Commit Graph

23553 Commits (17c8f7c4c769273ec30e72f99f9357e9f812821e)

Author SHA1 Message Date
follower ecb5fffb0b
Typo fix: "withint" --> "within" 2018-02-13 06:20:57 +13:00
UserExistsError bad1429989 reverted CachedSize values 2018-02-11 19:07:41 -07:00
UserExistsError 8ae8a0d94b added bind_named_pipe payload 2018-02-11 18:56:50 -07:00
h00die 285b329ee1
Land #9422 abrt race condition priv esc on linux 2018-02-11 11:58:39 -05:00
Pearce Barry add7ae8fa1
Land #9536, Add Ubuntu notes to documentation 2018-02-11 07:27:00 -06:00
Pearce Barry 321b78b0fe
Land #9408, Add Juju-run Agent Privilege Escalation module (CVE-2017-9232) 2018-02-11 07:19:49 -06:00
Brendan Coles 4e5cbd68b9 Add Ubuntu notes to documentation 2018-02-11 06:52:36 +00:00
Brendan Coles 1177efef89 Update tested versions 2018-02-10 16:32:20 +00:00
Brendan Coles 0d573e1434 Support shell sessions 2018-02-09 16:15:04 -05:00
Brendan Coles 45249d582d Add partition check 2018-02-09 16:15:04 -05:00
Brendan Coles 0ba37f8104 Add glibc $ORIGIN Expansion Privilege Escalation exploit 2018-02-09 16:15:04 -05:00
h00die cb1b59545b
Land #9469 linux local exploit for glibc ld audit 2018-02-09 14:00:42 -05:00
Brent Cook 44b08feeb0
Land #9525, Update mysql_hashdump for MySQL 5.7 and above 2018-02-08 13:56:26 -06:00
Brent Cook 1bb5499fce fix whitespace 2018-02-08 13:55:40 -06:00
Jacob Robles c642d420c2
Land #9489, Add scanner for the Bleichenbacker oracle (AKA: ROBOT) 2018-02-08 12:55:02 -06:00
Jacob Robles c9a3894bdb
Removed require statements 2018-02-08 12:00:47 -06:00
Osanda Malith Jayathissa 00ead05237
Update for MySQL 5.7 and above
Starting from MySQL 5.7 the password column was changed to authentication_string. I've added a check to determine the version. Tested on both MySQL 5.6 and 5.7.
2018-02-08 13:40:35 +00:00
Brendan Coles 5b251ae672 Support shell sessions on Debian 2018-02-08 11:29:09 +00:00
Brent Cook b1d0529161 prefer 'shell' channels over 'exec' channels for ssh
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
2018-02-08 02:21:16 -06:00
Brent Cook ca4ad1d0c4
Land #9478, Improve Dup Scout BOF exploit 2018-02-07 23:51:14 -06:00
Jacob Robles 724a0e29f6
Update Parsing, Added Rescue 2018-02-07 19:19:58 -06:00
Brent Cook 1af1631ef6 bump cached payload sizes 2018-02-07 08:06:37 -06:00
Jacob Robles 1de8ec1073
Implemented Suggested Changes
Updated documentation headings and function/filename formatting.
Updated module options and formatting. Added check for file to parse.
2018-02-07 08:01:54 -06:00
青鸟 0abee0303f
add change 2018-02-07 03:48:36 +08:00
bluebird 278e9a92fc add module and documentation 2018-02-06 20:30:34 +08:00
Jacob Robles 1233bb855c
msftidy checks 2018-02-05 22:54:03 -06:00
Jacob Robles 1e9e9c9be0
Ulterius Server < v1.9.5.0 Directory Traversal
Adds documentation and module for Ulterius Server
directory traversal vulnerability.
2018-02-05 22:50:09 -06:00
Brendan Coles 41dbae29a6 Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit 2018-02-05 13:47:09 +00:00
Brendan Coles 696817215b Update tested versions 2018-02-05 04:48:52 +00:00
Brendan Coles e158ccb20b Support cleanup for meterpreter sessions 2018-02-04 04:38:53 +00:00
Brendan Coles 74ab02f27b Support meterpreter sessions 2018-02-03 11:55:08 +00:00
UnaPibaGeek eae9c60430 Disclaimer and wget support added and syntax errors fixed. 2018-02-03 02:18:30 -03:00
Adam Cammack 51e098da35
Add scanner for Bleichenbacher oracle (ROBOT) 2018-02-02 16:29:07 -06:00
William Vu c9473f8cbc
Land #9473, new MS17-010 aux and exploit modules 2018-02-01 23:56:29 -06:00
zerosum0x0 ffc7e078e2 don't disconnect until cleanup 2018-02-01 21:46:56 -07:00
h00die 7cb0a118c1
Land #9399 a linux priv esc against apport and abrt 2018-02-01 21:54:54 -05:00
Brendan Coles 3c21eb8111 Update documentation 2018-02-02 02:27:13 +00:00
Jacob Robles bc18389284
Updated Document and Module
Update the documentation based on analysis of the vulnerability.
Slight modifications to the exploit module as well to reduce the
size of the generated file and reduce bad characters.
2018-02-01 10:05:50 -06:00
RageLtMan 812d7ca739 Update native DNS spoofer for Dnsruby
Fix methods relating to answer/question data structures which were
set up for Net::DNS objects in the original implementation
utilizing uppercase letters in the exact same method names.

