10-17 01:08:01 -05:00
sinn3r
7a0671eba9
Land #2531 - rm deprecated mods
2013-10-16 20:02:58 -05:00
James Lee
a54b4c7370
Land #2482 , use runas when UAC is DoNotPrompt
2013-10-16 17:51:11 -05:00
Tod Beardsley
f1a67ecafe
Remove overdue deprecated modules
...
[See PT #56795804 ]
[See PT #56796034 ]
2013-10-16 17:02:28 -05:00
sinn3r
0ce221274b
Change JS comments in Ruby.
2013-10-16 16:40:54 -05:00
Tod Beardsley
ba2c52c5de
Fixed up some more weird splat formatting.
2013-10-16 16:25:48 -05:00
James Lee
4fa3b8f820
Add support for IE7 on XP
2013-10-16 15:56:34 -05:00
sinn3r
06a212207e
Put PrependMigrate on hold because of #1674
...
But I will probably still want this.
2013-10-16 09:24:46 -05:00
sinn3r
ac78f1cc5b
Use Base64 encoding for OS parameter
...
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
Tod Beardsley
5d86ab4ab8
Catch mis-formatted bracket comments.
2013-10-15 14:52:12 -05:00
Tod Beardsley
ed0b84b7f7
Another round of re-splatting.
2013-10-15 14:14:15 -05:00
Tod Beardsley
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
Tod Beardsley
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
jvazquez-r7
c68319d098
Fix author
2013-10-15 12:59:19 -05:00
jvazquez-r7
f60b29c7a6
Land #2503 , @MrXors's local exploit using VSS
2013-10-15 12:35:26 -05:00
MrXors
f345414832
Added correct spelling in info
2013-10-15 10:13:18 -07:00
jvazquez-r7
0b9cf24103
Convert vss_persistence to Local Exploit
2013-10-15 11:11:04 -05:00
William Vu
31dc7c0c08
Land #2522 , @todb-r7's pre-release module fixes
2013-10-14 15:37:23 -05:00
Tod Beardsley
63e40f9fba
Release time fixes to modules
...
* Period at the end of a description.
* Methods shouldn't be meth_name! unless the method is destructive.
* "Setup" is a noun, "set up" is a verb.
* Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
sinn3r
15e8c3bcd6
[FixRM #8470 ] - can't convert nil into String
...
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.
[FixRM #8470 ]
2013-10-14 14:10:08 -05:00
jvazquez-r7
75aaded842
Land #2471 , @pyoor's exploit for CVE-2013-5743
2013-10-14 14:03:28 -05:00
jvazquez-r7
a6f17c3ba0
Clean zabbix_sqli
2013-10-14 14:01:58 -05:00
William Vu
eab90e1a2e
Land #2491 , missing platform info update
2013-10-14 10:38:25 -05:00
root
de156dc8da
new exploit module for CVE-2008-2286, Altiris DS
2013-10-13 22:39:49 -04:00
sinn3r
74f37c58b2
Land #2514 - Update CVE reference for Joomla
2013-10-13 12:58:23 -05:00
joev
e2a9339592
Add CVE to joomla media upload module.
2013-10-12 21:20:11 -05:00
joev
ea9235c506
Better whitespace.
2013-10-12 20:53:16 -05:00
joev
78b29b5f20
Bring osx persistence module to the finish line.
2013-10-12 20:50:53 -05:00
jvazquez-r7
3dbdc9f848
Land #2510 , @wchen-r7's exploit for cve-2013-3897
2013-10-12 20:06:41 -05:00
sinn3r
9725918be8
Remove junk variables/params
2013-10-12 18:51:57 -05:00
sinn3r
2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow
2013-10-12 16:55:48 -05:00
joev
5a1b099570
Make osx persistence a local exploit.
2013-10-12 16:47:35 -05:00
sinn3r
bc317760dc
Make the GET params a little bit harder to read.
