infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,889 Commits
7 Branches
556 Tags
419 MiB
Commit Graph

5662 Commits (094e7d0327c5bde904d19eca19488540e974e1fb)

Author SHA1 Message Date
Steven Seeley 9b0c211160 exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 11:07:36 +10:00
Steven Seeley 762324e286 Merge remote-tracking branch 'upstream/master' 2012-04-13 10:26:12 +10:00
sinn3r d31771d7f9 Randomize as many nops as possible without making the exploit too unstable 2012-04-12 03:45:13 -05:00
sinn3r 0d739a1a51 Module rename. Cleanup whitespace. Fix typos. 2012-04-12 03:45:12 -05:00
Steven Seeley 14f85e406f exploit for Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution 2012-04-12 03:45:12 -05:00
Steven Seeley 846be0e983 exploit for Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution 2012-04-12 13:10:18 +10:00
sinn3r 860add8dfe Code cleanup 2012-04-11 20:26:52 -05:00
James Lee 810d496ade Chmod the payload executable 
Makes native payloads work on non-windows, thanks mihi!
 2012-04-11 12:48:14 -06:00
sinn3r 443f19abcf Merge branch 'CVE-2008-5499_adobe_flashplayer_aslaunch' of https://github.com/0a2940/metasploit-framework into 0a2940-CVE-2008-5499_adobe_flashplayer_aslaunch 2012-04-11 10:04:01 -05:00
James Lee b077efb7f0 Missed one. 2012-04-11 00:30:18 -06:00
James Lee d0eb383655 Un-standardize printing in browser modules 
This is now handled by the HttpServer mixin
 2012-04-11 00:26:25 -06:00
James Lee 090566610a Make sure @shares is initialized 
Fixes a stack trace when the target isn't Windows
 2012-04-10 15:00:47 -06:00
Tod Beardsley 94cf69cdf8 Yank the ACTION option from persistence 
Other problems with this module since commit
5ba5bbf077 but this should be enough to
get it working again.
 2012-04-10 15:01:14 -05:00
0a2940 654701f1b2 new file: data/exploits/CVE-2008-5499.swf 
new file:   external/source/exploits/CVE-2008-5499/Exploit.as
	new file:   modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
 2012-04-10 20:58:22 +01:00
Tod Beardsley 03c958a9b1 ACTION on persistence.rb should be an OptEnum 
That way, upcase / downcase problems get caught on option validation,
rather than down in the module's guts.
 2012-04-10 14:45:54 -05:00
Tod Beardsley cbc12560a5 Leading tabs, not spaces 
There's a coding style in here that will make msftidy.rb cry, and
that's:

```
varfoo = %q|
    stuff
      thats
        html
|
```

Usually, you want something like

varfoo = ""
varfoo << %q|    stuff|
varfoo << %q|      thats|
varfoo << %q|        html|

