infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
23,751 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

12535 Commits (0b3f49f22ad463a0b349dee4040d6b18f5cb3b06)

Author SHA1 Message Date
sinn3r fe0b76e24e
Land #2994 - OWA 2013 support 2014-03-19 13:16:37 -05:00
jvazquez-r7 d6faf20981 Make title more accurate 2014-03-19 12:43:34 -05:00
jvazquez-r7 144b86fee3 Add reference 2014-03-19 12:17:53 -05:00
jvazquez-r7 27d142b387 Solve conflict by keeping file 2014-03-19 12:15:05 -05:00
jvazquez-r7 fb645b6692 Clean code 2014-03-19 12:06:20 -05:00
jvazquez-r7 0a795ab602
Land #3106, @xistence's exploit for Array Networks devices 2014-03-19 10:49:03 -05:00
jvazquez-r7 0e27d75e60 Code clean up 2014-03-19 10:48:25 -05:00
Brandon Perry 2ef2f9b47c use vars_get 2014-03-19 07:51:34 -07:00
Brandon Perry 920b2da720 Merge branch 'master' into joomla_sqli 2014-03-19 07:43:32 -07:00
Tod Beardsley d27264b402
Land #2782, fix expand_path abuse 2014-03-19 08:41:28 -05:00
xistence 056ce5d097 removed file which did not belong in this pull request 2014-03-19 15:04:19 +07:00
sinn3r 2e76faa076 Add MS14-012 Internet Explorer Use-After-Free Exploit Module 
Add MS14-012 IE UAF.
 2014-03-18 17:55:56 -05:00
jvazquez-r7 379c0efd5a Update POP chain documentation 2014-03-18 16:29:30 -05:00
jvazquez-r7 77c128fbc5 Fix disclosure date and add ref 2014-03-18 16:21:44 -05:00
jvazquez-r7 b6e8bb62bb Switch exploitation technique to use default available classes 2014-03-18 16:07:50 -05:00
William Vu dfd3a81566
Land #3111, hash rockets shouldn't be in refs 2014-03-18 14:25:04 -05:00
jvazquez-r7 38176ad67d
Land #3109, @xistence's Loadbalancer.org Enterprise VA applicance exploit 2014-03-18 06:53:26 -05:00
jvazquez-r7 ddd923793a Do minor clean up 2014-03-18 06:52:50 -05:00
jvazquez-r7 ad49df4301 Register RHOST 2014-03-18 06:17:41 -05:00
jvazquez-r7 600338bd29
Land #3108, @xistence's exploit for Quantum vmPRO shell-escape 2014-03-18 06:12:18 -05:00
jvazquez-r7 f656e5fedb Do minor clean up 2014-03-18 06:11:02 -05:00
jvazquez-r7 f86fd8af5d Delete debug print 2014-03-17 21:01:41 -05:00
jvazquez-r7 3bdd906aae Add module for CVE-2014-1691 2014-03-17 20:47:45 -05:00
Tod Beardsley 8f2124f5da
Minor updates for release 
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
 2014-03-17 13:26:26 -05:00
Tod Beardsley c916b62f47
Removes hash rockets from references. 
[SeeRM #8776]
 2014-03-17 09:40:32 -05:00
xistence 9bb4e5cfc3 Loadbalancer.org Enterprise VA SSH privkey exposure 2014-03-17 14:22:51 +07:00
xistence c116697c70 Quantum vmPRO backdoor command 2014-03-17 14:19:27 +07:00
xistence ef4a019b20 Quantum DXi V1000 SSH private key exposure 2014-03-17 14:15:00 +07:00
xistence e261975c34 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:11:16 +07:00
xistence 1043d9d8b2 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:06:55 +07:00
Daniel Miller 0b6a890137 Fix missing require in reverse_powershell 
When initializing the db:

