Commit Graph

547 Commits (07ab53ab39b0e46a33880bd87f889df3831b1344)

Author SHA1 Message Date
Tod Beardsley e7a1f06fbc Modules shouldn't be +x 2013-05-29 15:11:35 -05:00
James Lee f3ff5b5205 Factorize and remove includes
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
Tod Beardsley 75d6c8079a Spelling, whitespace
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
jvazquez-r7 bfcd86022d Add code cleanup for nginx_chunked_size. 2013-05-22 14:37:42 -05:00
LinuxGeek247 81b690ae4b Initial check in of nginx module 2013-05-22 13:52:00 -04:00
James Lee f4498c3916 Remove $Id tags
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7 94bc3bf8eb Fix msftidy warning 2013-05-20 10:35:59 -05:00
jvazquez-r7 395aac90c2 Do minor cleanup for linksys_wrt160nv2_apply_exec 2013-05-20 10:34:39 -05:00
jvazquez-r7 08b2c9db1e Land #1801, @m-1-k-3's linksys wrt160n exploit 2013-05-20 10:33:44 -05:00
m-1-k-3 1a904ccf7d tftp download 2013-05-19 20:37:46 +02:00
jvazquez-r7 dfa19cb46d Do minor cleanup for dlink_dir615_up_exec 2013-05-19 12:43:01 -05:00
jvazquez-r7 348705ad46 Land #1800, @m-1-k-3's exploit for DLINK DIR615 2013-05-19 12:42:02 -05:00
m-1-k-3 f3a2859bed removed user,pass in request 2013-05-19 18:50:12 +02:00
m-1-k-3 aee5b02f65 tftp download check 2013-05-19 18:45:01 +02:00
m-1-k-3 4816925f83 feeback included 2013-05-19 16:19:45 +02:00
James Lee 3009bdb57e Add a few more references for those without 2013-05-16 14:32:02 -05:00
jvazquez-r7 649a8829d3 Add modules for Mutiny vulnerabilities 2013-05-15 09:02:25 -05:00
sinn3r 5e925f6629 Description update 2013-05-14 14:20:27 -05:00
jvazquez-r7 42cfa72f81 Update data after test kloxo 6.1.12 2013-05-13 19:09:06 -05:00
jvazquez-r7 58f2373171 Added module for EDB 25406 2013-05-13 18:08:23 -05:00
m-1-k-3 981cc891bc description 2013-05-12 20:07:32 +02:00
m-1-k-3 09bf23f4d6 linksys wrt160n tftp download module 2013-05-06 16:18:15 +02:00
m-1-k-3 22d850533a dir615 down and exec exploit 2013-05-06 15:33:45 +02:00
Tod Beardsley 60e0cfb17b Trivial description cleanup 2013-04-29 14:11:20 -05:00
jvazquez-r7 2b4144f20f Add module for US-CERT-VU 345260 2013-04-24 10:47:16 -05:00
Antoine 0115833724 SyntaxError fixes 2013-04-21 20:22:41 +00:00
jvazquez-r7 19a158dce9 Do final cleanup for netgear_dgn2200b_pppoe_exec 2013-04-19 15:50:23 -05:00
jvazquez-r7 c1819e6ecc Land #1700, @m-1-k-3's exploit for Netgear DGN2200B 2013-04-19 15:49:30 -05:00
m-1-k-3 2713991c64 timeout and HTTP_Delay 2013-04-17 20:25:59 +02:00
m-1-k-3 59045f97fb more testing, reworking of config restore, rework of execution 2013-04-17 18:10:27 +02:00
Tod Beardsley 513b3b1455 Minor cleanup on DLink module 2013-04-15 13:27:47 -05:00
jvazquez-r7 7e5d4bc893 Landing #1614, @jwpari nagios nrpe exploit 2013-04-11 17:53:52 +02:00
jvazquez-r7 a1605184ed Landing #1719, @m-1-k-3 dlink_diagnostic_exec_noauth exploit module 2013-04-10 11:17:29 +02:00
jvazquez-r7 4f2e3f0339 final cleanup for dlink_diagnostic_exec_noauth 2013-04-10 11:15:32 +02:00
m-1-k-3 8fbade4cbd OSVDB 2013-04-10 10:45:30 +02:00