That said, the Description field is usually written as tab-intended
multiline %q{} enclosures, so that's what I'll do here to make
msftidy.rb happy.
 2012-04-10 14:25:00 -05:00
Tod Beardsley cdc020ba9f Trailing space on xpi bootstrap module 2012-04-10 14:24:08 -05:00
Tod Beardsley 3cb7cbe994 Adding another ref and a disclosuredate to mihi's XPI module 
Calling the disclosure date 2007 since TippingPoint published a blog
post back then about this XPI confirm-and-install vector.
 2012-04-10 13:59:21 -05:00
sinn3r 0e1fff2c4b Change the output style to comply with egyp7's expectations. 2012-04-10 13:42:52 -05:00
James Lee 28534d5f6e Merge branch 'rapid7' into bap-refactor 2012-04-10 12:42:27 -06:00
sinn3r 76c12fe7e6 Whitespace cleanup 2012-04-10 13:22:10 -05:00
Michael Schierl 705cf41858 Add firefox_xpi_bootstrapped_addon exploit 
This is similar to java_signed_applet as it does not exploit a vulnerability, but
hope that the user will trust the addon.
 2012-04-10 13:39:54 +02:00
HD Moore a9d733f9fe Fix pack order 2012-04-09 21:21:42 -05:00
James Lee 2de0c801d9 Add vulnerable version numbers to the description 2012-04-09 14:41:42 -06:00
HD Moore 2c473e3cdd Fix up koyo login 2012-04-09 15:07:47 -05:00
juan 246ebca940 added module for CVE-2012-0198 2012-04-09 20:45:27 +02:00
sinn3r a26e844ce5 Merge pull request #318 from wchen-r7/dolibarr_login 
Add an aux module to brute force Dolibarr's login interface
 2012-04-09 09:20:48 -07:00
sinn3r bef12478fc Merge branch 'bap-refactor' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-bap-refactor 2012-04-09 09:58:22 -05:00
James Lee 037fbf655e Standardize the print format for modules used by browser autopwn 2012-04-09 01:57:50 -06:00
James Lee b38933328f Send exploits that are not assocated with any browser to all of them 2012-04-09 01:53:57 -06:00
James Lee 3ca440089e Add checks for .NET requisites 
Also standardizes print_status format to look nicer with lots of cilents
 2012-04-09 01:23:44 -06:00
James Lee a6b106e867 Remove autopwn support for enjoysapgui_comp_download 
No automatic targeting, the payload doesn't execute immediately, and
requires the browser be running as Admin. Bascially just not a great
candidate for being run automatically.
 2012-04-09 01:05:37 -06:00
James Lee 409ba3139b Add bap checks for blackice exploit 2012-04-09 00:50:04 -06:00
sinn3r 5fefb47b7f Some cosmetic changes 2012-04-09 01:43:20 -05:00
sinn3r 95dbb8a818 Merge branch 'snort-dce-rpc' of https://github.com/carmaa/metasploit-framework into carmaa-snort-dce-rpc 2012-04-09 00:17:44 -05:00
James Lee da1cb2b81d ActiveX controls require IE 2012-04-08 22:07:09 -06:00
sinn3r 9cec9639c7 Add an aux module to brute force Dolibarr's login interface 2012-04-08 18:16:38 -05:00
James Lee f520af036f Move next_exploit() onto window object so it's accessible everywhere 
I swear I committed this before, not sure what happened.
 2012-04-08 17:11:15 -06:00
Carsten Maartmann-Moe ce0de02a2a Modified for 8-space tabs 2012-04-08 16:09:28 -04:00
Carsten Maartmann-Moe 89c1894e07 Minor formatting changes, tabs etc. and comments for clarity 2012-04-08 15:45:23 -04:00
sinn3r 51bdfe14fd 2012, not 2011, oops 2012-04-08 13:21:37 -05:00
sinn3r 24478e9eb5 Add Dolibarr ERP & CRM Command Injection Exploit 2012-04-08 13:20:22 -05:00
sinn3r 05eba0ab4c Cosmetic changes, mostly :-) 2012-04-07 14:47:23 -05:00
sinn3r 00ff2e3dc1 Merge branch 'CVE-2012-1195_thinkmanagement' of https://github.com/juanvazquez/metasploit-framework into juanvazquez-CVE-2012-1195_thinkmanagement 2012-04-07 14:41:19 -05:00
juan 938d5d0a75 added references for cve-2012-1196 2012-04-07 20:22:59 +02:00
juan ee7bce5995 deletion of the ASP script 2012-04-07 20:19:45 +02:00
Tod Beardsley dfe2bbc958 Use rport for modicon_password recovery, not 21. 2012-04-07 13:03:43 -05:00
juan 8761d39190 exploit module added for CVE-2012-1195 2012-04-07 19:04:17 +02:00
Carsten Maartmann-Moe b2e0acd92a Tidied up the exploit 2012-04-06 20:41:54 -04:00
andurin 4e955e5870 replace spaces with tabs 2012-04-06 10:45:10 -05:00
andurin 67e6c7b850 tomcat_mgr_deploy may report successful creds 
Using following code for 'check' as 'exploit':
               report_auth_info(
                       :host   => rhost,
                       :port   => rport,
                       :sname  => (ssl ? "https" : "http"),
                       :user   => datastore['BasicAuthUser'],
                       :pass   => datastore['BasicAuthPass'],
                       :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
                       :active => true
               )

