William Webb
467f1ce0ca
Land #8411, Buffer overflow in VXSearch Enterprise v9.5.12
2017-05-22 07:37:31 -05:00
Christian Mehlmauer
b5caeb29dd
only support for 32bit so far
2017-05-22 12:30:52 +02:00
HD Moore
036f063988
Fix a stack trace when no SMB response is received
2017-05-19 16:24:41 -05:00
Pearce Barry
a6f416e8df
Land #8290, Hwbridge Automotive Fix and Extension Enhancements
2017-05-19 13:46:54 -05:00
lincoln
b76229b5f7
removed unnecessary line
2017-05-18 19:15:49 -07:00
lincoln
7ca0fe5a68
Added make_junk function
2017-05-18 19:06:09 -07:00
James Lee
4def7ce6cc
Land #8327, Simplify storing credentials
2017-05-18 16:49:01 -05:00
Daniel Teixeira
c1624d0967
VX Search Enterprise GET Buffer Overflow
2017-05-18 17:12:47 +01:00
zerosum0x0
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
zerosum0x0
d944bdfab0
expect 0xC00000D
2017-05-17 23:05:20 -06:00
zerosum0x0
646ca14375
basic OS verification, ghetto socket read code
2017-05-17 22:48:45 -06:00
wchen-r7
c0bf2cc6e7
Land #8401, Buffer Overflow on Sync Breeze Enterprise 9.4.28
2017-05-17 23:39:50 -05:00
wchen-r7
3360171977
Land #8319, Add exploit module for Mediawiki SyntaxHighlight extension
2017-05-17 23:23:50 -05:00
James Lee
b78749bc1b
Land #8221, move autoroute
2017-05-17 15:17:45 -05:00
Daniel Teixeira
ad8788cc74
Update syncbreeze_bof.rb
2017-05-17 11:33:24 +01:00
Daniel Teixeira
5329ce56c4
Sync Breeze Enterprise GET Buffer Overflow
2017-05-17 10:53:28 +01:00
lincoln
2f39daafc5
Updated module removing hardcoded binary payload strings
-Used only necessary pointers needed for exploit to work, removing junk/filler chars
-Replaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
William Webb
7e2dab4ddc
Land #8303, Buffer Overflow on Dupscout Enterprise v9.5.14
2017-05-17 01:04:59 -05:00
zerosum0x0
6fb4040d11
add core buffer dump for OS version
2017-05-16 23:18:39 -06:00
William Vu
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
wchen-r7
11da7c7c81
Land #8394, Add Moxa Credential Recovery Module
2017-05-16 16:45:22 -05:00
wchen-r7
8025eb573a
Enforce check
Because we are not able to get our hands on the hardware for testing,
and because this module may trigger a backtrace if the UDP server isn't
Moxa, we force check to make sure that doesn't happen.
2017-05-16 16:43:22 -05:00
wchen-r7
77a9676efb
Land #8347, Add Serviio Media Server checkStreamUrl Command Execution
2017-05-16 16:20:39 -05:00
William Vu
6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue
2017-05-16 15:53:34 -05:00
William Vu
e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue
2017-05-16 15:41:16 -05:00
James Lee
e3f4cc0dfd
Land #8345, WordPress PHPMailer Exim injection
CVE-2016-10033
2017-05-16 15:07:21 -05:00
wchen-r7
2d7f7f9aec
Pass msftidy
2017-05-16 15:05:12 -05:00
William Vu
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
wchen-r7
e62fc3e93c
Land #8376, Add BuilderEngine 3.5 Arbitrary file upload & exec exploit
2017-05-16 14:53:32 -05:00
wchen-r7
631267480d
Update module description
2017-05-16 14:48:46 -05:00
wchen-r7
2ed8ae11b4
Add doc and make minor changes
2017-05-16 14:47:19 -05:00
William Vu
7c1dea2f02
Refactor prestager to work with newer Exim
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
William Vu
eff4914240
Land #8381, ETERNALBLUE exploit (to be continued)
2017-05-16 12:19:45 -05:00
zerosum0x0
53bb5a8440
Update ms17_010_eternalblue.rb
2017-05-16 10:43:43 -06:00
William Vu
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
wchen-r7
20b682b2e4
Land #8391, fix a typo in vmware_enum_permissions module description
orts
2017-05-16 09:33:26 -05:00
Patrick DeSantis
4a0535c2d0
add moxa credential recovery module
2017-05-16 10:21:44 -04:00
William Vu
5fd6cb0890
Remove nil case, since response might be nil
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
William Vu
b41427412b
Improve fail_with granularity for 400 error
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
h00die
b2f69e9018
spelling
2017-05-15 21:11:19 -04:00
William Vu
1a644cadc4
Add print_good to on_request_uri override
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
james-otten
3c4dfee4f5
Module to execute powershell on Octopus Deploy server
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.
During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lots of other interesting data).
Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.
