37a844bef0
Land # 9247, Add ASUS infosvr Auth Bypass Command Execution exploit
...
Merge branch 'land-9247' into upstream-master
2018-04-20 11:24:47 -05:00
fcfe927b7a
Add PHP dropper functionality and targets
2018-04-19 05:11:21 -05:00
62aca93d8b
Cache version detection and print only once
...
Oops. This is the problem with overloading methods.
2018-04-19 04:59:07 -05:00
2670d06f99
Add in-memory PHP execution using assert()
2018-04-19 02:18:56 -05:00
7a2cc991ff
Refactor once more with feeling
...
Nested conditionals are the devil. Printing should be consistent now.
2018-04-18 23:59:14 -05:00
3d116d721d
Add version detection and automatic targeting
...
I also refactored error handling. Should be cleaner now.
2018-04-18 21:40:22 -05:00
86ffbc753e
Refactor clean URL handling and remove dead code
2018-04-18 19:56:42 -05:00
1547a47026
Land #9784 , add osx high sierra APFS password disclosure post module
2018-04-18 14:27:22 +08:00
72cd97d3e4
minor documentation and comment tweaks
2018-04-18 14:22:32 +08:00
1900aa2708
Refactor module and address review comments
2018-04-17 19:05:45 -05:00
f0b9ea635a
cleanup psexec code
2018-04-16 09:04:36 +05:30
143fdde1f8
Flipped Safe and Appears in check
2018-04-15 12:10:10 -04:00
60ac89c336
Restructure some logic to make the flow more intuitive
2018-04-14 15:03:12 -04:00
36c1bf5453
Remove a missed tab
2018-04-14 10:30:49 -04:00
083f6936fd
Update for @bcoles review
...
Refactor version checking to use Gem::Version
Change the title of the exploit to fit convention
Change print statements used in check to vprint
Change fail_with Failure for connection issues to be Unknown instead
of NoAccess
Add CVE reference
Refactor how some nil checking is done for response for
send_request_cgi
Text-wrap description to 80 chars
Remove unnecessary string interpolation for cookie in payload
delivery
Change how the payload cradle is escaped and encoded; switch to HTTP
POST for stealth
Remove nil check that is redundant and also typo'd to
2018-04-14 10:24:05 -04:00
486ab7c776
Update for msftidy and contribution guidelines
2018-04-14 09:20:13 -04:00
27ded57cda
Add MSF module for EDB 6768
2018-04-14 08:51:51 -04:00
d8508b8d7d
Add Drupal Drupalgeddon 2
2018-04-14 00:22:30 -05:00
b282db3c6a
Fixing broken imports for keylog_recorder.rb and improving control chars
2018-04-12 02:08:53 -07:00
2a6acfd1d0
Land #9823 , Private IP leak via WebRTC
2018-04-11 17:37:56 -05:00
2d33320921
Added a post-exploitation module to send wireless probe requests
2018-04-11 16:43:33 +02:00
154951cd37
minor update
2018-04-11 01:45:41 +10:00
8be159bdc7
Fixing space-tab mixed
2018-04-10 20:45:38 +05:30
7cbba34c83
Parsing IP address only
...
Changed title name and description, however few things still needs to fix.
2018-04-10 20:32:52 +05:30
fc7040099c
Update Linux sock_sendpage local exploit module
2018-04-10 11:15:42 +00:00
ee6f83c281
match newfs_apfs regex
2018-04-10 14:45:14 +08:00
be18930f12
Cleaned up output, only querying for %WINDIR% if necessary
2018-04-09 15:27:50 -05:00
c07f2f1a09
Update run_as.rb
2018-04-09 21:24:16 +05:30
c34b796f13
Remove temp file from dist after cmd execution
...
https://github.com/rapid7/metasploit-framework/issues/9830
2018-04-09 20:14:01 +05:30
a473dd04a8
Land #9813 , Add etcd library and version scanner
2018-04-08 07:05:31 -04:00
b55eb9b8f2
bump payloads, add Python UDP channel support
...