Resulting in:

Credentials
===========

host           port  user    pass    type      active?
----           ----  ----    ----    ----      -------
192.168.x.xxx  8080  tomcat  s3cret  password  true
 2012-04-06 10:45:10 -05:00
Tod Beardsley 461352f24f Don't need to require net/ftp anymore 
Nothing actually used it anyway.
 2012-04-06 10:35:28 -05:00
sinn3r 56b10d4d23 Merge branch 'CVE-2012-0270_csound_getnum_bof' of https://github.com/juanvazquez/metasploit-framework into juanvazquez-CVE-2012-0270_csound_getnum_bof 2012-04-06 02:28:26 -05:00
sinn3r 68c81e3ae0 Add OSVDB-80661 TRENDnet SecurView ActiveX BoF 2012-04-06 02:26:04 -05:00
Carsten Maartmann-Moe b184a6dc5c Exploit for Snort CVE-2006-5276 on Windows 2012-04-05 19:46:56 -04:00
Tod Beardsley 9c8e6ac9da Ruby 1.8 compat for the SCADA modules. 
But really, you should be using Ruby 1.9 by now.
 2012-04-05 17:05:03 -05:00
Tod Beardsley 14e3cd75dc Revert "tomcat_mgr_deploy may report successful creds" 
This reverts commit 937f8f035a.
 2012-04-05 16:17:06 -05:00
juan 5c6856539e .idea dir deleted 2012-04-05 22:46:43 +02:00
juan 955de5a68c comment fixed 2012-04-05 22:46:13 +02:00
juan c5f73d3d7a added module for CVE-2012-0270_csound_getnum_bof 2012-04-05 22:35:42 +02:00
James Lee 0c3f1aab77 Tell the user what actually went wrong when migrate.rb fails 2012-04-05 11:49:03 -06:00
Tod Beardsley 14d9953634 Adding DigitalBond SCADA modules 2012-04-05 12:35:48 -05:00
Tod Beardsley eb39b5f6aa Msftidy on netop 2012-04-05 10:33:57 -05:00
sinn3r 8628991b1d Merge pull request #305 from jlee-r7/bap-refactor 
Bap refactor
 2012-04-05 08:02:43 -07:00
andurin 937f8f035a tomcat_mgr_deploy may report successful creds 2012-04-05 11:09:56 +02:00
James Lee 40ab362e1c Store host details in the target cache 
This allows us to maintain a connection between the client and the
operating system/host where it's running.