More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
William Vu
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
William Vu
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
William Vu
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
William Vu
35670713ff
Remove budding anti-patterns to avoid copypasta
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
Carter
5ee570bb9c
Fix non-uniform spelling and capitalization
2017-05-15 08:31:01 -04:00
zerosum0x0
cb4c700e62
fix typo
2017-05-14 21:52:36 -06:00
zerosum0x0
865a36068e
sleep fix and new shellcode
2017-05-14 21:45:19 -06:00
zerosum0x0
e3dcf0ab2d
added docs
2017-05-14 19:22:26 -06:00
zerosum0x0
9634f974dd
fix msftidy
2017-05-14 18:14:02 -06:00
zerosum0x0
fa79339432
eternalblue module
2017-05-14 18:11:41 -06:00
Spencer McIntyre
f39e378496
Land #8330, fix ps_wmi_exec and psh staging
2017-05-13 14:26:47 -04:00
Carter
ce7b967a13
Update archmigrate.rb
2017-05-13 13:35:48 -04:00
Carter
78b0fb00da
I committed to the wrong branch
2017-05-13 13:35:13 -04:00
Carter
0bd11062e4
Add SYSTEM check to archmigrate
2017-05-13 13:28:28 -04:00
itsmeroy2012
3a1ed19a42
Making use of StagerRetryConnect
2017-05-13 17:49:53 +05:30
William Vu
c622e3fc22
Deregister URIPATH because it's overridden by Path
2017-05-12 11:56:38 -05:00
William Vu
84af5d071d
Deregister VHOST because it's overridden by Host
2017-05-12 11:44:10 -05:00
Mzack9999
27e1de14b0
BuilderEngine 3.5 Arbitrary file upload and execution exploit
2017-05-12 18:37:08 +02:00
Brent Cook
7bcaaf33c7
Land #8294, gnome keyring post exploit credential dumper
2017-05-12 10:08:53 -05:00
Brent Cook
e9fcc3c291
msftidy fixes
2017-05-12 10:08:26 -05:00
Brent Cook
7355817329
Land #8371, Fix msftidy warnings for the WNR2000 module
2017-05-11 22:51:11 -05:00
Brent Cook
123462bdca
Land #8293, add initial multi-platform railgun support
2017-05-11 22:32:23 -05:00
h00die
af4505a9de
land #8009 post module for jboss creds gather
2017-05-11 22:39:54 -04:00
h00die
285857c23f
remove req msfcore
2017-05-11 22:39:41 -04:00
h00die
6fa51aee8f
moving docs to correct folder
2017-05-11 22:33:00 -04:00
William Vu
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
William Vu
bee36ca90f
Fix edge case
2017-05-11 16:22:21 -05:00
William Vu
68f13808e7
Fix msftidy warnings for the WNR2000 module
2017-05-11 16:16:10 -05:00
William Vu
2ae943d981
Use payload common case instead of general case
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
Brent Cook
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
Brent Cook
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
William Webb
e8aed42ecd
Land #8223, Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
Josh Hale
843f148e62
One more yard doc function
2017-05-10 23:01:03 -05:00
Josh Hale
e84765c1c6
All functions have yard doc like comments
2017-05-10 23:01:03 -05:00
Josh Hale
c5391c2a64
Update cmd print to match core.rb
2017-05-10 23:01:03 -05:00
Josh Hale
10c7c3893a
Add subnet check for Android payloads
2017-05-10 23:01:03 -05:00
Josh Hale
c49bd9ee4e
Add session ready check
2017-05-10 23:01:03 -05:00
Josh Hale
97eaa83114
Update delete all routes
2017-05-10 23:01:03 -05:00
Josh Hale
f670fcddcb
Initial code cleanup and multi compatibility work
2017-05-10 23:01:02 -05:00
Brent Cook
099fc0176a
move autoroute to a more sensible location
2017-05-10 23:01:02 -05:00
Adam Cammack
18d95b6625
Land #8346, Templatize shims for external modules
2017-05-10 18:15:54 -05:00
William Vu
09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
William Vu
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
William Vu
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
William Vu
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
William Vu
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
William Vu
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
William Vu
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
James Lee
d00685a802
Don't run a DoS during wmap scans
2017-05-10 14:41:24 -05:00
Brendan Coles
42c7d64b28
Update style
2017-05-10 06:37:09 +00:00
Brent Cook
faf01ed5ef
Land #8353, add aux scanner for Intel AMT digest bypass
2017-05-09 18:45:21 -05:00
James Lee
72388a957f
Land #8355, IIS ScStoragePathFromUrl
See #8162
2017-05-09 11:06:01 -05:00
Christian Mehlmauer
2b4ace9960
convert to "screaming snake"
2017-05-09 09:30:45 +02:00
Brent Cook
cf487cc90c
reverse_ncat_ssl is stable
2017-05-08 17:43:34 -05:00
Brendan Coles
32dafb06af
Replace NoTarget with NotVulnerable
2017-05-08 22:29:44 +00:00
Christian Mehlmauer
f70b402dd9
add comment
2017-05-09 00:17:00 +02:00
Brent Cook
86365c89d1
Land #8352, style updates for lotus_domino_hashes
2017-05-08 17:11:44 -05:00
Christian Mehlmauer
806963359f
fix fail with condition
2017-05-08 23:47:48 +02:00