This pulls in Python UDP channel support from
https://github.com/rapid7/metasploit-payloads/pull/276
2018-04-07 14:21:30 -05:00
3f40f43609
Make final output more readable
2018-04-07 11:05:47 -04:00
201cdfb189
Handling execption by MSFTIDY
2018-04-06 22:54:21 +05:30
37c578e16d
Update oscommerce_installer_unauth_code_exec.rb
2018-04-06 17:10:53 +01:00
4e6afd49ed
Update browser_getprivateip.rb
2018-04-06 21:10:29 +05:30
dee01189ca
Update oscommerce_installer_unauth_code_exec.rb
2018-04-06 15:41:21 +01:00
50c3f53e03
Update oscommerce_installer_unauth_code_exec.rb
2018-04-06 14:39:45 +01:00
0c829a5c6b
Update oscommerce_installer_unauth_code_exec.rb
2018-04-06 14:35:33 +01:00
cbdb3a35b2
Update oscommerce_installer_unauth_code_exec.rb
2018-04-06 14:14:11 +01:00
f6cfcefbae
Some tweaks suggested by bcoles.
2018-04-06 17:44:43 +05:30
6698f1b64b
Update oscommerce_installer_unauth_code_exec.rb
2018-04-06 13:05:40 +01:00
806c72ebcb
Update and rename oscommerce.rb to oscommerce_installer_unauth_code_exec.rb
2018-04-06 11:29:29 +01:00
3efd17a801
Rename osCommerce.rb to oscommerce.rb
2018-04-06 10:46:00 +01:00
0d254b4e5c
Update osCommerce.rb
2018-04-06 10:40:28 +01:00
582eb2e61c
Create browser_getprivateip.rb
2018-04-06 14:42:57 +05:30
b5681cb954
osCommerce Module
2018-04-05 20:28:14 +01:00
81c78a51c2
Land #9794 , Added support for regional dialects
2018-04-05 12:56:07 -05:00
0a3bcf570c
Add the scanner/smb/impacket/dcomexec module
2018-04-04 17:34:41 -04:00
63aabc00f1
etcd rubocop style
2018-04-04 11:01:38 -07:00
a8c76638d3
Rename
2018-04-04 10:54:20 -07:00
518e17118a
Add DisclosureDate
2018-04-04 10:52:47 -07:00
a6c31aceb2
Refactor common etc capabilities; add separate version scanner
2018-04-04 10:48:27 -07:00
1fa40bfe3b
Land #8539 , ProcessMaker Plugin Upload exploit
2018-04-03 20:52:17 -05:00
0faf2f4e04
Land # 8007, Added NTDSgrab module to metasploit.
...
Merge branch 'land-8007' into upstream-master
2018-04-03 15:56:37 -05:00
d9039d43ef
Land #9734 , Remove unwanted 'pop RAX' from windows/x64/reverse_(win)http
2018-04-03 14:23:41 -05:00
e17be05e6a
Land #9595 , Add post module RID Hijacking on Windows
2018-04-03 14:12:34 -05:00
8f7d9f3ac8
rename module
2018-04-03 13:44:55 -05:00
19eef59f23
add disclosure date, fix target
2018-04-03 13:39:11 -05:00
cd7831a2a3
An unforgettable luncheon
2018-04-03 13:39:11 -05:00
0806c0725f
Fix some bugs with command exits
...
Also fix a bug in check()
2018-04-03 10:35:49 -04:00
dfb3a421fe
Remove require statement
2018-04-03 12:56:06 +00:00
8c2138f13b
Land #9742 , QNX exploit improvements
2018-04-03 07:50:29 -05:00
d860d7af5b
require 'rex/tar'
2018-04-03 06:34:30 +00:00
bd3c00dfd0
Land #9726 , add simple Rex::Tar wrapper for consistency with other archive types
2018-04-02 23:35:22 -05:00
226ef160ff
Land #9748 , Convert the smbloris DoS into an external module
...
