Commit Graph

4651 Commits (1963318e70d1c436d0b39241a53f1fce48a1ef0a)

Author SHA1 Message Date
Tod Beardsley fa353e6bd9
Add CVE, IBM ref for SameTime modules 2014-05-22 11:34:04 -05:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Karmanovskii e26dee5e22 Update mybb_get_type_db.rb
19/05/2014
I deleted      -     #return Exploit::CheckCode::Unknown  # necessary ????
2014-05-19 21:32:30 +04:00
William Vu a30d6b1f2d
Quick cleanup for sap_icm_urlscan 2014-05-19 09:21:26 -05:00
William Vu dc0e649a10
Clean up case statement 2014-05-19 09:21:07 -05:00
William Vu bc64e47698
Land #3370, cleanup for sap_icm_urlscan 2014-05-19 09:16:18 -05:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
Meatballs 6b1e4c3a9d
Show loot and error code 2014-05-19 11:17:58 +01:00
Meatballs 848227e18a
401 should be a valid url 2014-05-19 10:59:38 +01:00
Meatballs 5d96f54410
Be verbose about 307 2014-05-19 10:52:06 +01:00
Meatballs 88b7dc3def
re-add content length 2014-05-19 10:46:47 +01:00
Meatballs e59f104195
Use unless 2014-05-19 10:41:01 +01:00
William Vu a97d9ed54f
Land #3148, check_urlprefixes for sap_icm_urlscan 2014-05-17 16:10:52 -05:00
sappirate dd1a47f31f Modified sap_icm_urlscan to check for authentication of custom URLs
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
Karmanovskii 06912ac2b6 Update mybb_get_type_db.rb
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
JoseMi 21cf0a162c Added module to crash capwap dissector in wireshark tool 2014-05-17 11:31:43 +01:00
Christian Mehlmauer 488c3e6b93
Land #3358, @jvazquez-r7 Advantech WebAccess 7.1 SQLI module 2014-05-16 21:26:41 +02:00
jvazquez-r7 2012d41b3d Add origin of the user, and mark web users 2014-05-16 13:51:42 -05:00
jvazquez-r7 4143474da9 Add support for web databases 2014-05-16 11:47:01 -05:00
jvazquez-r7 883d2f14b5 delete debug print_status 2014-05-16 11:13:03 -05:00
jvazquez-r7 ea38a2c6e5 Handle ISO-8859-1 special chars 2014-05-16 11:11:58 -05:00
jvazquez-r7 c9465a8922 Rescue when the recovered info is in a format we can't understand 2014-05-16 08:57:59 -05:00
Tod Beardsley 3c1363b990
Add new SNMP enumeration modules 2014-05-16 08:32:46 -05:00
jvazquez-r7 7ec85c9d3a Delete blank lines 2014-05-16 01:03:04 -05:00
jvazquez-r7 9091ce443a Add suport to decode passwords 2014-05-16 00:59:27 -05:00
William Vu f9982752f3
Land #3362, ax rank for aux/dos mods 2014-05-14 15:20:07 -05:00
Tod Beardsley dc57e31be1
Aux modules don't respect Rank anyway 2014-05-14 15:03:10 -05:00
jvazquez-r7 5b3bb8fb3b Fix @FireFart's review 2014-05-14 09:00:52 -05:00
Karmanovskii cbb84e854c Update mybb_get_type_db.rb
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
jvazquez-r7 a7075c7e08 Add module for ZDI-14-077 2014-05-13 14:17:59 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
William Vu 92a9519fd9
Remove EOL spaces 2014-05-09 18:34:12 -05:00
jvazquez-r7 8c55858eae
Land #3309, @arnaudsoullie's changes for modblusclient 2014-05-08 10:45:19 -05:00
jvazquez-r7 25f13eac37 Clean a little response parsing 2014-05-08 10:44:53 -05:00
Arnaud SOULLIE 1f3466a3a3 Added Modbus error handling.
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
William Vu e8bc89af30
Land #3337, release fixes 2014-05-05 14:03:48 -05:00
jvazquez-r7 b81f94a229
Land #3336, @todb-r7's CVEs addition 2014-05-05 13:43:04 -05:00
Tod Beardsley c6affcd6d3
Fix caps, description on F5 module
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
William Vu 353a50cdd0
Land #3316, Content-Length fix for http_ntlmrelay 2014-05-05 13:38:36 -05:00
Tod Beardsley 3072c2f08a
Update CVEs for RootedCon Yokogawa modules
Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
William Vu a8915f0ed8
Land #3310, OpenSSH timing attack improvements 2014-05-04 19:47:51 -05:00
Tom Sellers a47b883083 Remove redundant simple.connect
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
Tom Sellers b2eeaef475 Add admin check to smb_login
The attached updates changes smb_login to detect if the newly discovered user is an administrator.  It is based on code from Brandon McCann "zeknox" submitted in PR #1373, the associated changes, and the newer PR #2656.
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773.

