f88e68da25
fix msftidy stuff
2017-01-12 18:04:58 +00:00
2274e38925
fix msftidy stuff
2017-01-12 18:03:12 +00:00
b863db9d02
add billion sploit
2017-01-12 17:51:24 +00:00
2827a7ea1a
add 660v2 sploit
2017-01-12 17:50:57 +00:00
af2516d074
add 660v1 sploit
2017-01-12 17:49:28 +00:00
c0880985bc
fix duplicate entry for platform
2017-01-10 01:17:44 +00:00
74cea5dd04
Use Linux payloads instead of cmd/unix/interact
...
As of now, cmd/unix/interact causes msfconsole to freeze, so
we can't use this.
2017-01-09 11:11:17 -06:00
e331066d6d
Add CVE-2016-6433 Cisco Firepower Management Console UserAdd Exploit
2017-01-06 17:05:25 -06:00
13bca2ebc7
add httpusername and password for auto auth
2017-01-06 16:33:51 +00:00
19319f15d4
Land #7626 , Eir D1000 modem exploit
2017-01-04 17:02:39 -06:00
d95a3ff2ac
made changes suggested
2017-01-04 23:02:10 +00:00
b0e79076fe
Switch to wget CmdStager and tune timing
...
We don't want to trample the device with requests.
2017-01-04 16:42:53 -06:00
94d76cfb06
Merge remote-tracking branch 'upstream/master' into tr-069-ntpserver-command-injection
2017-01-03 17:04:04 -06:00
fe0a3c8669
Update themoon exploit to use wget command stager
2017-01-03 15:50:57 -06:00
9d3e90e8e5
cleanup
2017-01-02 17:32:38 +00:00
4c29d23c8a
further cleaning
2016-12-31 17:02:34 +00:00
956602cbfe
add final wnr2000 sploits
2016-12-31 16:49:05 +00:00
9d0ada9b83
Land #7749 , make drb_remote_codeexec great again
2016-12-28 06:11:48 -06:00
cfca4b121c
Clean up module
2016-12-28 06:10:46 -06:00
afd8315e1d
Remove apache_continuum_cmd_exec CmdStager flavor
...
It is inferred from the platform, and we don't want to override it
needlessly. :bourne is what worked during testing, but it won't always
work. Now we can override the flavor with CMDSTAGER::FLAVOR.
2016-12-27 16:24:16 -06:00
870e8046b5
add sploits
2016-12-27 21:12:35 +00:00
679ebf31bd
Minor fix to make dRuby great again
2016-12-23 15:12:22 +01:00
d69acd116d
Make dRuby great again
2016-12-22 15:37:16 +01:00
a4f681ae35
Add quoted hex encoding
2016-12-06 09:05:35 -06:00
d549c2793f
Fix module filename to be TR-064
2016-12-02 08:49:21 -06:00
9e4e9ae614
Add a reference to the TR-064 spec
2016-12-02 08:48:09 -06:00
ddac5600e3
Reference TR-064, not TR-069
2016-12-02 08:45:15 -06:00
1d6ee7192a
Land #7427 , new options for nagios_xi_chained_rce
2016-11-30 17:11:02 -06:00
3e8cdd1f36
Polish up USER_ID and API_TOKEN options
2016-11-30 17:10:52 -06:00
43cd788350
Switch back to echo as cmdstager flavor
2016-11-30 10:18:09 -06:00
b75fbd454a
Add missing peer in vprint_error
2016-11-30 07:59:41 -06:00
657d52951b
Linemax 63, switch to printf
2016-11-30 07:51:36 -06:00
08b9684c1a
Add a FORCE_EXPLOIT option for @FireFart
2016-11-29 16:37:13 -06:00
57d156a5e2
Revert "XML encode the command passed"
...
This reverts commit 9952c0ac6f
2016-11-29 16:24:26 -06:00
b7904fe0cc
Oh silly delimiters and lack thereof
2016-11-29 15:53:05 -06:00
9952c0ac6f
XML encode the command passed
2016-11-29 15:49:55 -06:00
851aae3f15
Oops, wrong module
...
This reverts commit d55d2099c5
2016-11-29 15:15:18 -06:00
d55d2099c5
Just one platform thanks
2016-11-29 15:08:45 -06:00
4d6b2dfb46
Use CmdStager instead
...
Oh, and this is totally untested as of this commit.
2016-11-29 15:03:38 -06:00
8de17981c3
Get rid of the WiFi key stealer
2016-11-29 14:48:04 -06:00
75bcf82a09
Never set DefaultPaylod, reverse target options
2016-11-29 14:43:10 -06:00
f55f578f8c
Title, desc, authors, refs
2016-11-29 14:39:38 -06:00
d691b86443
First commit of Kenzo's original exploit
...
