Commit Graph

362 Commits (0eab2fa98d3e0ba07042c29362747c96c29e8940)

Author SHA1 Message Date
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
Tod Beardsley 95b5ff6bea
Minor fixups on recent modules.
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301, @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces

Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in

Edited modules/auxiliary/scanner/http/title.rb first landed in #5333,
HTML Title Grabber

Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401, multi-platform CVE-2015-0311 - Flash uncompress()
UAF

Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290, Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
jvazquez-r7 b9f9647ab1
Use all the BES power 2015-05-21 14:06:41 -05:00
jvazquez-r7 aa919da84d
Add the multiplatform exploit 2015-05-20 18:57:59 -05:00
joev db999d2c62 Remove ff 31-34 exploit from autopwn, requires interaction. 2015-05-03 10:42:21 -05:00
jvazquez-r7 ab94f15a60
Take care of modules using the 'DEBUG' option 2015-04-21 12:13:40 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
root cd65e6f282 Add browser_autopwn info to firefox_proxy_prototype 2015-04-06 10:42:32 +05:00
Tod Beardsley 21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE 2015-03-23 13:44:41 -05:00
William Vu 3075c56064 Fix "response HTML" message
In modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb.
2015-03-07 17:08:08 -06:00
Joe Vennix 0bf3a9cd55
Fix duplicate :ua_maxver key. 2014-12-22 14:57:44 -06:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
James Lee a65ee6cf30
Land #3373, recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
HD Moore bfadfda581 Fix typo on match string for opera_configoverwrite 2014-09-29 15:34:35 -05:00
Joe Vennix d9e6f2896f
Add the JSObfu mixin to a lot of places. 2014-09-21 23:45:59 -05:00
sinn3r 85b48fd437
Land #3736 - Revert initial ff xpi prompt bypass for Firefox 22-27 2014-09-04 16:08:15 -05:00
Joe Vennix f7617183d9
Revert "Add initial firefox xpi prompt bypass."
This reverts commit ebcf972c08.
2014-09-02 12:27:41 -05:00
Joe Vennix 26cfed6c6a
Rename exploit module. 2014-08-26 23:05:41 -05:00
Joe Vennix 96276aa6fa
Get the disclosure date right. 2014-08-26 20:36:58 -05:00
Joe Vennix 52f33128cd
Add Firefox WebIDL Javascript exploit.
Also removes an incorrect reference from another FF exploit.
2014-08-26 20:35:17 -05:00
sinn3r e2e2dfc6a3 Undo FF 2014-08-19 17:47:44 -05:00
joev b93fda5cef
Remove browser_autopwn hook from deprecated FF module. 2014-08-18 15:33:43 -05:00
joev 87aa63de6e
Deprecate FF17 SVG exploit.
This exploit needs flash, the tostring_console injection one does not.
2014-08-18 15:32:51 -05:00
HD Moore 6d92d701d7 Merge feature/recog into post-electro master for this PR 2014-08-16 01:19:08 -05:00
joev 6d958475d6
Oops, this doesn't work on 23, only 22. 2014-08-15 17:00:58 -05:00
joev fb1fe7cb8b
Add some obfuscation. 2014-08-15 16:54:30 -05:00
joev b574a4c4c5
Wow, this gets a shell all the way back to 15.0. 2014-08-15 16:39:36 -05:00
joev 5706371c77
Update browser autopwn settings. 2014-08-15 16:32:06 -05:00
joev 8c63c8f43d
Add browserautopwn hook now that this is not user-assisted. 2014-08-15 16:28:21 -05:00
joev 694d917acc
No need for web console YESSSS 2014-08-15 16:02:26 -05:00
joev 738a295f0a
Rename module to tostring_console*. 2014-08-15 15:17:37 -05:00
joev f182613034
Invalid CVE format. 2014-08-15 15:09:45 -05:00
joev edb9d32e5c
Add module for toString() injection in firefox. 2014-08-15 15:08:10 -05:00
jvazquez-r7 8937fbb2f5 Fix email format 2014-07-11 12:45:23 -05:00
HD Moore 583dab62b2 Introduce and use OS matching constants 2014-05-28 14:35:22 -05:00
HD Moore a844b5c30a Merge branch 'master' of github.com:hmoore-r7/metasploit-framework into feature/recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
2014-05-18 10:50:32 -05:00
Tod Beardsley 0b2737da7c
Two more java payloads that wanted to write RHOST
There are three total, and they're all copy-pasted from the original
module from 2009. I suspect this idiom isn't used at all any more -- I
can't detect a difference in the payload if I just declare a host being
cli.peerhost, rather than rewriting RHOST to be cli.peerhost.

[SeeRM #8498]
2014-04-14 22:22:30 -05:00
Tod Beardsley 775b0de3c0
Replace RHOST reassing with just host
This looks okay from debug (the host looks like it's generating okay)
but there may be some subtle thing I'm not seeing here. @wchen-r7 can
you glance at this please?

[SeeRM #8498]
2014-04-14 22:17:31 -05:00
jvazquez-r7 577bd7c855
Land #3146, @wchen-r7's flash version detection code 2014-04-02 15:13:41 -05:00
joev ebcf972c08 Add initial firefox xpi prompt bypass. 2014-04-01 23:48:35 -05:00
HD Moore 7e227581a7 Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.