2013-10-12 16:37:49 -05:00
jvazquez-r7
172c6b9b8f
Escape dots on regexs
2013-10-12 16:15:10 -05:00
joev
4fe407d7ee
Move osx persistence to a local exploit.
2013-10-12 16:08:22 -05:00
sinn3r
b139757021
Correct a typo in description
2013-10-12 13:24:36 -05:00
sinn3r
79c612cd67
Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
...
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.
This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange". During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Joe Barrett
d929bdfaab
Re-fixing 8419, consistency is important.
2013-10-12 08:09:19 -04:00
James Lee
dfe74ce36c
Factorize sock_sendpage
2013-10-11 13:40:01 -05:00
jvazquez-r7
0b93996b05
Clean and add Automatic target
2013-10-11 13:19:10 -05:00
pyoor
171b70fa7c
Zabbix v2.0.8 SQLi and RCE Module
...
Conflicts:
modules/exploits/linux/http/zabbix_sqli.rb
Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
James Lee
b9b2c82023
Add some entropy
...
* Random filename
* Stop shipping debug strings to the exploit executable
Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Meatballs
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
bcoles
276ea22db3
Add VMware Hyperic HQ Groovy Script-Console Java Execution
2013-10-11 05:07:23 +10:30
Meatballs
a843722ae3
Concurrent printing of the output no longer makes sense...
2013-10-10 19:01:19 +01:00
Meatballs
536c3c7b92
Use multi railgun call for a large performance increase.
2013-10-10 19:01:14 +01:00
William Vu
9b96351ba2
Land #2494 , OSVDB ref for flashchat_upload_exec
2013-10-10 12:58:55 -05:00
jvazquez-r7
f10078088c
Add module for ZDI-13-130
2013-10-10 10:06:17 -05:00
James Lee
947925e3a3
Use a proper main signature with arguments
...
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
James Lee
c251596f0b
Fix some bugs in preparation for factorizing
...
* Stop removing \x0a characters with String#scan, which of course breaks
the shellcode
* Fork so the original session continues to work
2013-10-09 16:03:40 -05:00
jvazquez-r7
e3014a1e91
Fix ZDI Reference
2013-10-09 14:56:42 -05:00
jvazquez-r7
4fd599b7e0
Land #2483 , @wchen-r7's patch for [SeeRM #8458 ]
2013-10-09 14:32:26 -05:00
jvazquez-r7
52574b09cb
Add OSVDB reference
2013-10-09 14:13:45 -05:00
sinn3r
1e3b84d39b
Update ie_cgenericelement_uaf
2013-10-09 13:40:48 -05:00
Winterspite
0acb170ee8
Bug #8419 - Added platform info missing on exploits
2013-10-08 22:41:50 -04:00
sinn3r
199bd20b95
Update CVE-2013-3893's Microsoft reference
...
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
Tod Beardsley
8b9ac746db
Land #2481 , deprecate linksys cmd exec module
2013-10-07 20:44:04 -05:00
sinn3r
f7f6abc1dd
Land #2479 - Add Joev to the wolfpack
2013-10-07 15:30:23 -05:00
sinn3r
f4000d35ba
Use RopDb for ms13_069
...
Target tested
2013-10-07 15:24:01 -05:00
sinn3r
7222e3ca49
Use RopDb for ms13_055_canchor.
...
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r
67228bace8
Use RopDb for ie_cgenericelement_uaf.
...
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
Rob Fuller
aed2490536
add some output and fixing
2013-10-07 15:42:41 -04:00
Rob Fuller
75d2abc8c2
integrate some ask functionality into bypassuac
2013-10-07 15:14:54 -04:00
joev
4ba001d6dd
Put my short name to prevent conflicts.
2013-10-07 14:10:47 -05:00
joev
ec6516d87c
Deprecate misnamed module.
...
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
sinn3r
aea63130a4
Use RopDb for ie_cbutton_uaf.
...