jvazquez-r7 157f25788b final cleanup for linksys_wrt54gl_apply_exec 2013-04-09 12:39:57 +02:00
jvazquez-r7 b090495ffb Landing pr #1703, m-1-k-3's linksys_wrt54gl_apply_exec exploit 2013-04-09 12:38:49 +02:00
m-1-k-3 b93ba58d79 EDB, BID 2013-04-09 11:56:53 +02:00
m-1-k-3 cbefc44a45 correct waiting 2013-04-08 21:40:50 +02:00
m-1-k-3 955efc7009 final cleanup 2013-04-07 17:59:57 +02:00
m-1-k-3 9f89a996b2 final regex, dhcp check and feedback from juan 2013-04-07 17:57:18 +02:00
jvazquez-r7 0e69edc89e fixing use of regex 2013-04-07 11:39:29 +02:00
jvazquez-r7 6a410d984d adding get_config where I forgot 2013-04-06 19:13:42 +02:00
jvazquez-r7 0c25ffb4de Landing #1695, agix's smhstart local root exploit 2013-04-06 17:32:12 +02:00
jvazquez-r7 55302ee07f Merge remote-tracking branch 'origin/pr/1695' into landing-pr1695 2013-04-06 17:30:02 +02:00
jvazquez-r7 9a2f409974 first cleanup for linksys_wrt54gl_apply_exec 2013-04-06 01:05:09 +02:00
m-1-k-3 ecaaaa34bf dlink diagnostic - initial commit 2013-04-05 19:56:15 +02:00
m-1-k-3 96b444c79e ManualRanking 2013-04-04 17:40:53 +02:00
m-1-k-3 67f0b1b6ee little cleanump 2013-04-04 17:33:46 +02:00
m-1-k-3 f07117fe7d replacement of wrt54gl auxiliary module - initial commit 2013-04-04 17:30:36 +02:00
agix b947dc71e9 english :) "must be" 2013-04-03 13:47:57 +02:00
agix 60dfece55c add opcode description 2013-04-03 13:46:56 +02:00
jvazquez-r7 ce88d8473a cleanup for netgear_dgn1000b_setup_exec 2013-04-03 12:44:04 +02:00
jvazquez-r7 3c27678168 Merge branch 'netgear-dgn1000b-exec-exploit' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-netgear-dgn1000b-exec-exploit 2013-04-03 12:43:42 +02:00
m-1-k-3 a93ec3aea3 fix name 2013-04-03 10:40:52 +02:00
m-1-k-3 2ceecabede make msftidy happy 2013-04-03 10:34:28 +02:00
m-1-k-3 91b0e5f800 netgear dgn2200b pppoe exec exploit - initial commit 2013-04-03 10:32:52 +02:00
m-1-k-3 642d8b846f netgear_dgn1000b_setup_exec - initial commit 2013-04-02 14:41:50 +02:00
m-1-k-3 7f3c6f7629 netgear_dgn1000b_setup_exec - initial commit 2013-04-02 14:39:04 +02:00
m-1-k-3 1b27d39591 netgear dgn1000b mipsbe exploit 2013-04-02 14:34:09 +02:00
agix 7359151c14 decrement esp to fix crash in the middle of shellcode 2013-04-02 13:25:31 +02:00
jvazquez-r7 6a6fa5b39e module filename changed 2013-04-02 10:50:50 +02:00
jvazquez-r7 b3feb51c49 cleanup for linksys_e1500_up_exec 2013-04-02 10:49:09 +02:00
jvazquez-r7 5e42b8472b Merge branch 'linksys_e1500_exploit' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys_e1500_exploit 2013-04-02 10:48:28 +02:00
m-1-k-3 579c499f43 Juans SRVHOST check included 2013-04-02 07:50:51 +02:00
jvazquez-r7 08ba2c70d3 update title and descr for mongod_native_helper 2013-04-01 21:44:08 +02:00
jvazquez-r7 81bca2c45a cleanup for mongod_native_helper 2013-04-01 21:35:34 +02:00
m-1-k-3 c386d54445 check SRVHOST 2013-04-01 18:12:13 +02:00
agix cc598bf977 Resolv a problem with mmap64 libc function and its unknown last argument 2013-04-01 17:38:09 +02:00