This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
sinn3r a173fcf2fa Flash detection for firefox_svg_plugin
Good test case
2014-03-28 15:39:25 -05:00
Joe Vennix 80808fc98c Cleans up firefox SVG plugin. 2014-03-26 13:12:39 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
jvazquez-r7 6c490af75e Add randomization to Rex::Zip::Jar and java_signed_applet 2014-02-27 12:38:52 -06:00
grimmlin 2d93b38e2a Fixed java_signed_applet for Java 7u51 2014-02-07 16:29:50 +01:00
Joe Vennix b3b04c4159 Fix both firefox js exploits to use browser_autopwn. 2014-01-11 17:34:38 -06:00
Joe Vennix 06fb2139b0 Digging around to get shell_command_token to work. 2014-01-02 14:05:06 -06:00
Joe Vennix 1b0e99b448 Update proto_crmfrequest module. 2014-01-02 10:48:28 -06:00
Joe Vennix 694cb11025 Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
Joe Vennix 8e27e87c81 Use the right disclosure date. 2013-12-19 12:58:52 -06:00
Joe Vennix 955dfe5d29 msftidy it up. 2013-12-19 12:53:58 -06:00
Joe Vennix b50bbc2f84 Update module to use sinn3r's beautiful browserexploitserver. 2013-12-19 12:49:24 -06:00
Joe Vennix eb08a30293 Update description with new version support. 2013-12-19 02:08:55 -06:00
Joe Vennix 5ee6c77901 Add a patch for 15.x support.
* Also add authors i forgot, oops
2013-12-19 02:05:45 -06:00
Joe Vennix 2add2acc8f Use a smaller key size, harder to spot. 2013-12-18 21:02:23 -06:00
Joe Vennix 8d183d8afc Update versions, 4.0.1 does not work on windows. 2013-12-18 20:57:47 -06:00
Joe Vennix cb390bee7d Move comment. 2013-12-18 20:37:33 -06:00
Joe Vennix 23b5254ea1 Fix include reference. 2013-12-18 20:35:43 -06:00
Joe Vennix 5255f8da12 Clean up code. Test version support.
* Using #get in Object#defineProperty call makes the payload execute immediately
on all supported browsers I tested.
* Moved Ranking to Excellent since it is now 100% reliable.
2013-12-18 20:30:08 -06:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix ca2de73879 It helps to actually commit the exploit. 2013-12-18 14:31:42 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
jvazquez-r7 004c1bac78 Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
Tod Beardsley ca313806ae Trivial grammar and word choice fixes for modules 2013-08-19 13:24:42 -05:00
jvazquez-r7 1a3b4eebdb Fix directory name on ruby 2013-08-15 22:54:31 -05:00
jvazquez-r7 795ad70eab Change directory names 2013-08-15 22:52:42 -05:00
jvazquez-r7 c5c2aebf15 Update references 2013-08-15 22:04:15 -05:00
jvazquez-r7 cc5804f5f3 Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00
HD Moore 6c1ba9c9c9 Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00
jvazquez-r7 4fa789791d Explain Ranking 2013-06-25 13:10:15 -05:00
jvazquez-r7 127300c62d Fix also ruby module 2013-06-25 12:59:42 -05:00
Matthias Kaiser 8a96b7f9f2 added Java7u21 RCE module
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
Steve Tornio a824a0583e add osvdb ref 89059 2013-06-20 07:34:15 -05:00
Joe Vennix 45da645717 Update ff svg exploit description to be more accurate. 2013-06-11 12:12:18 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 79bfdf3ca6 Add comment to explain the applet delivery methods 2013-06-07 14:20:21 -05:00
jvazquez-r7 641fd3c6ce Add also the msf module 2013-06-07 13:39:19 -05:00
Steve Tornio 80f1e98952 added osvdb refs 2013-06-01 07:04:43 -05:00
Tod Beardsley 75d6c8079a Spelling, whitespace
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
sinn3r 81ad280107 Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE
Chained exploit using CVE-2013-0758 and CVE-2013-0757
2013-05-23 12:21:10 -05:00
sinn3r 67861794f6 Fix automatic payload selection 2013-05-22 22:37:18 -05:00
sinn3r 23fe3146dc Extra print_status I don't want 2013-05-22 14:38:30 -05:00
sinn3r 0e6576747a Fix target selection probs, and swf path 2013-05-22 14:34:00 -05:00
Joe Vennix aae4768563 Fix whitespace issues from msftidy. 2013-05-21 14:31:36 -05:00
Joe Vennix eaeb10742a Add some comments and clean some things up. 2013-05-21 14:01:14 -05:00
Joe Vennix 978aafcb16 Add DEBUG option, pass args to .encoded_exe(). 2013-05-21 14:01:14 -05:00
Joe Vennix ee8a97419c Add some debug print calls to investigate Auto platform selection. 2013-05-21 14:01:13 -05:00
Joe Vennix 60fdf48535 Use renegerate_payload(cli, ...). 2013-05-21 14:01:13 -05:00
Joe Vennix 1a5c747bb9 Update description. 2013-05-15 23:52:51 -05:00
Joe Vennix 178a43a772 Whitespace tweaks and minor bug fix. Wrong payloads still run. 2013-05-15 23:47:04 -05:00