Also fixes a counting problem for modules actually started.
 2012-04-05 01:33:07 -06:00
James Lee 0ddfa79a34 Move javascriptosdetect out to its own file 
Allows editors to easily highlight correctly which makes editing a
little nicer. Also makes it easier to debug because line numbers are
only off by the length of the custom_js argument.
 2012-04-04 17:07:17 -06:00
James Lee 6ad0f41479 Add the client to output 2012-04-03 18:27:16 -06:00
James Lee 974d95b175 Both of these are obsoleted by java_atomicreferencearray 2012-04-03 18:23:42 -06:00
James Lee 893430894e Tell the user how many sploits we've picked 2012-04-03 18:22:56 -06:00
sinn3r c79060915a Add Chap0's netop exploit 2012-04-03 11:51:58 -05:00
chap0 48d6157d6e New NetOp Guest msf module http://www.netop.com/ 2012-04-02 16:53:51 -07:00
Tod Beardsley 9cf896ffa1 Pre-release fixups on titles and grammar 
Fixing squid_pivot_scanning and enum_xchat
 2012-04-02 11:24:49 -05:00
Tod Beardsley 7b0ee58d9f Fixing bug spotted by troulouliou in ipv6_neighbor 
Just check for nilness, not the :symbol.
 2012-04-02 10:02:59 -05:00
sinn3r bd5f43c918 Add another good reference by @mihi42 2012-04-01 01:30:50 -05:00
sinn3r bab4cddd83 Add Jeroen Frijters for finding/reporting the bug 2012-03-31 03:01:09 -05:00
sinn3r 1853f8b0c2 Merge pull request #291 from wchen-r7/enum_xchat 
Add post module enum_xchat.rb
 2012-03-31 00:42:15 -07:00
sinn3r 543f5ebfe2 Only display the retry message when necessary 2012-03-31 02:40:24 -05:00
sinn3r 4215030eb3 Set a limit to how many times we can retry 2012-03-31 02:38:46 -05:00
sinn3r 6e4ccaae6b Add post module to collect xchat's configs and chat logs 2012-03-31 00:15:21 -05:00
James Lee cc54a260f5 Merge remote branch 'upstream/master' 2012-03-30 14:31:12 -06:00
James Lee 0547369966 Add bap support for flash mp4 and new java bug 
Also fixes a silly issue where adobe_flash_mp4_cprt was adding the
/test.mp4 resource after every request instead of just once at startup.
 2012-03-30 12:59:07 -06:00
sinn3r e723704a32 Merge pull request #289 from wchen-r7/enum_colloquy 
Add post module enum_colloquy.rb to collect chatlogs and the plist
 2012-03-30 09:24:32 -07:00
sinn3r 18a13a4bfb Correct description 2012-03-30 11:22:55 -05:00
Steve Tornio ae21c05e69 add osvdb ref 2012-03-30 07:26:07 -05:00
sinn3r e018c6604f Modify CVE-2012-0507 2012-03-30 02:06:56 -05:00
sinn3r 8d2a58dfd8 Add post module enum_colloquy.rb to collect chatlogs and the preferences list 2012-03-29 16:24:43 -05:00
Tod Beardsley f069a32223 Merge pull request #288 from wchen-r7/cve_2012_0507 
Adding sinn3r and juan's exploit for CVE-2012-0507. Blog post coming soon.
 2012-03-29 08:46:49 -07:00
sinn3r 791ebdb679 Add CVE-2012-0507 (Java) 2012-03-29 10:31:14 -05:00
Tod Beardsley bd4819e8f2 Merge pull request #238 from mak/linux-x64-find-port 
linux/x64/shell_find_port payload
 2012-03-29 05:54:54 -07:00
Tod Beardsley 220ad7875f Merge pull request #285 from wvandevanter-r7/squid_pivot_scanning 
Squid pivot scanning
 2012-03-29 05:02:05 -07:00
Willis Vandevanter f5e05461f6 changed the false positive check IP to a user set variable 2012-03-28 22:18:56 -04:00
Willis Vandevanter 0fcab521d2 fixed print_bad 2012-03-28 02:32:03 -04:00
Tod Beardsley 5248ec87b5 Fixing EDB reference 2012-03-27 16:49:47 -05:00
Tod Beardsley b1683c94ef Merge pull request #281 from jlee-r7/module-tests 
Module tests
 2012-03-27 10:23:20 -07:00
James Lee 812457fed0 Rename enum_user_dirs 2012-03-27 10:52:16 -06:00
Tod Beardsley 5f9000efb3 Merge pull request #280 from wchen-r7/osx_airport 
Add OSX Gather Airport post module