agix 6b639ad2ee add memcpy to the ropchain due to the zeroed mmap function under ubuntu 2013-04-01 14:13:19 +02:00
agix baf1ce22b3 increase mmap RWX size 2013-03-31 21:04:39 +02:00
jvazquez-r7 0f965ddaa3 waiting for payload download on linksys_e1500_more_work 2013-03-31 16:07:14 +02:00
agix 30111e3d8b hpsmh smhstart local exploit BOF 2013-03-31 13:04:34 +02:00
m-1-k-3 1d6184cd63 fixed author details 2013-03-30 12:41:31 +01:00
m-1-k-3 cd8bc2f87d description, blind exploitation info on cmd payload 2013-03-30 12:03:14 +01:00
m-1-k-3 b0a61adc23 juans feedback included 2013-03-30 11:43:10 +01:00
jvazquez-r7 5fd996f775 added osvdb reference 2013-03-30 10:42:58 +01:00
jvazquez-r7 3bf0046e3e Merge branch 'hp_system_management' of https://github.com/agix/metasploit-framework into agix-hp_system_management 2013-03-30 10:42:06 +01:00
m-1-k-3 7965f54890 juans feedback included 2013-03-30 08:40:42 +01:00
jvazquez-r7 607b1c5c14 little cleanup for e1500_up_exec 2013-03-29 23:16:13 +01:00
m-1-k-3 1b563ad915 stop_service 2013-03-29 22:38:06 +01:00
m-1-k-3 813ff1e61e removed payload stuff 2013-03-29 22:32:57 +01:00
m-1-k-3 c5e358c9c3 compatible payloads 2013-03-29 20:54:35 +01:00
m-1-k-3 0164cc34be msftidy, generate exe, register_file_for_cleanup 2013-03-29 19:00:04 +01:00
jvazquez-r7 c55a3870a8 cleanup for hp_system_management 2013-03-29 18:02:23 +01:00
m-1-k-3 cfeddf3f34 cmd payload working, most feedback included 2013-03-29 14:43:48 +01:00
agix 4a683ec9a4 Fix msftidy WARNING 2013-03-28 13:36:35 +01:00
agix 139926a25b Fix msftidy Warning 2013-03-28 13:22:26 +01:00
agix eec386de60 fail in git usage... sorry 2013-03-28 12:05:49 +01:00
agix 4bcadaabc1 hp system management homepage DataValidation?iprange buffer overflow 2013-03-28 12:00:17 +01:00
agix 69fb465293 Put gadgets in Target 2013-03-28 11:15:13 +01:00
agix dee5835eab Create mongod_native_helper.rb
metasploit exploit module for CVE-2013-1892
2013-03-28 03:10:38 +01:00
m-1-k-3 dfd451f875 make msftidy happy 2013-03-27 17:46:02 +01:00
jvazquez-r7 cd58a6e1a1 cleanup for nagios_nrpe_arguments 2013-03-20 19:22:48 +01:00
Joel Parish 21e9f7dbd2 Added module for CVE-2013-1362
Module exploits a shell code metacharacter escaping vulnerability in
poorly configured Nagios Remote Plugin Executor installations.
2013-03-19 01:43:46 -07:00
jvazquez-r7 6ccfa0ec18 cleanup for dreambox_openpli_shell 2013-03-14 15:02:21 +01:00
m-1-k-3 9366e3fcc5 last adjustment 2013-03-14 11:18:52 +01:00
m-1-k-3 0140caf1f0 Merge branch 'master' of git://github.com/rapid7/metasploit-framework into openpli-shell 2013-03-14 10:55:52 +01:00
jvazquez-r7 4852f1b9f7 modify exploits to be compatible with the new netcat payloads 2013-03-11 18:35:44 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
David Maloney 0ae489b37b last of revert-merge snaffu 2013-02-19 23:16:46 -06:00
m-1-k-3 3ab5585107 make msftidy happy 2013-02-16 20:49:32 +01:00
m-1-k-3 121a736e28 initial commit 2013-02-16 20:42:02 +01:00
Tod Beardsley 8ddc19e842 Unmerge #1476 and #1444
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.