Specifically it:

 - Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
 - Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
 - Dealt with the issue in PR #2656 where the username was prefixed with a '\'


Verification

Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting

To validate that the remote domain ignores domain value use the following command from a windows system:

net use \\<hostip>\admin$ /user:<random_value>\<username>   <password>
2014-05-02 06:16:21 -05:00
Christian Mehlmauer f7d8a5e3a3 rework the openssl_heartbleed module 2014-05-01 21:43:58 +02:00
jvazquez-r7 d3045814a2 Add print_status messages 2014-05-01 11:05:55 -05:00
jvazquez-r7 cc2e680724 Refactor 2014-05-01 11:04:29 -05:00
jvazquez-r7 28e9057113 Refactor make_payload 2014-05-01 10:23:33 -05:00
jvazquez-r7 bd124c85cb Use metadata format for actions 2014-05-01 09:52:55 -05:00
William Vu 7777202045
Deconflict #3310 and correct the description 2014-04-30 12:02:57 -05:00
jvazquez-r7 9cd6c5ef2b
Land #3297, @Th4nat0s's F6 backends disclosure module 2014-04-30 09:31:37 -05:00
jvazquez-r7 4e80e1c239 Clean up pull request code 2014-04-30 09:31:07 -05:00
Tod Beardsley a5983b5f57
Light touchup on FP checker 2014-04-29 16:14:41 +01:00
Tod Beardsley 88efeea378
Add a false positive check 2014-04-29 16:07:42 +01:00
Arnaud SOULLIE e386855e0e Add ACTIONS descriptions 2014-04-29 16:55:05 +02:00
Tod Beardsley 4d76128937
Merge upstream and deconflict #3310 whitespace 2014-04-29 15:32:32 +01:00
Arnaud SOULLIE 04f2632972 Implement jvazquez-r7 comments 2014-04-29 16:09:47 +02:00
Rich Lundeen 60b9f855b4 Bug with HTTP POST requests (content type sent twice) 2014-04-28 18:44:02 -07:00
jvazquez-r7 4caf03b92f
Land #3301, @nodeofgithub's patch for sercomm module 2014-04-28 17:19:47 -05:00
Thanat0s 70314494ca test nil of port & host 2014-04-28 23:33:01 +02:00
Thanat0s fe3f7fd76a Obey to reviewer.. code fix 2014-04-28 23:26:29 +02:00
Tod Beardsley a6edd94c7f
Just fix refs and desc for release 2014-04-28 19:47:15 +01:00
Tod Beardsley a7e110be9e
Add a peer method, elaborate desc and prints 2014-04-28 19:41:44 +01:00
sinn3r 829b9ff4ff
Land #3308 - Fix smb_login using error_reason 2014-04-28 12:33:24 -05:00
Arnaud SOULLIE a0add34a7d Removed warning message and changed default unit number to 1 2014-04-28 15:47:10 +02:00
Pedro Laguna ab913a533e Update oracle_demantra_file_retrieval.rb
Fixed typo
2014-04-28 14:36:48 +01:00
Arnaud SOULLIE a2ccbf9833 Add read/write capabilities to modbusclient 2014-04-28 15:29:55 +02:00
Zinterax fb39e422aa Fix smb_login calling nonexistent method
When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError:

Auxiliary failed: NoMethodError undefined method `error_reason' for #<Rex::Proto::SMB::Exceptions::InvalidWordCount:0x007f48fcda0e48>

This changes uses the built in method get_error to return an error code.