Help reliability and performance. This some Ruby-specific external module
tooling as a result as well.
2018-04-02 23:25:10 -05:00
b445583a14
Land #9774 , use correct whitespace when patching python meterpreter
2018-04-02 23:07:36 -05:00
d6dc0a2d4f
Adjust rid_hijack.rb code style with rubocop recommendations.
2018-04-03 04:57:41 +02:00
fa34f3e0a4
Land #9718 , Add get_user_spns 'kerberoasting' module
2018-04-02 10:04:44 -05:00
c401872af6
Fix some logic flaws and other review things
...
Also make the output more reliable
2018-03-30 19:20:20 -07:00
76af9d5a15
Add apfs_encrypted_volume_passwd.rb
2018-03-29 23:47:45 -07:00
e3e12ad924
Land #9782 , CheckCode::Safe for ms_ndproxy
2018-03-29 17:07:33 -05:00
3a54f0d5f8
Land #9776 , if data is nil, stop reading the heartbleed socket
2018-03-29 11:23:08 -05:00
3aac041dcf
Return CheckCode::Safe for unsupported x64 systems
2018-03-29 12:03:33 +00:00
a1e83ce835
Land #9760 , @h00die's etcd scanner
2018-03-28 10:41:22 -07:00
5cdfadd0df
Fix more style issues
2018-03-28 09:43:30 -07:00
7767505678
Fix some style issues
2018-03-28 09:43:22 -07:00
a1fff486bc
Land #9666 , Add 2017-8917 RCE for Joomla 3.7.0
2018-03-28 11:08:38 -05:00
0fa63ae7b3
Update documentation and module
...
Included Super User in the documentation.
Implemented changes h00die suggested.
Modified sqli to generate strings used in regex.
2018-03-28 10:57:28 -05:00
c97743925f
jhart suggestions
2018-03-27 18:46:31 -04:00
288bd28d3a
if data is nil stop reading the heartbleed socket
2018-03-27 15:51:14 -05:00
94fd599756
Land #9684 , Adding ManageEngine Application Manager RCE
...
Land #9684
2018-03-27 15:17:20 -05:00
1f31bcd26f
Update telpho10_credential_dump
2018-03-27 14:57:57 -05:00
0a0bef0c4f
Land #9633 , Exodus Wallet Remote Code Execution
...
Land #9633
2018-03-27 14:51:15 -05:00
7a76593e1c
update payload size cause whitespace is more exact
2018-03-27 14:38:17 -05:00
8c88c53e5d
Land #9670 , Gitstack v2.3.10 RCE
...
Land #9670
2018-03-27 13:00:47 -05:00
26463b33a2
Land #9636 , Improve post module persistence_exe
2018-03-26 17:48:53 -05:00
57b048fbf7
Remove requires, changed in-place modification
2018-03-26 17:46:18 -05:00
c19fc4c18f
Land #9423 , PSH for jenkins_xstream_deserialize
2018-03-26 17:09:16 -05:00
862a3ff74d
Land #9618 , pipe auditing improvements
2018-03-26 17:01:48 -05:00
327b2176c0
change and
2018-03-26 17:35:58 -04:00
217dea60fc
Update blog link to up-to-date blog post
2018-03-26 15:43:10 -04:00
e462cb49a2
updated docs
2018-03-25 14:53:30 -04:00
d739a9a057
working etcd scanner
2018-03-25 13:54:55 -04:00
80c4d59560
Land #9702 exploit for clipbucket
2018-03-24 19:59:17 -04:00
0028e2c5ba
documentation update
2018-03-24 19:25:59 -04:00
9bb6e72020
Add lastore-daemon D-Bus Privilege Escalation exploit
2018-03-24 23:16:42 +00:00
fdd2af2d2a
Update tested versions
2018-03-24 00:23:12 +00:00
5ece14b064
Convert SMBLoris to an external module
2018-03-23 14:55:18 -05:00
230c0a295f
Delete playsms_uploadcsv_exec.rb
2018-03-23 12:29:07 +05:30
09cb4a52df
Update smb_ms17_010 scanner with PipeAuditor mixin
2018-03-22 15:37:45 -05:00
e4c026fffd
Update pipe_auditor module with PipeAuditor mixin
2018-03-22 15:37:45 -05:00
9d28549e84
Update qnx_qconn_exec
2018-03-22 06:25:44 +00:00
8d0e3ada74
Change option names and module type
2018-03-21 06:49:50 -05:00
fc9005df8a
Add External License Support
2018-03-21 06:26:25 -05:00
8d12118d1f
Add get_user_spns external module and documentation
2018-03-21 06:26:15 -05:00
a506efe0b6
playsms_uploadcsv_exec.rb
...
PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
2018-03-21 14:13:52 +05:30
ca7caae622
Change External Module Type Names
...
Change the a couple of external module type names
to be consistent with the template files.
2018-03-20 10:19:57 -05:00
b865d4fee2
Fix CachedSize for windows/x64/reverse_(win)http(s) payloads
2018-03-20 11:27:43 +01:00
ac9f506b45
Update tested versions
2018-03-20 02:49:56 +00:00
53eabfc1df
Update documentation and add check before exploit
2018-03-19 23:27:18 +03:00
f012916742
Delete playsms_uploadcsv_exec.rb
2018-03-18 13:57:53 +05:30
0e0fcdf727
PlaySMS 1.4 RCE
...
PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
2018-03-18 13:46:30 +05:30
4801021aba
Land #9613 , add bind_named_pipe x86
2018-03-17 15:53:06 -05:00
44d5022380
Land #9529 , Add module for HP iLO CVE-2017-12542 authentication bypass
2018-03-16 16:50:54 -05:00
d1722d507b
handle reset from the target on exploit
2018-03-16 16:46:50 -05:00
65ae1e33e1
Land #9694 , move ssh platforms to lib
2018-03-16 12:49:57 -05:00
1b2f1ced02
Land #8422 , Typo3 News Module Sql Injection exploit
2018-03-15 10:55:04 -05:00
ba0d990273
Documentation added and Error Checks
2018-03-15 10:46:08 -05:00
9e23997c3d
Added Error Handling
2018-03-14 08:16:17 -05:00
1d51cf6d24
Implement Suggested Changes
2018-03-14 06:15:49 -05:00
b55a750fa9
Fix typo and couple tiny nitpicks
2018-03-14 11:51:21 +03:00
64a51c1bd7
Save Credentials and IP
2018-03-13 08:47:08 -05:00
889c914b3d
Updating documentation and minor code changes
2018-03-13 12:05:27 +03:00
ea3378753b
syntax error fixed on 70 line
...
improve check payload was uploaded or not condition using AND condition on line 121
2018-03-13 14:15:03 +05:30
39e2cddf70
update python payload cached size
2018-03-13 15:30:54 +08:00
ec10a82c56
Make the rubocop happy
2018-03-13 09:44:13 +03:00
97dbc1273a
copy pasta
2018-03-12 20:14:08 -04:00
2fd9b0b77b
Fixing rubocop errors
2018-03-13 01:40:01 +03:00
1587b5b682
Land #9686 , add ipv6 to slowloris, rhost to non-scanner modules
2018-03-12 16:13:21 -05:00
ef515d256d
msftidy fixes
2018-03-13 00:34:25 +05:30
2c52498d4a
Update smb_ms17_010.rb
2018-03-13 00:28:37 +05:30
6e9a4916f5
scanner update
2018-03-13 00:23:18 +05:30
5e30982184
check fucktion and some words fixed
...