First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.

FixRM #7752
2013-02-11 20:49:55 -06:00
David Maloney 4c1e630bf3 BasicAuth datastore cleanup
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
sinn3r c174e6a208 Correctly use normalize_uri()
normalize_uri() should be used when you're joining URIs.  Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
sinn3r 690ef85ac1 Fix trailing slash problem
These modules require the target URI to be a directory path. So
if you remove the trailing slash, the web server might return a
301 or 404 instead of 200.

Related to: [SeeRM: #7727]
2013-01-28 13:19:31 -06:00
sinn3r f50c7ea551 A version number helps deciding which exploit to use 2013-01-23 11:43:39 -06:00
sinn3r ca144b9e84 msftidy fix 2013-01-23 11:40:12 -06:00
jvazquez-r7 dd0fdac73c fix indent 2013-01-23 18:19:14 +01:00
jvazquez-r7 9c9a0d1664 Added module for cve-2012-0432 2013-01-23 10:51:29 +01:00
Tod Beardsley 33751c7ce4 Merges and resolves CJR's normalize_uri fixes
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules

Note that this trips all kinds of msftidy warnings, but that's for another
day.

Conflicts:
	modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
	modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
Christian Mehlmauer 6654faf55e Msftidy fixes 2013-01-04 09:29:34 +01:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
James Lee 20cc2fa38d Make Windows postgres_payload more generic
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
  the ability to use generate_payload_dll() which generates a generic dll
  that spawns rundll32 and runs the shellcode in that process. This is
  basically what the linux version accomplishes by compiling the .so on
  the fly. On major advantage of this is that the resulting DLL will
  work on pretty much any version of postgres

* Adds Exploit::FileDropper to windows version as well. This gives us
  the ability to delete the dll via the resulting session, which works
  because the template dll contains code to shove the shellcode into a
  new rundll32 process and exit, thus leaving the file closed after
  Postgres calls FreeLibrary.

* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
  Windows

* Adds a check method to both Windows and Linux versions that simply
  makes sure that the given credentials work against the target service.

* Replaces the version-specific lo_create method with a generic
  technique that works on both 9.x and 8.x

* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
  gets downcased and subsequently causes postgres to error out before
  opening the DLL