[-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0]
2014-04-28 09:28:29 -04:00
Thanat0s 2396d497d8 move scanner to gather 2014-04-28 12:57:54 +02:00
Thanat0s 3bfa8ea707 Pass msftidy 2014-04-28 12:53:49 +02:00
Thanat0s f34cfefb8f Change hash to array 2014-04-28 12:52:46 +02:00
Thanat0s 6610977e86 add cookie.match and alway return 2014-04-28 12:39:32 +02:00
Thanat0s d5fe8471ed unless id 2014-04-28 12:16:49 +02:00
Thanat0s 328acc44fa Start cleaning as requested 2014-04-28 11:32:46 +02:00
nodeofgithub b80d366bb7 Add filter to output WPA-PSK password on Netgear DG834GT 2014-04-26 15:52:31 +02:00
William Vu c2bb26590c
Land #3250, version handling for Heartbleed server 2014-04-25 00:17:26 -05:00
Ramon de C Valle fd232b1acd Use the protocol version from the handshake
I used the protocol version from the record layer thinking I was using
the protocol version from the handshake. This commit fix this and uses
the protocol version from the handshake instead of from the record layer
as in https://gist.github.com/rcvalle/10335282, which is how it should
have been initially.

Thanks to @wvu-r7 for finding this out!
2014-04-25 01:48:17 -03:00
Christian Mehlmauer ef815ca992
Land #3288, Postgres support for Heartbleed scanner 2014-04-24 18:03:13 +02:00
Spencer McIntyre 9ccb9397e3
Land #3264, throttl and csv output support for module 2014-04-23 19:00:28 -04:00
Spencer McIntyre e2b92a824f Change white space for authors in dns_reverse_lookup 2014-04-23 18:56:27 -04:00
William Vu 15bd92dd50
Fix OpenSSH timing attack module 2014-04-23 10:10:37 -05:00
William Vu 0a108acea3
Fix missing comma
Commas will be the death of me.
2014-04-23 10:10:12 -05:00
William Vu 6d7fde4302
Land #3157, OpenSSH user enumeration timing attack 2014-04-23 10:01:10 -05:00
William Vu 1a2899d57b
Fix up whitespace 'n' stuff 2014-04-23 10:00:34 -05:00
Thanat0s 457c48b89b Error on sleep 2014-04-23 11:38:23 +02:00
Jonathan Claudius d70aa4cdbb Fix MSFTidy complaints 2014-04-22 22:07:25 -04:00
Jonathan Claudius b3cabaaa28 Clean up some formatting concerns 2014-04-22 21:58:14 -04:00
Jonathan Claudius f71ad111da Change return values from nil to false 2014-04-22 21:48:16 -04:00
Jonathan Claudius 3d793fc6f1 Add default VPN group fall back 2014-04-22 21:45:04 -04:00
Jonathan Claudius 4d9ece2f9a Add hyphens and digits to group regex 2014-04-22 21:34:08 -04:00
kenkeiras 96f042110f return is not needed when it's the last lifunction line 2014-04-22 22:33:47 +02:00
kenkeiras c9d8da991a Use Rex.sleep instead of select 2014-04-22 22:33:19 +02:00
kenkeiras d2a558dc85 Removed unused code 2014-04-22 22:33:02 +02:00
Wiesław Kielas 8f6567967d Heartbleed PostgreSQL TLS support improvements 2014-04-22 17:36:06 +02:00
Wiesław Kielas fbe392a896 Add PostgreSQL TLS support to the Heartbleed scanner 2014-04-21 23:27:40 +02:00
Tod Beardsley e514ff3607
Description and print_status fixes for release
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
William Vu 1faf069130
Land #3284, deprecated module cleanup 2014-04-20 23:10:55 -05:00
James Lee ee413ac385
Remove previously deprecated modules 2014-04-20 22:15:44 -05:00
kenkeiras b8e0187647 Use OptPath for file path options 2014-04-18 21:56:17 +02:00
kenkeiras fb0af8a799 Remove unnecesary ssh_socket variable 2014-04-18 21:50:54 +02:00
kenkeiras c875bdadf5 Change THRESHOLD into a datastore option 2014-04-18 21:18:48 +02:00
kenkeiras 8a3329c891 Password made pseudo-random instead of a bunnch of A's 2014-04-18 21:10:34 +02:00
kenkeiras 47ff820a83 Remove unnecesary 'RHOST' deregister 2014-04-18 21:06:46 +02:00
kenkeiras cc2d4f9ed7 Remove unnecesary @good_credentials 2014-04-18 21:03:22 +02:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
jvazquez-r7 c4d4af031c
Land #3276, @todb-r7's "make msftidy happy"'s fix 2014-04-18 09:54:52 -05:00
jvazquez-r7 5083143971
Land #3238, @Zinterax's timeout addition in openssl_heartbleed 2014-04-18 09:28:04 -05:00
Tod Beardsley 2a729c84f6
Fix disclosure date 2014-04-18 09:27:41 -05:00
jvazquez-r7 8a011ec9f6
Land #3197, @0x3fcoma's module for CVE-2013-5795 and CVE-2013-5880 2014-04-18 08:58:54 -05:00
jvazquez-r7 f3299e3ced Do minor code cleanup 2014-04-18 08:58:11 -05:00
jvazquez-r7 2366f77226 Clean timeout handling code 2014-04-18 08:16:28 -05:00
Zinterax e38f4cbfa0 Apply response_timeout to get_once, code cleanup
Add response_timeout to get_once