all changes done which is bcoles suggested
2018-03-12 21:03:34 +05:30
d86dcbc237
Land #9632 , owa_login and auth_brute enhancements
2018-03-12 10:31:20 -05:00
5ee50c5fab
Username and password reported as credentials
2018-03-12 07:01:03 -05:00
3d6af4c7ee
Removed mail from author section
2018-03-12 07:01:03 -05:00
b0ed8c4702
code cleanup
2018-03-12 07:01:03 -05:00
7b781d53c9
Small code refactoring, added verbose output
2018-03-12 07:01:03 -05:00
fe89e2d391
Corrected check method, warning in case of absence of news and TARGETURI parameter
2018-03-12 07:01:03 -05:00
f09d9a8994
Solved msftidy.rb issues
2018-03-12 07:01:02 -05:00
dbba27cc97
Fixed minor issues and added automatic detection of Patten1/Pattern2
2018-03-12 07:01:02 -05:00
63444a2c43
Corrected wrong label in password hash message
2018-03-12 07:01:02 -05:00
4a40f40c14
Typo3 News Module Sql Injection exploit
2018-03-12 07:00:45 -05:00
9b0ba4a6fa
clipbucket_fileupload_exec
2018-03-12 14:17:13 +05:30
dddad415a5
add Msf::Exploit::Remote::HTTP::Joomla
2018-03-11 07:59:26 -05:00
615f6b02af
varnish no auth file read
2018-03-09 11:25:13 -06:00
1fd0087a97
Land #7654 , varnish file read
2018-03-09 10:59:04 -06:00
a458cb9ebc
varnish file read msftidy fixes
2018-03-09 10:56:52 -06:00
037559023a
Update connect/disconnect varnish
...
[ticket: #7654 ]
2018-03-09 10:37:14 -06:00
37bf4d118a
Changes suggested by h00die 0803
2018-03-09 09:55:50 -05:00
ea78e21961
Documentation accuracy
2018-03-09 07:43:12 -06:00
2735ae57cb
Documentation accuracy
2018-03-09 07:31:55 -06:00
9df99e8ce3
Update smb_ms17_010.rb
2018-03-09 16:10:20 +05:30
56fe70d84b
Update smb_ms17_010.rb
2018-03-09 16:07:09 +05:30
4b483e079b
Adding assigned CVE number
2018-03-09 12:25:19 +03:00
ec7a62bc4c
move ssh platforms to lib
2018-03-08 21:23:11 -05:00
048d0d1fe4
Changes suggested by h00die
2018-03-08 20:13:01 -05:00
478f01d0d9
fix format
2018-03-09 02:25:58 +05:30
24079c345d
Style guide and grammar fixes
2018-03-08 07:30:02 -06:00
b9ad1f2872
Land #9687 , bump payloads, fix PHP meterpreter message parsing
2018-03-07 18:48:56 -06:00
26481d503e
one more payload size adjustment
2018-03-07 18:48:10 -06:00
b977b1c951
bump payload sizes
2018-03-07 17:41:58 -06:00
9a8f1ace2d
Add slowloris support for IPv6 and hostnames
...
Replace manual socket creation with `socket.create_connection` to get
auto-detection goodness.
2018-03-07 17:06:04 -06:00
611b208267
Adding ManageEngine Application Manager RCE
2018-03-07 23:54:01 +03:00
5a2f197c47
Remove redundant RPORT
2018-03-07 14:41:51 -06:00
9ce6c2ae32
Remove redundant RPORT
2018-03-07 14:31:58 -06:00
15269ec3ce
Land #9678 , Add memcached UDP version scanner
2018-03-07 10:14:29 -06:00
86dd382e6a
Land #9554 , Eclipse Equinoxe OSGi console RCE
2018-03-07 08:41:31 -06:00
e8a227b1a6
Changes as requested by jhart-r7:
...