* Cleans up lots of rdoc in Exploit::Postgres
2012-12-22 00:30:09 -06:00
Tod Beardsley e762ca0d9b Merge remote branch 'jlee-r7/midnitesnake-postgres_payload' 2012-12-12 15:30:56 -06:00
sinn3r f5193b595c Update references 2012-12-10 11:42:21 -06:00
James Lee 17d8d3692b Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-11-27 11:14:54 -06:00
jvazquez-r7 35b3bf4aa5 back to the original Brute mixin 2012-11-19 14:13:49 +01:00
jvazquez-r7 24fe043960 Merge branch 'samba' of https://github.com/mephos/metasploit-framework into mephos-samba 2012-11-19 14:13:15 +01:00
Chris John Riley f88ec5cbc8 Add normalize_uri to modules that may have
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
James Lee ac1b60e6db Remove debug load 2012-11-07 20:00:41 -06:00
m m e170c1e3e3 typo in centos5 range 2012-10-31 18:28:26 +01:00
m m f7481b160c add centos5 target 2012-10-31 18:21:41 +01:00
m m 3e3c518753 remove SessionTypes as per egypt 2012-10-30 17:13:57 +01:00
m m 3855ba88b1 add meterpreter/command support to samba exploit using ROP 2012-10-29 17:33:00 +01:00
sinn3r 799c22554e Warn user if a file/permission is being modified during new session 2012-10-24 00:54:17 -05:00
Tod Beardsley be9a954405 Merge remote branch 'jlee-r7/cleanup/post-requires' 2012-10-23 15:08:25 -05:00
Michael Schierl 910644400d References EDB cleanup
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
James Lee 9c95c7992b Require's for all the include's 2012-10-23 13:24:05 -05:00
Michael Schierl f9ac55c221 Infohash key cleanups
Replace obvious typos in infohash keys. Note that this *does*
affect the behaviour as those keys have been ignored before.
2012-10-22 21:24:36 +02:00
Michael Schierl e9f7873afc Version cleanup
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
James Lee 768d2c5921 Go back to old behavior for unknown versions
May not be correct, but it's what we used to do, so probably better than
just raising.

Also documents things a bit better.
2012-10-18 16:57:40 -05:00
James Lee 1eccb24bf8 Raise if the version isn't what we expect
Also adds some clarifying commentation and adds todb to the list of
authors since he wrote the original module for windows upon which this
one is based.
2012-10-18 15:55:55 -05:00
James Lee 3c5c1cd86e Remove unnecessary version restrictions
Since the payload is now run in the .so constructor, there's no need to
be compatible with a particular Postgres API.

Also:
 - report the service
 - delete the payload in the payload itself to reduce forensics
	 footprint
 - randomize the created function name instead of abusing
	 postgres_create_sys_exec
2012-10-18 15:40:27 -05:00
James Lee 0221f75f39 Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-10-18 13:57:25 -05:00
James Lee 52feae2dcd Add missing require
[FixRM #7345]
2012-10-15 17:18:04 -05:00
sinn3r 529f88c66d Some msftidy fixes 2012-10-14 19:16:54 -05:00
James Lee 9c6fdbe9d7 Compile a .so instead of being version-specific
This makes it possible to use payloads for the appropriate architecture