Change timeout output in establish_connect()

Add disconnect ater timeout output

Made establish_connect timeout check more readable
2014-04-18 07:57:33 -04:00
Zinterax fab091ca88 Fix Action => DUMP
Fix for when Action is set to DUMP. Modifed the check to use action.name.

Console output:

msf auxiliary(openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Heartbeat data stored in /root/.msf4/loot/20140418070745_default_192.168.1.3_openssl.heartble_135938.bin
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:08:12 -04:00
Zinterax 1cf1616341 Rebase. Add timeout option support
Rebase to account for the KEYS merge.

Modify bleed() to work with timeout option.

Modify establish_connect() to work with timeout option.

Modify loot_and_report() to work with timeout option.

---Test Console Output---

Client Hello Timeout:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[-] 127.0.0.1:443 - No Client Hello response after 10 seconds...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched Apache:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[*] 127.0.0.1:443 - Sending Heartbeat...
[-] 127.0.0.1:443 - No Heartbeat response...
[-] 127.0.0.1:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Vulnerable Server:

msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:04:05 -04:00
Zinterax 021ac53911 remove me 2014-04-18 07:03:36 -04:00
Jonathan Claudius 01d843f78f Handle certificate auth nuances 2014-04-17 20:24:19 -04:00
Jonathan Claudius 6daae961cb Add parameterized requests for detection/enumeration 2014-04-17 19:40:27 -04:00
Tod Beardsley 845108acf6
Looks like an autocorrect ran wild on TLS_CALLBACK
Whoops.
2014-04-17 17:47:47 -05:00
Tod Beardsley 2aa2cb17f3
Reimplement a check. 2014-04-17 17:10:54 -05:00
Tod Beardsley d40ab039e4
Clean up whitespace. Protip: use commit hooks 2014-04-17 16:28:07 -05:00
Tod Beardsley c34d548e50
First, undo #3252. Sorry about that.
undo #3252 completely. This means a reimplementation of @dchan's work,
but his intent was simply to implement a check_host() that doesn't
actually pull memory, so that should be pretty straight forward with the
new structure of the module.
2014-04-17 16:25:15 -05:00
Jeff Jarmoc e3daf6daf7 Singular 'TLS_CALLBACK' option 2014-04-17 15:51:37 -05:00
Jeff Jarmoc 6c832e22d6 rename scan to loot_and_report 2014-04-17 15:47:57 -05:00
Jeff Jarmoc c12eae66b3 Error and return if public key wasn't retrieved. 2014-04-17 15:44:40 -05:00
Jeff Jarmoc 578002e016 KEYS action gets it's own function 2014-04-17 15:39:05 -05:00
Tod Beardsley 5b0b5d9476
Land #3252, check() functionality for Heartbleed 2014-04-17 15:34:35 -05:00
Tod Beardsley a2d6c58374
Changing << to + per @jlee-r7 2014-04-17 15:34:13 -05:00
Jeff Jarmoc 9f30976b83 Heartbleed RSA Keydump
Flattened, merge conflicts resolved, etc.