- Default Username / Password are now random
- Doc fixed
- REST typo fixed
2018-03-07 10:48:05 +01:00
a69c2e29d2
Correct comment
2018-03-06 18:16:22 -08:00
1e04fa009f
Fix style
2018-03-06 18:13:50 -08:00
74ec9f00e7
Add WIP memcached UDP version scanner
2018-03-06 17:54:00 -08:00
e72372d6d8
Add disclosure date and correct CVE for memcached amp
2018-03-06 16:04:00 -08:00
d6871f5733
Land #9614 , Juniper post enum module
2018-03-06 10:29:56 -06:00
f6ebce2440
Update User List
2018-03-06 06:38:06 -06:00
5fde6bf5d3
Update Code
2018-03-05 22:39:16 -06:00
4ace73a3f9
Added references, fixed code
2018-03-05 22:00:28 -06:00
e878e19bbd
Land #9665 , Add missing reverse_tcp_rc4 payload tests.
...
Merge branch 'land-9665' into upstream-master
2018-03-05 17:18:04 -06:00
176fb13c84
Fix #9650 , missed code from TelnetEnable refactor
...
1. Functionality was added incrementally, and I missed an opportunity to
consolidate a few methods under @do_exploit.
2. The Capture mixin can raise RuntimeError for a number of different
reasons, not just a lack of root privileges.
tl;dr Fix my incompetence and laziness. :-)
I don't think EDB and friends usually get these updates. :(
2018-03-05 14:46:27 -06:00
57118e1265
msftidy fix
2018-03-05 13:37:32 -06:00
a4f48eb80f
Add GitStack v2.3.10 RCE
2018-03-05 13:25:41 -06:00
3028dccd7a
Land #9644 , @xistence's memcached stats amplification scanner
2018-03-05 09:02:28 -08:00
d945734f43
Add 2017-8917 RCE for Joomla 3.0.7
2018-03-04 22:17:49 -05:00
eac7cc63fc
add missing payload tests
2018-03-04 17:54:52 -06:00
f2de2a7f21
Appease most of rubocop's concerns
2018-03-04 07:17:25 -08:00
2edb2dd8d0
Add CVE; clarify vuln name
2018-03-04 07:13:28 -08:00
ea62497385
Land #9658 spelling and grammar fixes
2018-03-04 06:24:59 -05:00
3925686173
Fixed error in my correction
...
Changed from `an username` to `a username`
2018-03-03 10:16:44 +05:30
6dbf9445c9
Add MAC address discovery
2018-03-02 19:18:30 -06:00
107512498c
Add check method
2018-03-02 19:16:37 -06:00
25f36fb926
Refactor code into new methods
2018-03-02 19:16:37 -06:00
109bc87ffb
Check for nil, EOFError, and zero-length response
2018-03-02 19:15:20 -06:00
bcdfebf93c
Add a vprint for creds we chose
2018-03-02 19:15:19 -06:00
4418a0de02
Enhance detection of telnetenabled vs. telnetd
2018-03-02 19:15:19 -06:00
fba30d47a2
Use default creds specific to protocol
2018-03-02 19:15:18 -06:00
1f40afea9c
Add automatic target for detection of TCP or UDP
2018-03-02 19:15:18 -06:00
a5e5b618fd
Add print statements I forgot
2018-03-02 19:15:17 -06:00
e87681f2c4
Add NETGEAR TelnetEnable
2018-03-02 19:15:17 -06:00
0d07d44b14
ReLand #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
...
This reverts commit 7964868fcd
2018-03-02 16:09:52 -06:00
7964868fcd
Revert "Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm"
...
This reverts commit fcc579377f95cd149378
2018-03-02 08:29:48 -06:00
bwatters-r7
William Vu
Tim W
Auxilus
Lars Sorenson
Chris Long
Adam Cammack
Borja Merino
Brendan Coles
Dhiraj Mishra
Aaron Soto
h00die
Brent Cook
thecarterb
Daniel Teixeira
Spencer McIntyre
Jon Hart
Chris Higgins
r4wd3r
Jacob Robles
Jeffrey Martin
Wei Chen
Andrew Morris
Touhid M Shaikh
Summus6
Mehmet İnce
Mzack9999
Luis Hernandez
Fab
Biswajit Roy