NOTE: need to test windows and make sure I didn't break it
2012-10-13 15:18:25 -05:00
James Lee ad1870d819 Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-10-12 14:18:34 -05:00
James Lee db12413b09 Convert vcms_upload to use PhpEXE
Incidentally adds a Linux x86 target
2012-10-12 04:29:57 -05:00
jvazquez-r7 aba69d8438 fix indentation 2012-10-05 20:18:40 +02:00
jvazquez-r7 4c646762a5 Added target debian squeeze 2012-10-05 20:12:09 +02:00
jvazquez-r7 6679ff765a remove extra commas 2012-09-28 12:21:59 +02:00
sinn3r 4087790cf7 Oops, forgot to update the check() function 2012-09-27 18:22:57 -05:00
jvazquez-r7 9d3a1871a6 Added module for Samba CVE-2012-1182 2012-09-28 01:18:52 +02:00
jvazquez-r7 25e6990dc7 added osvdb reference 2012-09-24 21:49:32 +02:00
jvazquez-r7 ed24154915 minor fixes 2012-09-21 11:36:58 +02:00
bcoles 6ee2c32f08 add ZEN Load Balancer module 2012-09-21 17:25:20 +09:30
Ramon de C Valle 11f82de098 Update author information 2012-09-19 14:00:51 -03:00
jvazquez-r7 8b251b053e initializing msghdr a little better 2012-09-18 12:12:27 +02:00
jvazquez-r7 16c5df46fc fix while testing ubuntu intrepid 2012-09-18 11:52:50 +02:00
jvazquez-r7 0708ec72fc module moved to a more correct location 2012-09-15 15:31:21 +02:00
jvazquez-r7 0f67f8d08a target modified 2012-09-15 15:14:33 +02:00
jvazquez-r7 0061d23b37 Added module for CVE-2012-2982 2012-09-15 15:09:19 +02:00
sinn3r 1f58458073 Merge branch 'udev_netlink' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-udev_netlink 2012-09-13 10:37:52 -05:00
jvazquez-r7 12f3ef9c7c added osvdb numbers 2012-09-13 14:00:12 +02:00
Tod Beardsley fba219532c Updating BID for openfiler 2012-09-12 14:13:21 -05:00
sinn3r f5a0f74d27 Merge branch 'wanem_exec_improve' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-wanem_exec_improve 2012-09-10 13:35:48 -05:00
James Lee bbeb6cc97a Add a privilege escalation exploit for udev < 1.4.1
Also includes a new ```rm_f``` method for Post::File for deleting remote
files in a platform-independent way.
2012-09-10 12:32:14 -05:00
sinn3r 64b8696e3c Extra condition that's not actually needed
Don't actually need to check nil res, because no code will
actually try to access res when it's nil anyway. And the 'return'
at the of the function will catch it when the response times out.
2012-09-09 04:06:48 -05:00
bcoles cb95a7b520 Add openfiler_networkcard_exec exploit 2012-09-09 17:28:09 +09:30
jvazquez-r7 37c7f366f2 check function test vulnerability + minor improvements 2012-09-09 00:42:02 +02:00
bcoles f02659184a Add WANem v2.3 command execution 2012-09-08 16:01:45 +09:30
sinn3r bbab206eac Add CVE-2012-3579 - Symantec Messaging Gateway 9 Default SSH Pass
This module exploits a default misconfig flaw on Symantec Messaging
Gateway 9.5 (or older).  The "support" user has a known default
password, which can be used to login to the SSH service, and then
gain privileged access from remote.
2012-09-05 13:21:10 -05:00
sinn3r 9d97dc8327 Add Metasploit blogs as references, because they're useful. 2012-09-03 15:57:27 -05:00
midnitesnake 25ee8fd357 Run postgres.rb & postgres_payload through msftidy, and cleaned up the files 2012-08-25 01:44:49 +01:00
sinn3r ea7d7b847a Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-08-24 11:17:14 -05:00
jvazquez-r7 8f748d833a Added BID reference 2012-08-24 17:30:52 +02:00
jvazquez-r7 261a17d28a Added module for CVE-2009-4498 2012-08-23 18:29:39 +02:00
midnitesnake d0b1fa33af swapped out OptString for OptEnum 2012-08-22 02:20:13 +01:00
midnitesnake 8218a60b32 other corrections 2012-08-22 00:08:59 +01:00
midnitesnake 5cf7f22a13 corrections following on from jlee-r7 comments 2012-08-21 23:57:07 +01:00
jvazquez-r7 3106f87687 badchars fixed 2012-08-21 13:30:15 +02:00
jvazquez-r7 e21ea6999c added module for ESVA Command Injection Vulnerability 2012-08-21 13:25:03 +02:00
sinn3r a228e42630 Add new target thanks for cabetux 2012-08-15 16:06:09 -05:00
midnitesnake ad2b457fda Added linux port for postgres payload 2012-08-14 17:46:35 +01:00
HD Moore f72f334124 Fix an odd issue with search due to use of the builtin Proxies option 2012-08-12 23:22:38 -05:00
RageLtMan 3711297719 dd Opt::Proxies and opthash[:proxies] to exploits 2012-08-12 16:29:39 -04:00
Tod Beardsley 955a5af8cf Adding OSVDB ref 2012-08-07 12:56:29 -05:00
Steve Tornio 54ed27c1b3 add osvdb ref 2012-08-05 09:02:54 -05:00
bcoles 2bf0899d09 minor improvements to Zenoss showdaemonxmlconfig exploit 2012-08-01 20:15:45 +09:30
bcoles bdf8f1a543 Clean up Zenoss exploit + minor improvements
Changed send_request_raw() to send_request_cgi()
 - Removed redundant request headers 'Content-Length'