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley
219bef41a7
Decaps Siemens (consistent with other modules)
2013-10-07 13:12:32 -05:00
Tod Beardsley
4266b88a20
Move author name to just 'joev'
...
[See #2476 ]
2013-10-07 12:50:04 -05:00
sinn3r
e016c9a62f
Use RopDb msvcrt ROP chain. Tested all targets.
2013-10-07 12:27:43 -05:00
trustedsec
0799766faa
Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
...
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:
Here is prior to the change on a fully patched Windows 8 machine:
msf exploit(bypassuac) > exploit
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) >
Here's the module when running with the most recent changes that are being proposed:
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400
meterpreter >
With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7
24efb55ba9
Clean flashchat_upload_exec
2013-10-05 14:50:51 -05:00
bcoles
08243b277a
Add FlashChat Arbitrary File Upload exploit module
2013-10-05 22:30:38 +09:30
sinn3r
a8de9d5c8b
Land #2459 - Add HP LoadRunner magentproc.exe Overflow
2013-10-04 19:45:44 -05:00
jvazquez-r7
113f89e40f
First set of fixes for gestioip_exec
2013-10-04 13:29:27 -05:00
jvazquez-r7
299dfe73f1
Land #2460 , @xistence's exploit for clipbucket
2013-10-04 12:26:30 -05:00
jvazquez-r7
8e0a4e08a2
Fix author order
2013-10-04 12:25:38 -05:00
James Lee
68ee692c19
Standardize prints, clean up whitespace/warnings
2013-10-04 11:58:21 -05:00
Tod Beardsley
9b79bb99e0
Add references, correct disclosure date
2013-10-04 09:59:26 -05:00
Tod Beardsley
ab786d1466
Imply authentication when a password is set
2013-10-04 09:54:04 -05:00
Brandon Perry
0112d6253c
add gestio ip module
2013-10-04 06:39:30 -07:00
xistence
81d4a8b8c1
added clipbucket_upload_exec RCE
2013-10-04 11:43:38 +07:00
jvazquez-r7
646429b4dd
Put ready to pull request
2013-10-03 22:15:17 -05:00
jvazquez-r7
5971fe87f5
Improve reliability
2013-10-03 17:19:53 -05:00
jvazquez-r7
39eb20e33a
Add module for ZDI-13-169
2013-10-03 16:52:20 -05:00
sinn3r
c87e7b3cc1
Land #2451 - Don't overwrite default timeout on get_once
2013-10-03 15:44:40 -05:00
Tod Beardsley
539a22a49e
Typo on Microsoft
2013-10-03 12:20:47 -05:00
Tod Beardsley
fcba424308
Kill off EOL spaces on astium_sqli_upload.
2013-10-03 11:01:27 -05:00
jvazquez-r7
77d0236b4e
Don't overwrite defaul timeout
2013-10-02 16:15:14 -05:00
Meatballs
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r
23b0c3b723
Add Metasploit blog references
...
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r
932ed0a939
Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln
2013-10-01 20:35:17 -05:00
jvazquez-r7
ed82be6fd8
Use RopDB
2013-10-01 13:23:09 -05:00
jvazquez-r7
6483c5526a
Add module for OSVDB 93696
2013-10-01 11:42:36 -05:00
sinn3r
9abf727fa6
Land #2439 - Update description
2013-09-30 16:03:15 -05:00
sinn3r
7118f7dc4c
Land #2422 - rm methods peer & rport
...
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Brandon Turner
3cfee5a7c0
Land #2440 , remaining tabassassin changes
2013-09-30 14:30:50 -05:00
jvazquez-r7
6c8f86883d
Land #2437 , @wchen-r7's exploit for CVE-2013-3893
2013-09-30 14:02:29 -05:00
Tab Assassin
2e8d19edcf
Retab all the things (except external/)
2013-09-30 13:47:53 -05:00
Tod Beardsley
4dc88cf60f
Expand descriptions for ease of use.
