b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
57449ac719
Adds working shellcode exec local exploit.
2014-02-17 15:31:45 -06:00
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec
2014-02-14 17:16:27 -06:00
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
745f313413
Remove @nmonkee as author per twitter convo
2014-02-13 14:41:10 -06:00
371f23b265
Unbreak the URL refs add nmonkee as ref and author
...
While @nmonkee didn't actually contribute to #2942 , he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.
Also added a ref to @nmonkee's thing.
@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
ff267a64b1
Have into account the Content-Transfer-Encoding header
2014-02-12 12:40:11 -06:00
45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb
2014-02-12 11:14:25 -06:00
a59ce95901
Land #2970 , @sgabe exploit for CVE-2010-2343
2014-02-12 08:10:53 -06:00
9845970e12
Use pop#ret to jump over the overwritten seh
2014-02-12 08:10:14 -06:00
11513d94f5
Add Juan as author
2014-02-12 12:17:02 +01:00
3283880d65
Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
...
This partially reverts commit 12471660e9
2014-02-12 12:09:16 +01:00
7195416a04
Increase the size of the NOP sled
2014-02-12 02:35:53 +01:00
3f09456ce8
Minor code formatting
2014-02-11 23:53:04 +01:00
7fc3511ba9
Remove unnecessary NOPs
2014-02-11 23:48:54 +01:00
12471660e9
Replace unnecessary NOP sled with random text
2014-02-11 23:48:04 +01:00
184ccb9e1e
Fix payload size
2014-02-11 23:42:58 +01:00
783e62ea85
Applied changes from @wchen-r7's comments
2014-02-11 10:14:52 -08:00
3717374896
Fix and improve reliability
2014-02-11 10:44:58 -06:00
51df2d8b51
Use the fixed API on the mediawiki exploit
2014-02-11 08:28:58 -06:00
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
e8a3984c85
Fix ROP NOP address and reduce/remove NOPs
2014-02-11 00:29:37 +01:00
e6905837eb
Land #2960 , rand_text_alpha for amaya_bdo
2014-02-10 16:44:11 -06:00
13fadffe7e
Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial
2014-02-10 13:44:30 -08:00
a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-10 21:43:56 +00:00
1236a4eb07
Fixup on description and some option descrips
2014-02-10 14:41:59 -06:00
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
08b6f74fb4
Add module for CVE-2010-2343
2014-02-10 20:46:09 +01:00
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
8ece4a7750
Delete debug print
2014-02-10 08:57:45 -06:00
57320a59f1
Do small clean up for mediawiki_thumb pr
2014-02-10 08:57:09 -06:00
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
c96116b193
Land #2949 - Add module Kloxo SQLi
2014-02-08 13:45:11 -06:00
32c02dd56a
Added some randomness
2014-02-08 11:27:25 +08:00
dcff06eba1
More verbose failure messages
2014-02-07 23:59:28 +00:00
66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec
2014-02-07 17:41:35 -06:00
bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell)
2014-02-07 17:39:06 -06:00
783a986a19
Windows and auto target up and running
2014-02-07 23:26:57 +00:00
a0f47f6b2b
Correct error check logic
2014-02-07 22:06:53 +00:00
443a51bbf5
Undo revert from merge
2014-02-07 21:28:04 +00:00
56359aa99f
Merge changes from other dev machine
2014-02-07 21:22:44 +00:00
a4cc75bf98
Potential .pdf support
2014-02-07 20:37:44 +00:00
e13520d7fb
Handle a blank filename
2014-02-07 20:15:32 +00:00
103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-07 20:07:04 +00:00
c679b1001b
Make pring_warning verbose
2014-02-07 10:23:07 -06:00
2d93b38e2a
Fixed java_signed_applet for Java 7u51
2014-02-07 16:29:50 +01:00
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
a18de35fa7
Add module for ZDI-14-011
2014-02-06 18:25:36 -06:00
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
4b37cc7243
Land #2927 , PandoraFMS anyterm exploit
2014-02-06 15:22:23 -06:00
4236abe282
Better SIGHUP handling
2014-02-06 15:21:54 -06:00
19fff3c33e
Land #2942 , @jvennix-r7's Android awesomesauce
...
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
362e937c8d
Forgot to push local changes.
2014-02-06 11:47:35 -06:00
0dc2ec5c4d
Use BrowserExploitServer mixin.
...