/opt/metasploit-framework/modules/payloads/singles/cmd/windows/reverse_powershell.rb:34:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
    from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
    from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:72:in `on_module_load'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:207:in `load_module'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:271:in `block in load_modules'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:58:in `block (2 levels) in each_module_reference_name'
    from /opt/metasploit-framework/lib/rex/file.rb:127:in `block in find'
    from /opt/metasploit-framework/lib/rex/file.rb:126:in `catch'
    from /opt/metasploit-framework/lib/rex/file.rb:126:in `find'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:45:in `block in each_module_reference_name'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `foreach'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `each_module_reference_name'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:264:in `load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:118:in `block in load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `each'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:56:in `block in add_module_path'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `each'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `add_module_path'
    from /opt/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:14:in `init_module_paths'
    from /opt/metasploit-framework/lib/msf/ui/console/driver.rb:228:in `initialize'
    from /opt/metasploit-framework/msfconsole:148:in `new'
    from /opt/metasploit-framework/msfconsole:148:in `<main>'
 2014-03-14 19:28:00 +00:00
David Maloney da0c37cee2
Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
Brandon Perry a01dd48640 a bit better error message if injection works but no file 2014-03-13 13:38:43 -07:00
Brandon Perry b0688e0fca clarify LOAD_FILE perms in description 2014-03-13 13:11:27 -07:00
sinn3r 243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow 2014-03-13 14:13:17 -05:00
sinn3r e832be9eeb Update description and change ranking 
The exploit requires the targeted user to open the malicious in
specific ways.
 2014-03-13 14:09:37 -05:00
sinn3r 6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell 2014-03-13 13:36:37 -05:00
Michael Messner 8db5d854c2 typo, null terminator 2014-03-13 18:38:27 +01:00
Joe Vennix 952b50f8c1
Add priv escalation mixin to the firefox local exploit. 2014-03-13 11:49:44 -05:00
Brandon Perry 2734b89062 update normalize_uri calls 2014-03-13 06:55:15 -07:00
William Vu 5aad8f2dc3
Land #3088, SNMP timestamp elements fix 2014-03-13 02:22:14 -05:00
Brandon Perry 7540dd83eb randomize markers 2014-03-12 20:11:55 -05:00
Brandon Perry 3fedafb530 whoops, extra char 2014-03-12 19:54:58 -05:00
Brandon Perry aa00a5d550 check method 2014-03-12 19:47:39 -05:00
Michael Messner f39e784d19 mipsle execve payload 2014-03-12 21:08:40 +01:00
Brandon Perry 9cb1c1a726 whoops, typoed the markers 2014-03-12 10:58:34 -07:00
Brandon Perry 6636d43dc5 initial module 2014-03-12 10:46:56 -07:00
Tod Beardsley 206660ddde
Recreate the intent of cfebdae from @parzamendi-r7 
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656.

[SeeRM #8730]
 2014-03-11 14:30:01 -05:00
sho-luv f7af9780dc
Rescue InvalidWordCount error 
This is a cherry-pick of commit ea86da2 from PR #2656
 2014-03-11 14:17:36 -05:00
William Vu 517f264000 Add last chunk of fixes 2014-03-11 12:46:44 -05:00
James Lee f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0 
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
 2014-03-11 12:44:07 -05:00
William Vu 25ebb05093 Add next chunk of fixes 
Going roughly a third at a time.
 2014-03-11 12:23:59 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors 
There needs to be a better way to go about preventing/fixing these.
 2014-03-11 11:18:54 -05:00
OJ 3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path 
Conflicts:
	lib/msf/core/post/windows/shadowcopy.rb
	modules/exploits/windows/local/bypassuac.rb
	modules/post/windows/gather/wmic_command.rb
	modules/post/windows/manage/persistence.rb
 2014-03-11 23:13:39 +10:00
joev 46c11ea2eb Small fixes to m-1-k-3's mipsle reboot shellcode. 2014-03-10 17:17:23 -05:00
joev 7da54eb9cf
Merge branch 'landing-3041' into upstream-master 
Lands PR #3041, @m-1-k-3's reboot shellcode.
 2014-03-10 17:11:06 -05:00
Tod Beardsley 2086224a4c
Minor fixes. Includes a test module. 2014-03-10 14:49:45 -05:00
Tod Beardsley 26be236896
Pass MSFTidy please 2014-03-10 14:45:56 -05:00
jvazquez-r7 8cfa5679f2 More nick instead of name 2014-03-10 16:12:44 +01:00
jvazquez-r7 bc8590dbb9 Change DoS module location 2014-03-10 16:12:20 +01:00
jvazquez-r7 1061036cb9 Use nick instead of name 2014-03-10 16:11:58 +01:00
Tod Beardsley 5485028501
Add 3 Yokogawa SCADA vulns 
These represent our part for public disclosure of the issues listed
here:

http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf

Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:

YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4

@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:

https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities

Thanks for all the work on these!
 2014-03-10 09:33:54 -05:00
sinn3r e32ff7c775
Land #3077 - Allow TFTP server to take a host/port argument 2014-03-08 00:58:52 -06:00
Tod Beardsley 151e2287b8
OptPath, not OptString. 2014-03-07 10:52:45 -06:00
Tod Beardsley 5cf1f0ce4d
Since dirs are required, server will send/recv 
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.

Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
 2014-03-07 10:49:11 -06:00
Tod Beardsley 37fa4a73a1
Make the path options required and use /tmp 
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
 2014-03-07 10:41:18 -06:00
sinn3r c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack 2014-03-07 10:29:56 -06:00
Spencer McIntyre ebee365fce
Land #2742, report_vuln for MongoDB no auth 2014-03-06 19:34:45 -05:00
Spencer McIntyre 84f280d74f
Use a more descriptive MongoDB vulnerability title 2014-03-06 19:20:52 -05:00
Tod Beardsley 8a0531650c
Allow TFTP server to take a host/port argument 
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.

This is almost never correct.
 2014-03-06 16:13:20 -06:00
Joe Vennix 9638bc7061 Allow a custom .app bundle. 
* adds a method to Rex::Zip::Archive to allow recursive packing
 2014-03-06 16:11:30 -06:00
Joe Vennix 5abb442757 Adds more descriptive explanation of 10.8+ settings. 2014-03-06 15:15:27 -06:00
Joe Vennix 43d315abd5 Hardcode the platform in the safari exploit. 2014-03-06 13:04:47 -06:00
Brendan Coles df2bdad4f9 Include 'msf/core/exploit/powershell' 
Prevent:

```
[-] 	/pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
 2014-03-06 12:57:43 +11:00
Joe Vennix 38a2e6e436 Minor fixes. 2014-03-05 19:03:54 -06:00
Joe Vennix dca807abe9 Tweaks for BES. 2014-03-05 19:00:15 -06:00
Joe Vennix 12cf5a5138 Add BES, change extra_plist -> plist_extra. 2014-03-05 18:51:42 -06:00
sinn3r 9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write 2014-03-05 16:34:54 -06:00
bcoles 1ea35887db Add OSVDB reference 2014-03-06 01:40:15 +10:30
jvazquez-r7 4e9350a82b Add module for ZDI-14-008 2014-03-05 03:25:13 -06:00
Joe Vennix cd3c2f9979 Move osx-app format to EXE. 2014-03-04 22:54:00 -06:00
OJ a1aef92652
Land #2431 - In-memory bypass uac 2014-03-05 11:15:54 +10:00
sinn3r 7cb6e7e261
Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read 2014-03-04 17:52:29 -06:00
sinn3r f0e97207b7 Fix email format 2014-03-04 17:51:24 -06:00
Joe Vennix 32c27f6be0 Tweak timeouts. 2014-03-04 17:16:23 -06:00
Joe Vennix 40047f01d3 Adds Safari User Assisted download launch module. 2014-03-04 17:02:51 -06:00
sinn3r caaa419ef8
Land #3054 - Fix crash in osx/x64/exec on 10.9 Mavericks 2014-03-04 15:24:02 -06:00
Brandon Perry c86764d414 update default password to root 2014-03-04 11:55:30 -08:00
Brandon Perry 2b06791ea6 updates regarding PR comments 2014-03-04 10:08:31 -08:00
William Vu e30238fe0d
Land #3062, unused arg fix for vmware_mount 2014-03-04 11:37:41 -06:00
James Lee 68205fa43c
Actually use the argument 2014-03-04 11:30:42 -06:00
sinn3r f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww 2014-03-04 11:29:52 -06:00
David Maloney db76962b4a
Land #2764, WMIC Post Mixin changes 
lands Meatballs WMIC changes
 2014-03-04 10:21:46 -06:00
Brandon Perry a3523bdcb9 Update mantisbt_admin_sqli.rb 
remove extra new line and fix author line
 2014-03-04 08:44:53 -06:00
OJ f0868c35bf
Land #3050 - Fix tained perl payloads 2014-03-04 10:05:47 +10:00
sgabe 408fedef93 Add module for OSVDB-98283 2014-03-04 00:51:01 +01:00
Meatballs 32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post 2014-03-03 21:56:31 +00:00
Brandon Perry 98b59c4103 update desc 2014-03-03 12:40:58 -08:00
Brandon Perry c5d1071456 add mantisbt aux module 2014-03-03 12:36:38 -08:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00