 2012-03-27 05:48:26 -07:00
sinn3r e44f9d06ec Remove the extra 'require' 2012-03-27 01:24:12 -05:00
sinn3r 670e15b40f Add OSX Gather Airport post module 2012-03-27 01:18:38 -05:00
Tod Beardsley fb9163caf9 Merge pull request #278 from wchen-r7/manageengine_deviceexpert 
Add OSVDB-80262 ManageEngine DeviceExpert
 2012-03-26 14:42:36 -07:00
Tod Beardsley 7a74cc7694 Quoting "Chicken of the VNC" 
Otherwise, this looks like a nonsense string to people not familiar with
this application.
 2012-03-26 16:26:40 -05:00
Tod Beardsley 8fbf4cf6d9 Grammar on dns_txt_query_exec payload name and desc 2012-03-26 16:23:54 -05:00
Tod Beardsley d95d60670e Fix up desc again on enum_dns 2012-03-26 16:20:00 -05:00
Tod Beardsley 14b45f9fb1 More fixes to enum_dns.rb 
* Should use 'and', not & (bitwise AND)
  * Made capitalization sane for Anglophones. See: http://owl.english.purdue.edu/owl/resource/592/1/
 2012-03-26 16:14:04 -05:00
Tod Beardsley dc6f76eb20 Style fixes for enum_dns.rb 
* Use a dotted.notation for note types
  * Changed title to something more descriptive
  * Expanded description
  * Other trivial changes
 2012-03-26 16:08:39 -05:00
sinn3r 79d74b8768 ADD OSVDB-80262 2012-03-26 12:58:18 -05:00
sinn3r 19fc8d9883 Add OSVDB-80262 2012-03-26 12:42:24 -05:00
Tod Beardsley 507dd423ce Rogue period, DELETED. 2012-03-26 10:54:26 -05:00
sinn3r 182f3744de Cosmetic cleanup 2012-03-26 09:23:14 -05:00
corelanc0d3r ad32911b1a probably safer to use regex 2012-03-26 09:01:40 -05:00
Kurtis Miller e2606764cb forgot to add renamed module 2012-03-25 09:08:38 -07:00
Kurtis Miller 7ea37253a0 modifications recommended by sinn3r 2012-03-25 09:04:35 -07:00
Kurtis Miller d8ddb19b56 cve-2008-0610 windows exploit module 2012-03-25 00:14:19 -07:00
Jonathan Cran 135cf7ba04 remove trailing comma, thanks troulouliou 2012-03-23 17:00:04 -05:00
Tod Beardsley e1783acd6f Adding newline to end of ricoh_dl_bof.rb 2012-03-23 16:31:11 -05:00
Tod Beardsley 2bcf259301 Setting correct LFs on freepbx_callmenum.rb 2012-03-23 16:29:42 -05:00
wchen-r7 71462bc73d Merging in freepbx_callmenum.rb and ricoh_dl_bof.rb 
[Closes #266]
 2012-03-23 16:23:36 -05:00
sinn3r fbfd308d79 This actually shouldn't go it now because it's still being code reviewed 2012-03-23 15:32:24 -05:00
Tod Beardsley 47493af103 Merge pull request #259 from todb-r7/edb-2 
Convert Exploit-DB references to first-tier "EDB-12345" references
 2012-03-23 12:09:07 -07:00
sinn3r 6f0f9041c8 Merge pull request #267 from wchen-r7/hp_data_protector_win_cmd 
Add HP Data Protector aux module for executing commands on Windows
 2012-03-23 11:06:52 -07:00
sinn3r 10733f6a1c Update description 2012-03-23 13:05:40 -05:00
sinn3r fef1e31e2a Merge branch 'olliwolli-3cdaemonsp3' 2012-03-23 08:52:19 -05:00
Tod Beardsley e30623a2c9 Merge pull request #264 from wchen-r7/ricoh_dc_exploit 
Add Ricoh DC DL-10 FTP Buffer Overflow
 2012-03-23 06:45:02 -07:00
sinn3r 20f0a58c6a Minor fixes 2012-03-23 08:23:30 -05:00
sinn3r 41bc8ded3d Add HP Data Protector aux module for executing commands on Windows 2012-03-23 07:57:13 -05:00
Oliver-Tobias Ripka 30a3d8bb96 Add Windows SP3 to targets. 2012-03-23 13:52:18 +01:00
James Lee 17a044db89 Print the full URI 
Makes everything obvious from output alone, don't need to show options
to see what RHOST is.
 2012-03-22 18:44:55 -06:00
sinn3r 6625d97599 Add Ricoh DC DL-10 FTP Buffer Overflow 2012-03-22 15:30:00 -05:00
Patrick Webster 3dc0e97998 Updating description and refs to Patrick's module 
There was some weirdness with the commit log on this module but it
should all be kosher now.

