Commit Graph

22172 Commits (0c792798a764249b84835b5bdaf0dfb25aca9151)

Author SHA1 Message Date
zerosum0x0 9634f974dd fix msftidy 2017-05-14 18:14:02 -06:00
zerosum0x0 fa79339432 eternalblue module 2017-05-14 18:11:41 -06:00
Spencer McIntyre f39e378496
Land #8330, fix ps_wmi_exec and psh staging 2017-05-13 14:26:47 -04:00
Carter ce7b967a13 Update archmigrate.rb 2017-05-13 13:35:48 -04:00
Carter 78b0fb00da I committed to the wrong branch 2017-05-13 13:35:13 -04:00
Carter 0bd11062e4 Ass SYSTEM check to archmigrate 2017-05-13 13:28:28 -04:00
itsmeroy2012 3a1ed19a42 Making use of StagerRetryConnect 2017-05-13 17:49:53 +05:30
William Vu c622e3fc22 Deregister URIPATH because it's overridden by Path 2017-05-12 11:56:38 -05:00
William Vu 84af5d071d Deregister VHOST because it's overridden by Host 2017-05-12 11:44:10 -05:00
Mzack9999 27e1de14b0 BuilderEngine 3.5 Arbitrary file upload and execution exploit 2017-05-12 18:37:08 +02:00
Brent Cook 7bcaaf33c7
Land #8294, gnome keyring post exploit credential dumper 2017-05-12 10:08:53 -05:00
Brent Cook e9fcc3c291 msftidy fixes 2017-05-12 10:08:26 -05:00
Brent Cook 7355817329
Land #8371, Fix msftidy warnings for the WNR2000 module 2017-05-11 22:51:11 -05:00
Brent Cook 123462bdca
Land #8293, add initial multi-platform railgun support 2017-05-11 22:32:23 -05:00
h00die af4505a9de
land #8009 post module for jboss creds gather 2017-05-11 22:39:54 -04:00
h00die 285857c23f remove req msfcore 2017-05-11 22:39:41 -04:00
h00die 6fa51aee8f moving docs to correct folder 2017-05-11 22:33:00 -04:00
William Vu 231510051c Fix uri_str for exploit 2017-05-11 16:30:10 -05:00
William Vu bee36ca90f Fix edge case 2017-05-11 16:22:21 -05:00
William Vu 68f13808e7 Fix msftidy warnings for the WNR2000 module 2017-05-11 16:16:10 -05:00
William Vu 2ae943d981 Use payload common case instead of general case
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
Brent Cook e414bdb876 don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules 2017-05-11 15:19:11 -05:00
Brent Cook 30c48deeab msftidy and misc. fixups for Quest BoF module 2017-05-11 08:07:39 -05:00
William Webb e8aed42ecd
Land #8223, Quest Privilege Manager pmmasterd Buffer Overflow 2017-05-11 00:44:19 -05:00
Josh Hale 843f148e62 One more yard doc function 2017-05-10 23:01:03 -05:00
Josh Hale e84765c1c6 All functions have yard doc like comments 2017-05-10 23:01:03 -05:00
Josh Hale c5391c2a64 Update cmd print to match core.rb 2017-05-10 23:01:03 -05:00
Josh Hale 10c7c3893a Add subnet check for Android payloads 2017-05-10 23:01:03 -05:00
Josh Hale c49bd9ee4e Add session ready check 2017-05-10 23:01:03 -05:00
Josh Hale 97eaa83114 Update delete all routes 2017-05-10 23:01:03 -05:00
Josh Hale f670fcddcb Initial code cleanup and multi compatibility work 2017-05-10 23:01:02 -05:00