This is a work in progress, and is merely the copy-paste
of the original PoC exploit from:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
2016-11-29 09:13:52 -06:00
6f70323460
Minor misspelling mistakes and corrected the check of the mysqld process
2016-11-25 19:03:23 +00:00
1119dc4abe
Targets set to automatic
...
removed targets and set only automatic
the targets weren't used so there's no funcionallity loss
2016-11-25 17:35:28 +00:00
59f3c9e769
Land #7579 , rename netfilter_priv_esc to rename netfilter_priv_esc_ipv4
2016-11-21 17:59:29 -06:00
8869ebfe9b
Fix incorrect disclosure date for OpenNMS exploit
...
Disclosure date was Nov 2015, not Nov 2014
2016-11-21 16:44:36 +00:00
6c6221445c
Land #7543 , Create exploit for CVE-2016-6563 / Dlink DIR HNAP Login
2016-11-21 09:59:50 -06:00
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
acfd214195
Mysql privilege escalation
...
Documentation, compiled binary and final implementation.
Completed the documentation, added the missing compiled binary and a
final and tested implementation of the module.
2016-11-19 11:24:29 +00:00
cfd31e32c6
renaming per @bwatters-r7 comment in #7491
2016-11-18 13:52:09 -05:00
4596785217
Land #7450 , PowerShellEmpire Arbitrary File Upload
2016-11-17 17:47:15 -06:00
18bafaa2e7
Land #7531 , Fix drb_remote_codeexec and create targets
2016-11-16 12:58:22 -06:00
b56b6a49ac
Land #7328 , Extend lsa_transname_heap exploit to MIPS
2016-11-15 07:37:19 -06:00
c458d662ed
report correct credential status as successful
2016-11-14 12:27:22 -06:00
4ae90cbbef
Land #7191 , Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE.
2016-11-14 12:06:02 -06:00
908713ce68
remove whitespace at end of module name
2016-11-14 08:35:34 +00:00
9eb9d612ca
Minor typo fixups.
2016-11-11 16:54:16 -06:00
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
50f578ba79
Add full disclosure link
2016-11-08 22:15:19 +00:00
95bd950133
Point to proper link on github
2016-11-07 17:59:29 +00:00
f268c28415
Create dlink_hnap_login_bof.rb
2016-11-07 17:45:37 +00:00
da356e7d62
Remove Compat hash to allow more payloads
2016-11-04 13:57:05 -05:00
f0c89ffb56
Refactor module and use FileDropper
2016-11-04 13:57:05 -05:00
6d7cf81429
Update references
2016-11-04 13:57:05 -05:00
009d6a45aa
Update description
2016-11-04 13:57:05 -05:00
bf7936adf5
Add instance_eval and syscall targets
2016-11-04 13:57:05 -05:00
dae1f26313
Land #7521 , Modernize TLS protocol configuration for SMTP / SQL Server
2016-11-03 12:56:50 -05:00
eca4b73aab
Land #7499 , check method for pkexec exploit
2016-11-03 10:59:06 -05:00
1c746c0f93
Prefer CheckCode::Detected
2016-11-03 11:14:48 +01:00
2cdff0f414
Fix check method
2016-11-03 11:14:48 +01:00
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
f8912486df
fix typos
2016-11-01 05:43:03 -05:00
3c56f1e1f7
Remove commented x64 arch from sock_sendpage
2016-11-01 01:29:11 +10:00
45d6012f2d
fix check method
2016-10-30 14:57:42 -04:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
c7b775ac1c
Fix detection following @bwatters-r7 recommendations. Remove safesync exploit that shouldn't be here.
2016-10-28 18:03:56 +00:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
23ab4f1fc1
Remove one last tab
2016-10-27 12:32:40 +02:00
d9f07183bd
Please h00die ;)
2016-10-27 12:18:33 +02:00
2ac54f5028
Add a check for the linux pkexec module
2016-10-27 10:28:13 +02:00
684feb6b50
moved STAGE0 and STAGE1 into datastore
2016-10-18 11:47:38 -04:00
e806466fe3
correct carriage return and link issue
2016-10-17 10:31:39 -04:00
7e68f7d2a4
EmpirePowerShell Arbitrary File Upload (Skywalker)
2016-10-17 10:03:07 -04:00
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
5e7d546fa2
Land #7094 , OpenNMS Java Object Deserialization RCE Module
2016-10-14 13:19:11 -05:00
cfddc734a8
Land #7286 , WiFi pineapple preconfig command injection module
2016-10-14 12:57:42 -05:00
e05a325786
Land #7285 , WiFi pineapple command injection via authentication bypass
2016-10-14 12:57:05 -05:00
12493d5c06
moved c code to external sources
2016-10-13 20:37:03 -04:00
9d2355d128
removed debug line
2016-10-10 10:23:51 -04:00
2ad82ff8e3
more nagios versatility
2016-10-10 10:21:49 -04:00
7b84e961ed
Minor output correction.