Added rescue error message for connection failures

Changed username to the default 'admin' account
2012-07-30 18:04:14 +09:30
bcoles 8d3700cc3c Add Zenoss <= 3.2.1 exploit and Python payload
- modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
 - modules/payloads/singles/cmd/unix/reverse_python.rb
2012-07-30 01:24:27 +09:30
sinn3r e483af64e4 Random text 2012-07-26 15:14:02 -05:00
sinn3r 6c3b05f1c4 Add CVE-2012-2953 Symantec Web Gateway proxy_file() cmd exec bug 2012-07-26 13:11:05 -05:00
sinn3r 3cb60fb42a Fix 1.8-specific regexp syntax bug
The bug was:
line 343: warning: regexp has invalid interval
line 343: warning: regexp has '}' without escape
2012-07-26 02:19:13 -05:00
sinn3r b662881613 Enforce a check before firing the exploit 2012-07-19 16:43:52 -05:00
James Lee d238debb2f Add disclo date, discoverers, and better description 2012-07-18 16:14:32 -06:00
James Lee ebe48ecf16 Add Rank for schelevator, update sock_sendpage's 2012-07-18 11:16:29 -06:00
James Lee 7091d1c65b Add an exploit for sock_sendpage
Unfortunately, adds a dep on bionic for runtime compilation.

Gets ring0, sets the (res)uid to 0 and jumps to the payload.  Still some
payload issues because linux stagers don't mprotect(2) the buffer they
read(2) into.  Single payloads work fine, though.

Also cleans up and improves local exploits' ability to compile C.

[SEERM #3038]
2012-07-15 20:29:48 -06:00
James Lee 6d6b4bfa92 Merge remote branch 'rapid7/master' into omg-post-exploits 2012-07-08 17:32:39 -06:00
sinn3r e5dd6fc672 Update milw0rm references.
milw0rm.com is long gone, so all milw0rm references are just
a bunch of broken links.  Change to exploit-db instead.
2012-06-28 14:27:12 -05:00
James Lee 6913440d67 More progress on syscall wrappers
Something is still broken, my socket() is returning EAFNOSUPPORT whereas
what looks like the same syscall in wunderbar_emporium's exploit.c is
returning a socket. Similarly, my __mmap2() is returning EFAULT when
trying to map anything, not just NULL.
2012-06-22 17:45:49 -06:00
James Lee fd8b1636b9 Add the first bits of a sock_sendpage exploit
This can currently build an executable that creates a socket, opens a
temporary file, truncates that file with ftruncate(2) and calls
sendfile. Still needs to mmap NULL and figure out ring0 shellcode.

Baby steps.
2012-06-22 00:03:29 -06:00
HD Moore d40e39b71b Additional exploit fail_with() changes to remove raise calls 2012-06-19 19:43:41 -05:00
HD Moore fb7f6b49f0 This mega-diff adds better error classification to existing modules 2012-06-19 12:59:15 -05:00
James Lee 7eebc671ba Put the curly braces back and drop a comma
The curly braces make extra commas at the end ok in 1.8. So fe39642e
broke this module for 1.8. Having braces doesn't hurt anything and
protects against syntax errors if a module author is not dilligent with
their commas, especially after copy-pasting another module.
2012-06-16 01:17:33 -06:00
Tod Beardsley fe39642e27 Dropping extra curly braces on f5 module
Also dropping extra whitespace.
2012-06-15 12:23:34 -05:00