[Closes #260]
 2012-03-22 10:30:25 -05:00
James Lee 2d29184adc Use interpolation to ensure LPORT is a string for gsub 
[Fixes #6542]
 2012-03-21 21:05:05 -06:00
sinn3r ddacf1dde8 Merge pull request #258 from wchen-r7/ms10_002_ie 
Add CVE-2010-0248 Internet Explorer Object Handling Use After Free
 2012-03-21 17:20:27 -07:00
sinn3r 0a24c354db Update ms10-002 with dyphens 2012-03-21 19:19:20 -05:00
Tod Beardsley 7d12a3ad3a Manual fixup on remaining exploit-db references 2012-03-21 16:43:21 -05:00
Tod Beardsley 2f3bbdc00c Sed replacement of exploit-db links with EDB refs 
This is the result of:

find modules/ -name \*.rb -exec sed -i -e 's#\x27URL\x27,
\x27http://www.exploit-db.com/exploits/\([0-9]\+\).*\x27#\x27EDB\x27,
\1#' modules/*.rb {} \
 2012-03-21 16:43:21 -05:00
sinn3r 2c16eb29b6 Add CVE-2010-0248 Internet Explorer Object Handling Use After Free exploit 2012-03-21 16:11:26 -05:00
Tod Beardsley 31228ed65a Comment indentation 2012-03-21 15:21:10 -05:00
Tod Beardsley 482a1a8511 Merge pull request #253 from corelanc0d3r/dnspayload 
rewrote DNS TXT query out-of-band payload delivery shellcode
 2012-03-21 13:19:55 -07:00
Tod Beardsley 8f17cc3f5c MS12-020 not MS12-002 2012-03-21 13:58:18 -05:00
Tod Beardsley 23c9c51014 Fixing CVE format on sit_file_upload. 2012-03-21 09:59:20 -05:00
Tod Beardsley b09d91d1c7 Removing enum_bing_url 
Moving this over to unstable until the described http request problem
gets resolved.
 2012-03-21 09:33:31 -05:00
Peter Van Eeckhoutte 89d7363a8f fixed crash 2012-03-21 10:39:05 +01:00
sinn3r c64226f4b8 Fix regex 2012-03-21 04:31:49 -05:00
sinn3r 056985625d damn comma 2012-03-21 04:06:54 -05:00
sinn3r e973da7c6d Add Chicken of the VNC client profile collector module 2012-03-21 04:04:35 -05:00
Peter Van Eeckhoutte f81730a7e1 changes to the way jmp to payload is done 2012-03-21 09:52:22 +01:00
corelanc0d3r 45ef7fc35d reset author 2012-03-20 20:43:56 +01:00
sinn3r ed542e2b6c Change dns_enum to enum_dns for naming style consistency 2012-03-20 14:11:04 -05:00
sinn3r b8b5c79957 No need for net/http 2012-03-20 14:09:40 -05:00
sinn3r 777e221232 Add Bing URL enumerator by Royce (Feature #6499) 2012-03-20 14:07:42 -05:00
Tod Beardsley da963fc8b2 Adding OSVDB for dell_webcam_crazytalk.rb 2012-03-20 07:52:50 -05:00