2016-10-09 19:01:06 -05:00
7e6facd87f
added wrong file
2016-10-09 09:49:58 -04:00
2c4a069e32
prepend fork fix
2016-10-09 09:40:44 -04:00
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
75bea08e0e
changing branches
2016-10-04 21:08:12 -04:00
e6daef62b4
egypt
2016-10-03 20:24:59 -04:00
7b0a8784aa
additional doc updates
2016-09-29 19:02:16 -04:00
bac4a25b2c
compile or nill
2016-09-29 06:15:17 -04:00
4fac5271ae
slight cleanup
2016-09-29 05:51:13 -04:00
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
988471b860
Land #7372 , useless use of cat fix
...
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
3033c16da6
Add missing rank
2016-09-28 16:37:04 -05:00
b46073b34a
Replace `cat` with Ruby's `read_file`
...
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
45ee59581b
Fix inverted logic in Docker exploit
...
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.
Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
dbb2abeda1
Remove the `cat $FILE | grep $PATTERN` anti-pattern
...
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
7646771dec
refactored for live compile or drop binary
2016-09-22 20:07:07 -04:00
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
04f8f7a0ea
Land #7266 , Add Kaltura Remote PHP Code Execution
2016-09-21 17:14:49 -05:00
2d3c167b78
Grammar changes again.
2016-09-20 23:51:12 +03:00
0f16393220
Yet another grammar changes
2016-09-20 19:48:40 +03:00
fb00d1c556
Another minor grammer changes
2016-09-20 19:23:28 +03:00
251421e4a7
Minor grammar changes
2016-09-20 10:37:39 -05:00
385428684f
Move module and docs under the exploit/linux/http folder
2016-09-20 12:45:23 +03:00
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
edd1704080
reexploit and other docs and edits added
2016-09-18 09:01:41 -04:00
4f85a1171f
reexploit and other docs and edits added
2016-09-18 08:51:27 -04:00
d2100bfc4e
Land #7301 , Support URIHOST for exim4_dovecot_exec for NAT
2016-09-16 12:49:57 -07:00
7c396dbf59
Use URIHOST
2016-09-16 12:48:54 -07:00
4d0643f4d1
Add missing DefaultTarget to Docker exploit
2016-09-16 13:09:00 -05:00
da516cb939
Land #7027 , Docker privesc exploit
2016-09-16 12:44:21 -05:00
e3060194c6
Fix formatting in ubiquiti_airos_file_upload
...
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
7393d91bfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2016-09-16 10:46:44 +01:00
4be4bcf7eb
forgot updates
2016-09-16 02:08:09 -04:00
2e42e0f091
first commit
2016-09-16 01:54:49 -04:00
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
c6214d9c5e
Fix and clean module
2016-09-14 14:36:29 -05:00
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
11342356f8
Support LHOST for metasploit behind NAT
2016-09-13 11:23:49 +10:00
c06ee991ed
Adding WiFi pineapple command injection via authenticaiton bypass.
2016-09-06 17:22:25 -07:00
8d40dddc17
Adding WiFi pineapple preconfig command injection module.
2016-09-06 17:18:36 -07:00
e4d118108a
Trend Micro SafeSync exploit.
2016-09-06 19:33:23 +00:00
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
411689aa44
Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router
2016-09-01 10:05:13 +01:00
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
2b6576b038
Land #7012 , Linux service persistence module
2016-08-17 22:45:35 -05:00
c64d91457f
Land #7003 , cron/crontab persistence module
2016-08-17 22:45:16 -05:00
c64e1b8fe6
Land #7181 , NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance
2016-08-08 16:04:33 -05:00
cb04ff48bc
Land #7180 , Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE
2016-08-08 15:55:39 -05:00
8654baf3dd
Land #6880 , add a module for netcore/netdis udp 53413 backdoor
2016-08-08 15:43:34 -05:00
f98efb1345
Fix typos
2016-08-08 15:41:03 -05:00
1320647f31
Exploit for Trend Micro Smart Protection Server (CVE-2016-6267).
2016-08-08 18:47:46 +00:00
3b64b891a6
Update nuuo_nvrmini_unauth_rce.rb
2016-08-05 21:53:25 +01:00
746ba4d76c
Add bugtraq reference
2016-08-05 21:53:08 +01:00
Pedro Ribeiro
wchen-r7
William Vu
Adam Cammack
joernchen of Phenoelit
Tod Beardsley
x2020
Brent Cook
Prateep Bandharangshi
William Webb
h00die
Brendan
Jeffrey Martin
Pearce Barry
OJ
Alex Flores
Quentin Kaiser
Julien (jvoisin) Voisin
wolfthefallen
jvoisin
Mehmet Ince
David Maloney
Thao Doan
Jan Mitchell
aushack
catatonic