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
fdb954fdfb
Report credentials
2014-02-05 14:37:33 -06:00
631559a2e8
Add module for Kloco SQLi
2014-02-05 14:18:56 -06:00
553616b6cc
Add URL for browser exploit.
2014-02-04 17:04:06 -06:00
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
23fc73924e
Msftidy it up.
2014-02-04 14:24:36 -06:00
a58698c177
Land #2922 , multithreaded check command
2014-02-04 11:21:05 -06:00
0a3cb3377f
AppendEncoder
2014-02-04 15:41:10 +00:00
26c506da42
Naming of follow method
2014-02-04 15:25:51 +00:00
f5fa3fb5ce
Windows compat, fixed PHP-CLI
2014-02-04 14:27:10 +00:00
64d11e58c2
Use semicolon for win compat
2014-02-04 13:53:33 +00:00
700e09f386
Wording tweak.
2014-02-04 02:55:10 -06:00
bbabd72b0e
Whitespace tweaks.
2014-02-04 02:52:52 -06:00
eb6a5a4c19
Tweak checks.
2014-02-04 02:49:44 -06:00
4923a93974
Tweak description.
2014-02-04 02:47:49 -06:00
37479884a5
Add browserautopwn support.
2014-02-04 02:32:12 -06:00
eba3a5aab0
More accurate description.
2014-02-04 01:44:39 -06:00
177bd35552
Add webview HTTP exploit.
2014-02-04 01:37:09 -06:00
2fd8257c7e
Use bperry's trigger
2014-02-04 00:51:34 +00:00
a8ff6eb429
Refactor send_request_cgi_follow_redirect
2014-02-03 21:49:49 +00:00
83925da2f1
Refactor form_data code
2014-02-03 21:16:58 +00:00
7e2a9a7072
More desc fixes, add a vprint to give a hint
2014-02-03 13:18:52 -06:00
d34020115a
Fix up on apache descs and print_* methods
2014-02-03 13:13:57 -06:00
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
50f860757b
Changes made to pandora_fms_exec module as requested
2014-02-03 14:10:27 +07:00
67c18d8d2d
I had a problem, then I used regex.
2014-02-02 22:19:54 +00:00
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
57f4998568
Better failures and handle unconfigured server
2014-02-02 16:26:22 +00:00
9fa9402eb2
Better check and better follow redirect
2014-02-02 16:07:46 +00:00
0d3a40613e
Add auto 30x redirect to send_request_cgi
2014-02-02 15:03:44 +00:00
8b33ef1874
Not html its form-data...
2014-02-02 13:57:29 +00:00
7ddc6bcfa5
Final tidyup
2014-02-01 01:05:02 +00:00
486a9d5e19
Use msf branded djvu
2014-02-01 00:37:28 +00:00
fd1a507fda
Rename file
2014-02-01 00:27:32 +00:00
700c6545f0
Polished
2014-02-01 00:26:55 +00:00
a5bff638c5
Remove EOL spaces
2014-01-31 15:01:03 -06:00
5a883a4477
updated
2014-01-31 21:59:26 +01:00
7fa1522299
Initial commit
2014-01-31 18:51:18 +00:00
b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution
2014-01-31 12:06:58 -06:00
60ead5de43
Explain why we flag the vuln as "Appears" instead of vulnerable
2014-01-31 12:05:58 -06:00
2fca2da9f7
Add an vprint message on check
2014-01-31 11:57:20 -06:00
356692f2f5
Land #2923 , @rangercha tomcat deploy module compatible with tomcat8
2014-01-31 10:53:53 -06:00
a010748056
Land #2924 , @xistence's exploit for CVE-2014-1683
2014-01-31 09:20:10 -06:00
710902dc56
Move file location
2014-01-31 09:18:59 -06:00
810605f0b7
Do final cleanup for the skybluecanvas exploit
2014-01-31 09:17:51 -06:00
32c5d77ebd
Land #2918 , @wvu's fix for long argument lists
2014-01-31 08:49:22 -06:00
f6291eb9a8
updated
2014-01-31 14:33:18 +01:00
ffd8f7eee0
Changes as requested in SkyBlue Canvas RCE module
2014-01-31 12:52:48 +07:00
Fr330wn4g3
jvazquez-r7
xistence
bcoles
OJ
Meatballs
David Maloney
sinn3r
Joe Vennix
Tod Beardsley
William Vu
Philip OKeefe
Mekanismen
Jovany Leandro G.C
sgabe
bwall
Spencer McIntyre
David Maciejak
grimmlin
James Lee