2013-09-30 13:30:31 -05:00
sinn3r
c82ed33a95
Forgot Math.cos()
2013-09-30 13:29:16 -05:00
sinn3r
d6cd0e5c67
Tweak for office 2007 setup
2013-09-30 13:27:59 -05:00
sinn3r
ecf4e923e8
Change the target address for spray 1
2013-09-30 11:57:59 -05:00
sinn3r
b9aae1c93c
Higher address seems better
2013-09-29 18:45:30 -05:00
sinn3r
a5ade93ab2
Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
...
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.
The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).
To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs
b306415ecf
Tidy and updates to info
2013-09-29 17:32:39 +01:00
Meatballs
29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
...
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs
8b800cf5de
Merge and resolve conflicts
2013-09-27 18:19:23 +01:00
jvazquez-r7
58600b6475
Land #2423 , @TecR0c's exploit for OSVDB 96517
2013-09-27 09:48:52 -05:00
jvazquez-r7
6381bbfd39
Clean up freeftpd_pass
2013-09-27 09:47:39 -05:00
TecR0c
b02a2b9ce0
Added crash info and basic tidy up
2013-09-27 17:05:42 +10:00
TecR0c
7dbc3f4f87
changed seh address to work on freeFTPd 1.0.10 and below
2013-09-27 12:37:52 +10:00
TecR0c
5fc98481a7
changed seh address to work on freeFTPd 1.0.10 and below
2013-09-27 12:35:03 +10:00
TecR0c
a6e1bc61ec
updated version in exploit freeFTPd 1.0.10
2013-09-27 11:27:51 +10:00
TecR0c
3a3f1c0d05
updated requested comments for freeFTPd 1.0.10
2013-09-27 11:13:28 +10:00
Meatballs
3d812742f1
Merge upstream master
2013-09-26 21:27:44 +01:00
Meatballs
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
jvazquez-r7
813bd2c9a5
Land #2379 , @xistence's exploit for OSVDB 88860
2013-09-26 13:52:15 -05:00
Meatballs
a25833e4d7
Fix %TEMP% path
2013-09-26 19:22:36 +01:00
William Vu
acb2a3490c
Land #2419 , nodejs_js_yaml_load_code_exec info
2013-09-26 12:55:48 -05:00
jvazquez-r7
b618c40ceb
Fix English
2013-09-26 09:00:41 -05:00
TecR0c
0339c3ef48
added freeFTPd 1.0.10 (PASS Command)
2013-09-26 20:37:23 +10:00
xistence
c2ff5accee
stability fixes to astium_sqli_upload
2013-09-26 10:23:33 +07:00
FireFart
84ec2cbf11
remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient
2013-09-25 23:42:44 +02:00
jvazquez-r7
58d4096e0f
Resolv conflicts on #2267
2013-09-25 13:06:14 -05:00
jvazquez-r7
ff610dc752
Add vulnerability discoverer as author
2013-09-25 12:45:54 -05:00
jvazquez-r7
5c88ad41a8
Beautify nodejs_js_yaml_load_code_exec metadata
2013-09-25 12:44:34 -05:00
joev
99e46d2cdb
Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
...
Conflicts:
modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
Tod Beardsley
d91cb85a31
Not actually a typo
...