Testing:
  None yet, completely forgot i even wrote this module till i saw
it in my merge conflicts after upstream merged the PR.
2018-01-31 23:44:51 -05:00
Brendan Coles 0d80ca6f79 Change documentation extension from rb to md 2018-01-31 23:26:30 +00:00
Brent Cook beb4d56f7d
Land #9354, Debut embedded httpd server (Brother printers) DoS 2018-01-31 17:03:13 -06:00
bwatters-r7 8be2b1f59e
Land # 9407, Add BMC Server Automation RSCD Agent RCE exploit module
Merge branch 'land-9407' into upstream-master
2018-01-31 13:35:29 -06:00
Jacob Robles 656bb7f567
Modified DupScout Fileformat Exploit 2018-01-30 09:12:05 -06:00
Tim W 0ce125ec55 more fixes 2018-01-30 17:54:10 +08:00
Tim W 39c07e2289 add references 2018-01-30 17:52:01 +08:00
h00die 08dcb5cc49
Land #9445 fixes for ssl labs scanner module 2018-01-29 20:51:05 -05:00
Jacob Robles d4a0372238
Land #9457, Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow 2018-01-29 11:40:54 -06:00
zerosum0x0 7cc00c0e10 fixed padding/offsets for win 10 2018-01-28 21:10:51 -07:00
zerosum0x0 237c3f7b2c crash 10.14393... should fail to leak transaction 2018-01-28 18:52:43 -07:00
zerosum0x0 2723b328aa misc tidying, added more randomness 2018-01-28 18:20:18 -07:00
zerosum0x0 6c2d5b1fc2 semi-completed exploit files 2018-01-28 18:13:25 -07:00
Brendan Coles 092eb0cd11 Add glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation exploit 2018-01-28 05:11:38 +00:00
Brendan Coles 23f4bf1583 Add documentation 2018-01-27 03:15:06 +00:00
Pedro Ribeiro 54c6aa7629
Add full disclosure URL 2018-01-26 15:35:18 +07:00
Aaron Soto c390696ddf
Land #9379, Oracle Weblogic RCE exploit and documentation 2018-01-25 21:47:18 -06:00
William Vu 309deb9ee7
Land #9446, Post API fix for setuid_nmap 2018-01-25 16:00:40 -06:00
h00die 62573731fe remove empty line 2018-01-24 20:54:21 -05:00
h00die 4be0e7f9ef final fixes for brother debut dos 2018-01-24 20:53:08 -05:00
Daniel Teixeira 4cd5801e6f
Dup Scout Import Command Buffer Overflow 2018-01-24 20:47:46 +00:00
Matthew Kienow 6caba521d3
Land #9424, Add SharknAT&To external scanner 2018-01-24 12:40:29 -05:00
Pearce Barry eb572a3ef5
Land #8632, colorado ftp fixes 2018-01-23 17:45:07 -06:00
bwatters-r7 a27cfeaea9
Land #9416, Sync Breeze Enterprise 9.5.16 Import Command buffer overflow
Merge branch 'land-9416' into upstream-master
2018-01-23 16:35:51 -06:00
bwatters-r7 3922844650
ninja style changes 2018-01-23 16:34:49 -06:00
Adam Cammack d81d50b491
Land #9430, Improve Hyper-V checkvm checks 2018-01-23 15:22:12 -06:00
bwatters-r7 685a950077
Land #9114, Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143)
Merge branch 'land-9114' into upstream-master
2018-01-23 12:35:59 -06:00
William Vu 5684b9ed7c Readd dropped return during refactoring 2018-01-23 10:12:15 -06:00
Adam Cammack be08af5404
More Python style fixes 2018-01-23 09:17:22 -06:00
William Vu d3b3946669 Use Msf::Post::File#setuid? in setuid_nmap 2018-01-23 02:05:26 -06:00
RageLtMan ed47efdadc Silence tidy failures 2018-01-23 02:03:50 -05:00
RageLtMan 721163bd67 Python shell via reverse UDP
Python-based UDP egress shell, another PoC of the protocol used
as a raw transport.
2018-01-23 02:00:56 -05:00
RageLtMan ef1d4ddb03 Add UDP handlers and payloads (redux)
This is a repackaging effort for the work i originally pushed in
6035. This segment of the PR provides UDP session handlers for
bind and reverse sessions, a Windows Metasm stager (really the
TCP stager with a small change), and a pair of socat payloads for
testing simple UDP shells. Netcat or any scripting language with
a sockets library is sufficient to use these sessions as they are
stateless and simple.