Brent Cook 099fc0176a move autoroute to a more sensible location 2017-05-10 23:01:02 -05:00
Adam Cammack 18d95b6625
Land #8346, Templatize shims for external modules 2017-05-10 18:15:54 -05:00
William Vu 09f6c21f94 Add note about Host header limitations 2017-05-10 15:17:20 -05:00
William Vu b446cbcfce Add reference to Exim string expansions 2017-05-10 15:17:20 -05:00
William Vu 8842764d95 Add some comments about badchars 2017-05-10 15:17:20 -05:00
William Vu ecb79f2f85 Use reduce instead of extracting twice 2017-05-10 15:17:20 -05:00
William Vu b5f25ab7ca Use extract instead of doubling /bin/echo 2017-05-10 15:17:20 -05:00
William Vu 9a64ecc9b0 Create a pure-Exim, one-shot HTTP client 2017-05-10 15:17:20 -05:00
William Vu 0ce475dea3 Add WordPress 4.6 PHPMailer exploit 2017-05-10 15:17:20 -05:00
James Lee d00685a802
Don't run a DoS during wmap scans 2017-05-10 14:41:24 -05:00
Brendan Coles 42c7d64b28 Update style 2017-05-10 06:37:09 +00:00
Brent Cook faf01ed5ef
Land #8353, add aux scanner for Intel AMT digest bypass 2017-05-09 18:45:21 -05:00
James Lee 72388a957f
Land #8355, IIS ScStoragePathFromUrl
See #8162
2017-05-09 11:06:01 -05:00
Christian Mehlmauer 2b4ace9960
convert to "screaming snake" 2017-05-09 09:30:45 +02:00
Brent Cook cf487cc90c reverse_ncat_ssl is stable 2017-05-08 17:43:34 -05:00
Brendan Coles 32dafb06af Replace NoTarget with NotVulnerable 2017-05-08 22:29:44 +00:00
Christian Mehlmauer f70b402dd9
add comment 2017-05-09 00:17:00 +02:00
Brent Cook 86365c89d1
Land #8352, style updates for lotus_domino_hashes 2017-05-08 17:11:44 -05:00
Christian Mehlmauer 806963359f
fix fail with condition 2017-05-08 23:47:48 +02:00
Christian Mehlmauer f62ac6327d
add @rwhitcroft 2017-05-08 23:20:12 +02:00
Christian Mehlmauer 26373798fa
change rank 2017-05-08 23:07:12 +02:00
Christian Mehlmauer 962a31f879
change minimum length 2017-05-08 23:01:17 +02:00
Christian Mehlmauer 7dccb17834
auto extract values and implement brute forcing 2017-05-08 22:47:29 +02:00
Brent Cook 841f63ad20 make office_word_hta backward compat with older Rubies 2017-05-08 15:10:48 -05:00
Christian Mehlmauer 406a7f1ae2
Merge remote-tracking branch 'dmchell/dmchell-cve-2017-7269' into iis2 2017-05-08 21:51:51 +02:00
Brent Cook fede672a81 further revise templates 2017-05-08 14:26:24 -05:00
HD Moore f7ff840ef0 Add missing return, thanks bperry! 2017-05-08 14:08:59 -05:00
HD Moore 9392e48b72 Add a scanner for Intel AMT auth bypass (CVE-2017-5689) 2017-05-08 13:24:00 -05:00
Jeffrey Martin a1efa30fa2
comments adjustments & enum better 2017-05-08 11:57:06 -05:00
William Vu b794bfe5db
Land #8335, rank fixes for the msftidy god 2017-05-07 21:20:33 -05:00
Bryan Chu 88bef00f61 Add more ranks, remove module warnings
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables

../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability

../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability

../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart

../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability

../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability

../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability

../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability

../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
Pearce Barry af3f1fbc37
Land #8332, Canprobe Module 2017-05-07 12:20:27 -05:00
Pearce Barry c05e7b3b58
Minor corrections and a tweak to appease msftidy. 2017-05-07 11:55:20 -05:00
Pearce Barry e3d3fa8e45
Tweak internal description formatting. 2017-05-07 11:31:36 -05:00
Pearce Barry b965bdcdae
Appease msftidy and Travis. 2017-05-07 11:19:32 -05:00
m0t ab245b5042 added note to description 2017-05-07 13:56:50 +01:00
m0t 4f12a1e271 added note to description 2017-05-07 13:54:28 +01:00
Brendan Coles 635a7a42e6 Update style lotus_domino_hashes 2017-05-07 16:37:48 +10:00
Jeffrey Martin 05bf16e91e
Land #8331, Adding module CryptoLog Remote Code Execution 2017-05-05 18:24:14 -05:00
Jeffrey Martin e2fe70d531
convert store_valid_credential to named params 2017-05-05 18:23:15 -05:00
Mehmet Ince 720a02f5e2
Addressing Spaces at EOL issue reported by Travis 2017-05-05 11:05:17 +03:00
Brendan Coles 0eacf64324 Add Serviio Media Server checkStreamUrl Command Execution 2017-05-05 07:54:00 +00:00
Mehmet Ince 58d2e818b1
Merging multiple sqli area as a func 2017-05-05 10:49:05 +03:00
Jeffrey Martin 63b6ab5355
simplify valid credential storage 2017-05-04 22:51:40 -05:00
darkbushido 81bcf2ca70 updating all LHOST to use the new opt type 2017-05-04 12:57:50 -05:00
Brent Cook 97095ab311
Land #8338, Fix msf/core and self.class msftidy warnings 2017-05-03 21:55:52 -05:00
Brent Cook 2d93c8e2d6 merge, don't overwrite 2017-05-03 18:17:58 -05:00
Brent Cook 0798923901 set the correct schema for linux meterpreter reverse_tcp stages 2017-05-03 16:12:45 -05:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Mehmet Ince d04e7cba10
Rename the module as well as title 2017-05-03 19:18:46 +03:00
Mehmet Ince ae8035a30f
Fixing typo and using shorter sqli payload 2017-05-03 16:45:17 +03:00
Craig Smith 9877aa9ef9 Added documentation and cleand up how STOPID worked 2017-05-02 18:57:32 -07:00
Mehmet Ince db2a2ed289
Removing space at eof and self.class from register_options 2017-05-03 01:31:13 +03:00
Mehmet Ince 77acbb8200
Adding cryptolog rce 2017-05-03 01:05:40 +03:00
Craig Smith 3519adbaef A basic CAN fuzzer. It probes the data regions of different CAN IDs.
The default is to use a set value but can iterate the full range.  It can
also add padding if necessary.  Not checks on returns or results of fuzzing.
2017-05-02 14:19:29 -07:00
Adam Cammack 494711ee65
Land #8307, Add lib for writing Python modules 2017-05-02 15:53:13 -05:00
Yorick Koster 6870a48c48 Code suggestion from @jvoisin 2017-05-02 16:41:06 +02:00
William Vu 03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory 2017-05-01 16:23:14 -05:00
William Vu 41ef1a4e90
Land #8325, cmd/unix/reverse_ncat_ssl payload 2017-05-01 14:54:52 -05:00
C_Sto 772a16f4cd fix style 2017-05-02 00:55:57 +08:00
C_Sto 9e06c3f07e fix argument arrangement 2017-05-02 00:39:00 +08:00
C_Sto 5a2afbc364 Tidy payload 2017-05-01 21:38:34 +08:00
Yorick Koster 006ed42248 Added fix information
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/0002
09.html
2017-05-01 09:01:14 +02:00
C_Sto cfa204b8e8 add reverse ncat ssl 2017-05-01 06:57:28 +08:00
reanar 0b62a6478a Modification for Travis (remove require msf/core, and self.class in register) 2017-04-30 17:05:11 +02:00
reanar 3f348150c6 Modification of description 2017-04-30 16:38:39 +02:00
reanar 52ec448511 Add WordPress Directory Traversal DoS Module 2017-04-30 15:03:48 +02:00
Yorick Koster 673dbdc4b9 Code review feedback from h00die 2017-04-29 20:37:39 +02:00
Yorick Koster fcf14212b4 Fixed disclosure date 2017-04-29 16:25:25 +02:00
Yorick Koster f9e7715adb Fixed formatting 2017-04-29 16:07:45 +02:00
Yorick Koster 1569d2cf8e MediaWiki SyntaxHighlight extension exploit module
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
2017-04-29 14:29:56 +02:00
Brandon Knight c4b3ba0d14 Actually removing msf/core this time... ><
Helps to actually remove the bits that were failing. Now with even more
removal of msf/core!
2017-04-28 21:42:06 -04:00
Brandon Knight ff263812fc Fix msftidy warnings
Remove explicitly loading msf/core and self.class from the register_
functions.
2017-04-28 21:26:53 -04:00
HD Moore afc804fa03 Quick Ghostscript module based on the public PoC 2017-04-28 09:56:52 -05:00
Brandon Knight f8fb03682a Fix issue in ps_wmi_exec and powershell staging
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.

Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
itsmeroy2012 cd73bd137a Making use of while loop and solving StagerRetryWait issue 2017-04-27 11:50:13 +05:30
William Vu 1a402ed1d8 Add arch to smb_ms17_010 DOUBLEPULSAR detection 2017-04-26 20:59:13 -05:00
Brent Cook 037fdf854e move common json-rpc bits to a library 2017-04-26 18:08:08 -05:00
Brent Cook 480a0b4273 update payload sizes 2017-04-26 18:02:14 -05:00
Brent Cook a60e5789ed update mettle->meterpreter references in modules 2017-04-26 17:55:10 -05:00
Brent Cook 078ba66e5f remove unneeded msf/core requires 2017-04-26 17:17:20 -05:00
Brent Cook 353191992f move mettle payloads to meterpreter, add reverse_http/s stageless 2017-04-26 17:06:34 -05:00
Brent Cook f8792956ee fix one module for testing 2017-04-26 16:21:13 -05:00
Daniel Teixeira a3a4ba7605 Buffer Overflow on Dup Scout Enterprise v9.5.14 2017-04-26 15:19:00 +01:00
Spencer McIntyre da6c03d13f Fix function names to always be snake_case 2017-04-26 09:30:29 -04:00
William Vu bbee7f86b5
Land #8263, Mercurial SSH exec module 2017-04-26 01:38:01 -05:00
William Vu f60807113b Clean up module 2017-04-26 01:37:49 -05:00
Spencer McIntyre a3bcd20b26 Minor cleanups for multi-platform railgun 2017-04-25 17:45:07 -04:00
William Vu 5476f6066c
Land #8271, DOUBLEPULSAR detection for MS17-010 2017-04-25 16:31:39 -05:00
Craig Smith 4019a14865 The local HWBridge now does not print out status for each URI request per default. This can be enabled by setting verbose to true.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 5537348e28 Addes Statistics support from the API. When typing status in a hardware bridge it will also print packet statistics.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
wchen-r7 320898697a
Land #8266, Add Buffer Overflow Exploit on Disk Sorter Enterprise 2017-04-24 17:17:30 -05:00
wchen-r7 1d86905fca
Land #8288, Minor changes to WiPG-1000 module 2017-04-24 17:09:25 -05:00
wchen-r7 e333cb65e5 Restore require 'msf/core' 2017-04-24 17:09:02 -05:00
wchen-r7 c573628e10 Fix header 2017-04-24 17:01:35 -05:00
wchen-r7 e775f9ccbd
Land #8259, Add post module to upload and execute a file 2017-04-24 17:00:55 -05:00
Matthias Brun d3aba846b9 Make minor changes 2017-04-24 23:35:36 +02:00
wchen-r7 5bbb4d755a
Land #8254, Add CVE-2017-0199 - Office Word HTA Module 2017-04-24 16:05:00 -05:00
wchen-r7 6029a9ee2b Use a built-in HTA server and update doc 2017-04-24 16:04:27 -05:00
zerosum0x0 55f01d3fc7 made the plugin less spammy with more vprintf 2017-04-24 13:33:05 -06:00
zerosum0x0 453ca6e3bf added OS printing on vulnerable systems 2017-04-24 13:20:44 -06:00
Daniel Teixeira 47898717c9 Minor documentation improvements
Space after ,
2017-04-24 14:47:25 +01:00
itsmeroy2012 bd2379784e Improved error handling for the python reverse_tcp payload
Handling all kinds of errors

Removing 'e'

Updating payload cached sizes

Updating payload cached sizes 2.0

Adding option to set retry time
2017-04-23 20:43:57 +05:30
zerosum0x0 a69aba0eab added XOR Key calculation 2017-04-22 23:54:30 -06:00
h00die 8e4c093a22 added version numbers 2017-04-22 09:45:55 -04:00
Spencer McIntyre ffe6d35b4d Add a module to dump network passwords from gnome 2017-04-21 16:17:18 -04:00
zerosum0x0 8a77bf7b60 removed wrong comments 2017-04-21 08:27:13 -06:00
Matthias Brun 714ada2b66 Inline execute_cmd function 2017-04-21 15:32:15 +02:00
zerosum0x0 9fab64c60e added references 2017-04-20 15:22:37 -06:00
zerosum0x0 dd12afd717
added DoublePulsar detection 2017-04-20 15:03:29 -06:00
Matthias Brun 8218f024e0 Add WiPG-1000 Command Injection module 2017-04-20 16:32:23 +02:00
Koen Riepe 55ab800f13
Minor code fixes. 2017-04-19 14:41:11 +02:00
DanielRTeixeira f1c51447c1 Add files via upload
Buffer Overflow on Disk Sorter Enterprise
2017-04-19 10:57:41 +01:00
Jonathan Claudius f5430e5c47
Revert Msf::Exploit::Remote::Tcp 2017-04-18 19:27:35 -04:00
Jonathan Claudius 9a870a623d
Make use of Msf::Exploit::Remote::Tcp 2017-04-18 19:17:48 -04:00
Jonathan Claudius 03e3065706
Fix MSF tidy issues 2017-04-18 18:56:42 -04:00
Jonathan Claudius 32f0b57091
Fix new line issues 2017-04-18 18:52:53 -04:00
James Lee bdeeb8ee1d
Add a check 2017-04-18 16:32:06 -05:00
William Vu 3b38d0d900
Land #8262, PR ref for huawei_hg532n_cmdinject 2017-04-18 16:29:13 -05:00