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley
ac1388368f
Typo in module name
2013-09-24 15:50:58 -05:00
jvazquez-r7
a50ab1ddd3
Land #2409 , @xistence exploit for ZeroShell
2013-09-24 15:32:55 -05:00
jvazquez-r7
6c2063c9c0
Do not get a session on every execute_command call
2013-09-24 15:31:40 -05:00
jvazquez-r7
79ca123051
Use snake_case
2013-09-24 15:16:51 -05:00
jvazquez-r7
34b84395c1
Fix References field
2013-09-24 15:16:02 -05:00
Tod Beardsley
93486a627d
Whoops on trailing commas
2013-09-24 15:14:11 -05:00
jvazquez-r7
adfacfbed1
Do not fail_with on method used from check
2013-09-24 15:08:48 -05:00
jvazquez-r7
4b6a646899
Fix typo
2013-09-24 15:06:35 -05:00
jvazquez-r7
f5cac304f4
Use default send_request_cgi timeout
2013-09-24 15:05:24 -05:00
William Vu
52a92a55ce
Land #2394 , ms13_005_hwnd_broadcast require fix
2013-09-24 13:43:21 -05:00
jvazquez-r7
ce4cf55d22
Land #2417 , @todb-r7's change to Platform field to make ruby style compliant
2013-09-24 13:30:48 -05:00
William Vu
89222f4b16
Land #2416 , OSVDB refs for arkeia_upload_exec
2013-09-24 13:22:24 -05:00
Tod Beardsley
3906d4a2ca
Fix caps that throw msftidy warnings
2013-09-24 13:03:16 -05:00
Tod Beardsley
c547e84fa7
Prefer Ruby style for single word collections
...
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley
081c279b61
Remove misleading comment
2013-09-24 11:42:31 -05:00
jvazquez-r7
d15f442e56
Add OSVDB references to arkeia_upload_exec
2013-09-24 08:48:28 -05:00
xistence
8b9adf6886
changes made to zeroshell_exec according to suggestions
2013-09-24 08:35:07 +07:00
Tod Beardsley
8db1a389eb
Land #2304 fix post module require order
...
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley
2656c63459
Knock out a Unicode character
2013-09-23 14:22:11 -05:00
Tod Beardsley
99f145cbff
Don't split the post requires
2013-09-23 14:02:43 -05:00
Tod Beardsley
4bff8f2cdc
Update descriptions for clarity.
2013-09-23 13:48:23 -05:00
William Vu
a46ac7533d
Land #2407 , require fix for current_user_psexec
2013-09-23 11:57:19 -05:00
jvazquez-r7
1fc849bdd5
Land #2188 , @m-1-k-3's module for OSVDB 90221
2013-09-23 11:44:43 -05:00
jvazquez-r7
71d74655f9
Modify description
2013-09-23 11:44:04 -05:00
xistence
6429219a1d
added ZeroShell RC2 RCE
2013-09-22 15:13:55 +07:00
jvazquez-r7
8417b916c7
Complete MS13-071 Information
2013-09-21 21:22:34 -05:00
darknight007
6b06ed0df1
Update current_user_psexec.rb
2013-09-22 03:07:17 +05:00
Joe Vennix
a08d195308
Add Node.js as a platform.
...
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
Joe Vennix
49f15fbea4
Removes PayloadType from exploit module.
2013-09-20 18:01:55 -05:00
sinn3r
8381bf8646
Land #2404 - Add powershell support for current_user_psexec
2013-09-20 17:14:55 -05:00
sinn3r
96364c78f8
Need to catch RequestError too
...
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
jvazquez-r7
59a201a8d3
Land #2334 , @tkrpata and @jvennix-r7's patch for sudo_password_bypass
2013-09-20 17:01:19 -05:00
jvazquez-r7
fb8d0dc887
Write the return
2013-09-20 17:00:07 -05:00
Meatballs
6e69fe48bf
Undo psexec changes
2013-09-20 22:30:00 +01:00
Meatballs
2591be503b
Psh support
2013-09-20 22:07:42 +01:00
Meatballs
15885e4ef6
Change static x value
2013-09-20 20:31:14 +01:00
Meatballs
ee365a6b64
Some liberal sleeping
2013-09-20 19:33:27 +01:00
jvazquez-r7
29649b9a04
Land #2388 , @dummys's exploit for CVE-2013-5696
2013-09-20 13:03:01 -05:00
jvazquez-r7
8922d0fc7f
Fix small bugs on glpi_install_rce
2013-09-20 13:01:41 -05:00
jvazquez-r7
b24ae6e80c
Clean glpi_install_rce
2013-09-20 12:58:23 -05:00
Meatballs
7d1c5c732a
Correct powershell
2013-09-20 18:36:24 +01:00
sinn3r
bb7b57cad9
Land #2370 - PCMAN FTP Server post-auth stack buffer overflow
2013-09-20 12:29:10 -05:00
sinn3r
feb76ea767
Modify check
...