Testing of this PR requires rex/core #1 and rex/socket #2

The SSL testing which was being done on 6035 is backed out, left
for a later time when we can do DTLS properly.
2018-01-23 02:00:55 -05:00
Brent Cook 03d1523d43
Land #6611, add native DNS to Rex, MSF mixin, sample modules 2018-01-22 23:54:32 -06:00
Brent Cook a6e5944ec5 fix msftidy, add nicer errors on bind failure 2018-01-22 23:37:39 -06:00
Brent Cook aae77fc1a4
Land #9349, GoAhead LD_PRELOAD CGI Module 2018-01-22 23:10:36 -06:00
Pedro Ribeiro 621868b7fb
Add CVE numbers 2018-01-23 11:26:39 +07:00
Brent Cook d1569f8280
Land #9413, Expand the number of class names searched when checking for an exploitable JMX server 2018-01-22 16:49:01 -06:00
Brent Cook 10fde42adc
Land #9431, Fix owa_login to handle inserting credentials for a hostname 2018-01-22 16:46:39 -06:00
Brent Cook b12953fa85
Land #9404, update module author 2018-01-22 16:41:50 -06:00
Brent Cook 04d305feb3 update SSL Labs scanner with new API, be robust
This updates the SSL Labs scanner to know about new additions to the API, and prevents the module from breaking again just because there is new JSON in the output. I couldn't figure out how to get the Api class to print messages normally, and there is some other output that needs to be added. But the module does work again.
2018-01-22 16:32:16 -06:00
UnaPibaGeek ae93162faf HSTS eraser module 2018-01-22 18:53:16 -03:00
Wei Chen 394c31c1e3 Remove NoMethod Rescue for cerberus_sftp_enumusers
Please see reasons in #9436
2018-01-22 11:10:23 -06:00
Wei Chen 38d056b930
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
Land #9436

Thanks Steve!
2018-01-22 11:07:23 -06:00
Wei Chen 85d018096b Pass password_prompt and non_interactive to fix #8970
Fix #8970
2018-01-22 11:06:12 -06:00
Brent Cook 682c915a09
Land #9267, Add targets to sshexec 2018-01-22 09:59:48 -06:00
Pedro Ribeiro b734af4e79
Add my advisory URL 2018-01-22 22:00:48 +07:00
Pedro Ribeiro c1fe355329
Create exploit for AsusWRT LAN RCE 2018-01-22 21:44:02 +07:00
Brent Cook 69818aea22 update payload sizes 2018-01-21 08:03:07 -06:00
Pearce Barry 2a6b3671bf
Add connection addr+port info to http response object.
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
Steve Embling 8f75d3a46b Possible fix to changes in net::ssh usage 2018-01-19 15:10:14 +00:00
Kevin Kirsche c7d3b5dfbb
Update payload and disable check functionality
The check functionality is broken as MSF cannot handle HttpServer and HttpClient at this time.