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
sinn3r
2d6c76d0ad
Rename pcman module
...
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
sinn3r
6690e35761
Account for username length
...
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
sinn3r
9d67cbb4db
Retabbed
2013-09-20 11:58:53 -05:00
Meatballs
9819566d94
Nearly
2013-09-20 17:18:14 +01:00
sinn3r
85152c4281
Land #2400 - Add OSVDB reference for openemr_sqli_privesc_upload
2013-09-20 10:39:06 -05:00
jvazquez-r7
6f5e528699
Remove author, all the credits go to corelanc0der and sinn3r
2013-09-20 10:27:37 -05:00
sinn3r
83f54d71ea
Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
...
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.
The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure. The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one. Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
jvazquez-r7
bad6f2279d
Add OSVDB reference for openemr_sqli_privesc_upload
2013-09-20 09:41:23 -05:00
Meatballs
a00f3d8b8e
initial
2013-09-20 13:40:28 +01:00
dummys
032b9115a0
removed the old exploit
2013-09-20 10:53:52 +02:00
dummys
187ab16467
many change in the code and replace at the correct place the module
2013-09-20 10:45:10 +02:00
Rick Flores (nanotechz9l)
7d17eef7a7
Updated several msftidy [WARNING] Spaces at EOL issues.
2013-09-19 20:35:08 -07:00
sinn3r
955365d605
Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability
2013-09-19 22:21:09 -05:00
sinn3r
0eb838156b
Land #2390 - Use payload.encoded because BadChars are defined
2013-09-19 22:10:55 -05:00
sinn3r
9598853fee
Land #2389 - Fix use of Rex sockets from dlink modules
2013-09-19 22:09:53 -05:00
sinn3r
8d70a9d893
Add more refs
2013-09-19 22:05:23 -05:00
Joe Vennix
137b3bc6ea
Fix whitespace issues.
2013-09-19 17:29:11 -05:00
Joe Vennix
bd96c6c093
Adds module for CVE-2013-3568.
2013-09-19 17:26:30 -05:00
jvazquez-r7
46a241b168
Fix my own cleanup
2013-09-19 14:51:22 -05:00
dummys
08c7b49be0
corrected too much if
2013-09-19 21:47:01 +02:00
jvazquez-r7
31903be393
Land #2380 , @xistence exploit for EDB 28329
2013-09-19 14:42:27 -05:00
jvazquez-r7
cb737525b1
Final cleanup for openemr_sqli_privesc_upload
2013-09-19 14:40:57 -05:00
jvazquez-r7
76e170513d
Do first clean on openemr_sqli_privesc_upload
2013-09-19 14:36:25 -05:00
jvazquez-r7
cf0375f7e6
Fix check return value
2013-09-19 14:17:45 -05:00
dummys
862a8fb8aa
corrected indentation bug again
2013-09-19 20:27:23 +02:00
jvazquez-r7
9b486e1dbb
Add comment about the smb_* methods
2013-09-19 13:23:46 -05:00
dummys
ce8e94b5fe
corrected indentation bug
2013-09-19 20:14:07 +02:00
jvazquez-r7
bf0f4a523f
Land #2381 , @xistence exploit for EDB 28330
2013-09-19 13:06:41 -05:00
jvazquez-r7
c63423ad69
Update code comment
2013-09-19 13:03:55 -05:00
jvazquez-r7
6073e6f2dc
Fix use of normalize_uri
2013-09-19 12:59:37 -05:00
jvazquez-r7
b4fa535f2b
Fix usage of fail_with
2013-09-19 12:45:29 -05:00
jvazquez-r7
1aba7550f9
Fix check indentation
2013-09-19 12:44:11 -05:00
jvazquez-r7
1f7c3d82c1
Refactor easy methods
2013-09-19 12:42:38 -05:00
jvazquez-r7
891a54aad7
Fix metadata
2013-09-19 12:41:13 -05:00
jvazquez-r7
1a00cce8a9
Clean up
2013-09-19 11:51:07 -05:00
William Vu
628cfe8e67
Land #2393 , tape_engine_8A filename disambiguation
2013-09-19 10:31:40 -05:00
Tod Beardsley
ef72b30074
Include the post requires until #2354 lands
...
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
Tod Beardsley
fb72e7f02a
Disambiguate tape_engine_8A as tape_engine_0x8a
...
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
2013-09-19 09:35:31 -05:00
Rick Flores (nanotechz9l)
058e0fdd80
Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll
2013-09-19 07:21:51 -07:00
dummys
f9617e351d
corrected Integer()
2013-09-19 16:04:20 +02:00
jvazquez-r7
926ddf35bc
Fix possible collisions on binding port and handle rex socket
2013-09-19 08:23:25 -05:00
James Lee
8fe9132159
Land #2358 , deprecate funny names
2013-09-18 14:55:33 -05:00
Rick Flores (nanotechz9l)
766e96510d
Added minor indentation updates
2013-09-18 12:12:35 -07:00
jvazquez-r7
60d448f600
Add minor cleanup
2013-09-18 14:10:13 -05:00
Rick Flores (nanotechz9l)
db8881966e
Merge remote-tracking branch 'upstream/master'
2013-09-18 12:02:01 -07:00
jvazquez-r7
68647c7363
Add module for MS13-071
2013-09-18 13:40:35 -05:00
jvazquez-r7
accad24f31
Use payload.encoded because BadChars are defined
2013-09-18 13:03:35 -05:00
jvazquez-r7
61ab0e245c
Add Context to rex sockets plus track them with add_socket
2013-09-18 12:39:08 -05:00
jvazquez-r7
1988085a94
Fix possible port conflict
2013-09-18 12:24:36 -05:00
Tod Beardsley
8728a9a3b7
Bumping out deprecation date
...
Pray I don't alter the deprecation date further.
2013-09-18 11:00:35 -05:00
dummys
bc57c9c6ec
corrected some codes requested by Meatballs
2013-09-18 17:55:36 +02:00
dummys
3366c3aa77
CVE-2013-5696 RCE for GLPI
2013-09-18 16:11:32 +02:00
xistence
adc1bd9c65
changes made to astium_sqli_upload based on suggestions
2013-09-18 16:52:31 +07:00
xistence
65ee8c7d5c
changed openemr_sqli_privesc_upload according to suggestions
2013-09-18 12:38:20 +07:00
Rick Flores (nanotechz9l)
6cbe371381
minor change
2013-09-17 20:33:46 -07:00
xistence
d6a1182bd4
changes to arkeia_upload_exec to comply with r7 suggestions #2
2013-09-18 08:24:40 +07:00
xistence
24a671b530
changes to arkeia_upload_exec to comply with r7 suggestions
2013-09-18 08:10:58 +07:00
Rick Flores (nanotechz9l)
0052f9712b
Updated hard tabs per new requirement
2013-09-17 17:42:01 -07:00
James Lee
9a555d8701
Fix the modules added since the branch
2013-09-17 18:25:12 -05:00
James Lee
150f0f644e
Merge branch 'rapid7' into bug/osx-mods-load-order
...
Conflicts:
modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
xistence
82aa3f97b0
added Astium confweb 25399 RCE
2013-09-17 12:32:10 +07:00
Joe Vennix
5fc724bced
Kill explanatory comment.
2013-09-16 21:34:38 -05:00