The payloads were updated to ensure CVE-2017-10271 is being exploited instead of CVE-2017-3506 as explained on https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/
2018-01-18 13:26:44 -05:00
Brent Cook 7849743789
update stageless python sizes 2018-01-18 00:41:58 -06:00
Pearce Barry e9ce2374e5
Auto-resolve target if it's a hostname (owa_login).
Ensures the module does save the creds which it claims to be saving.  See MS-2968.
2018-01-17 16:47:21 -06:00
Aaron Soto 9328374155
Update 'author' field of metadata 2018-01-17 16:43:37 -06:00
Adam Cammack 0f0b116751
Rename scanner bits to avoid confusion 2018-01-17 14:46:31 -06:00
Aaron Soto 10cf327c26
Improve Hyper-V tests in checkvm
All Win10 machines, physical and virtual, were being reported as 'Hyper-V' (false positives)

Added functionality to extract hostname of physical hypervisor from VM registry
2018-01-17 14:29:03 -06:00
bwatters-r7 4c11eae774
Maybe that timeout is needed..... 2018-01-17 13:21:36 -06:00
Adam Cammack c7894f1d74
Split long lines and add comments 2018-01-17 12:04:12 -06:00
Philippe Tranca 35bec8d3cd Fixed classes names and added RMI interfaces 2018-01-17 17:10:36 +01:00
Philippe Tranca d345008b20 Added all the classes that implement RMI server 2018-01-17 17:03:32 +01:00
bwatters-r7 f439edfa1a Fixes by the fabled wvu 2018-01-17 08:20:52 -06:00
Brent Cook d6e966b079
Land #9414, wp_admin_shell_upload - remove plugin dir after exploitation 2018-01-16 21:08:22 -06:00
Adam Cammack 37bf68869f
Add scanner for the open proxy from 'SharknAT&To' 2018-01-16 21:05:19 -06:00
Brendan Coles 5e11d36351 Add ABRT raceabrt Privilege Escalation module 2018-01-16 14:52:33 +00:00
Brendan Coles 4ade798cef Fix check for juju-run path 2018-01-16 07:19:48 +00:00
William Vu e5bd36da1c
Land #9402, NIS bootparamd domain name disclosure 2018-01-15 15:36:00 -06:00
Daniel Teixeira aa9b5e4419
Sync Breeze Enterprise Import Command 2018-01-15 20:46:40 +00:00
Christian Mehlmauer 2f9eebe28b
remove plugin dir 2018-01-15 14:48:59 +01:00
Philippe Tranca dfb9941e95 Fix java_jmx_server exploit
Add test case when discovering RMI endpoint as the previous one was not complete
2018-01-15 12:13:09 +01:00
Nicky Bloor 333ee893d3 Tidied up platform detection, check method, and minor typos. 2018-01-14 18:28:40 +00:00
Brendan Coles e1cbe4e906 Rename apport_chroot_priv_esc to apport_abrt_chroot_priv_esc 2018-01-14 08:33:43 +00:00
Brendan Coles c234d0523a Add support for abrt on Fedora 2018-01-14 08:33:10 +00:00
Brendan Coles c94763bfe0 Add Juju-run Agent Privilege Escalation module 2018-01-14 05:57:17 +00:00
William Vu 736d438813 Address second round of feedback
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
Nicky Bloor 6568d29b67 Add BMC Server Automation RSCD Agent RCE exploit module. 2018-01-14 01:12:55 +00:00
William Vu 1a8eb7bf2a Update nis_ypserv_map after bootparam feedback
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
William Vu c080329ee6 Update module after feedback
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!
2018-01-13 15:40:11 -06:00
Brendan Coles 2f3e3b486a Use cross-compiled exploit 2018-01-13 05:44:42 +00:00
Brendan Coles d172259f5d
umlaut 2018-01-13 16:06:11 +11:00
William Vu eb8429cbd3
Revert "umlaut"
This reverts commit ffd7073420.
2018-01-12 22:57:22 -06:00
Brendan Coles ffd7073420
umlaut 2018-01-13 15:48:45 +11:00
Jeffrey Martin 1f1dc59d17
Land #9392, python meterpreter whitespace normalization 2018-01-12 21:24:13 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
William Vu 0c9f1d71d3 Add NIS bootparamd domain name disclosure 2018-01-12 19:34:53 -06:00
Brendan Coles 842736f7b1 register_dir_for_cleanup 2018-01-12 14:21:43 +00:00
Agahlot 488f27bf76 Small Typo 2018-01-12 07:05:30 -05:00
RageLtMan c65c03722c Migrate native DNS services to Dnsruby data format
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.

Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.

Testing:
  Internal tests for resolution of different record types locally
and over pivot sessions.
2018-01-12 05:00:00 -05:00
Brendan Coles 8bbffd20cd Add Apport chroot Privilege Escalation exploit 2018-01-12 07:25:35 +00:00
Kevin Kirsche 04e4ff6b3c
Use stop_service to avoid cleanup overload 2018-01-11 19:14:26 -05:00
Kevin Kirsche 40f54df129
Feedback updates 2018-01-11 18:54:58 -05:00
Kevin Kirsche 172ffdfea1
Use geturi instead of building it ourselves 2018-01-11 18:27:56 -05:00
Wei Chen e6c4fb1dab
Land #9269, Add a new target for Sync Breeze Enterprise GET BoF
Land #9269
2018-01-11 16:54:23 -06:00
Wei Chen f395e07fc6 Land #9269, add new target for Sync Breeze Enterprise GET BoF
Land #9269
2018-01-11 16:53:02 -06:00
Kevin Kirsche d4056e72da
Lower the default timeout for CHECK 2018-01-11 17:38:30 -05:00
Kevin Kirsche 3617a30e34
Add URIPATH random URI 2018-01-11 17:33:14 -05:00
Kevin Kirsche a28d4a4b5b
Add check and update for some style considerations 2018-01-11 17:28:09 -05:00
Kevin Kirsche 0d9a40d2e5
Use target['Platform'] instead of target_platform 2018-01-11 15:44:07 -05:00
Kevin Kirsche c490d642e2
Was missing a comma 2018-01-11 09:42:24 -05:00
Kevin Kirsche 3132566d8f
Fix OptFloat error 2018-01-11 09:22:16 -05:00
Kevin Kirsche c05b440f26
Fix additional feedback
This
* uses ternary operators
* uses an `RPORT` option shortcut
* removes the `xml_payload` variable and instead more explicitly uses the method directly
* Uses `OptFloat` for the timeout option to allow partial seconds
2018-01-11 08:17:13 -05:00
William Vu 4b225c30fd
Land #9368, ye olde NIS ypserv map dumper 2018-01-10 22:02:36 -06:00
William Vu f66b11f262 Nix an unneeded variable declaration 2018-01-10 20:24:02 -06:00
Wei Chen 6510ee53bc
Land #9204, Add exploit for Samsung SRN-1670D (CVE-2017-16524)
Land #9204
2018-01-10 20:15:29 -06:00
Wei Chen 18c179a091 Update module and add documentation
This updates the module to pass:

* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes

A documentation is also added.
2018-01-10 20:13:42 -06:00
William Vu b66889ac86 Rescue additional errors and refactor code
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
Wei Chen 7e2c7837e5
Land #9325, Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module
Land #9325
2018-01-10 17:39:50 -06:00
Wei Chen b1f3f471f3 Update phpcollab_upload_exec code (also module documentation) 2018-01-10 17:38:52 -06:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
Tim W 550e9a3d31 fix payload cached size 2018-01-10 15:06:08 +08:00
Wei Chen 8d77f35b16
Land #9373, Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow
Land #9373
2018-01-09 22:40:50 -06:00
Wei Chen 25280e3319 Update labf_nfsaxe and module documentation 2018-01-09 22:39:40 -06:00