2014-04-17 14:30:47 -05:00
Jonathan Claudius 7ddd93cf5d Add redirect support to #is_app_ssl_vpn? 2014-04-17 12:06:29 -04:00
Jonathan Claudius 0c5fb8c0c2 Fix bug in group enumeration regex 2014-04-17 10:31:05 -04:00
Christian Mehlmauer 71a650fe6e
Land #3259, XMPP Hostname autodetect by @TomSellers 2014-04-17 08:54:15 +02:00
Tom Sellers 1f452aab48 Code cleanup
Changes requested by wvu-R7
2014-04-17 12:46:25 -05:00
Tom Sellers 9e2285619e Additional cleanup
Whitespace cleanup
2014-04-17 10:46:33 -05:00
Jonathan Claudius f53e7f84b8 Adds Cisco SSL VPN Bruteforce Aux Mod 2014-04-16 22:47:58 -04:00
Tom Sellers ee0d30a1f3 Whitespace fix
Removing extra line feeds
2014-04-16 17:27:39 -05:00
Tom Sellers 92eab6c54b Attribution addition
Per comment from Firefart
2014-04-16 17:26:09 -05:00
Tom Sellers 1f3ec46b8a Heartbleed - Add autodetection of XMPP hostname (round 2)
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.

This version addresses issues that FireFart (Thanks!) brought up about code quality and connection reliability.
2014-04-16 08:49:45 -05:00
sinn3r 7a4e12976c
First little bit at Bug 8498
[FixRM #8489] rhost/rport modification
2014-04-15 18:20:16 -05:00
sinn3r d7513b0eb2 Handle nil properly when no results are found 2014-04-15 18:19:29 -05:00
Tod Beardsley 9db01770ec
Add custom rhost/rport, remove editorializing desc
Verification:

````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````

...etc.
2014-04-14 21:46:05 -05:00
Tod Beardsley 40a359f312 Include a vhost for Shodan or else it complains
Works now. The rhost option was not keeping the custom vhost option.

````
msf auxiliary(shodan_search) > rexploit
[*] Reloading module...

[*] Total: 13443 on 269 pages. Showing: 1
[*] Country Statistics:
[*] United States (US): 2006
[*] Germany (DE): 1787
[*] Korea, Republic of (KR): 1061
[*]     Italy (IT): 916
[*] Hungary (HU): 604
[*] Collecting data, please WaitUntilAuthEmptyt...

IP Results
==========
````
2014-04-14 21:23:27 -05:00
Tod Beardsley 1436f68955
Fix shodan to not muck with datastore 2014-04-14 21:21:11 -05:00
Tod Beardsley 9035d1523d
Update wol.rb to specify rhost/rport directly
- [ ] Fire up tcpdump on the listening interface
 - [ ] Run the module and see the pcap:

listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
Tom Sellers 0360d1177f Heartbleed - Add autodetection of XMPP hostname
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server.  This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS.  The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
2014-04-14 20:09:21 -05:00
Thanat0s 07ed8d832a Update db 2014-04-15 02:48:55 +02:00
David Chan 1a73206034 Add detection for GnuTLS with with multiple records 2014-04-14 17:09:25 -07:00
Thanat0s fecdbd1781 F5 bigip cookie module 2014-04-15 01:11:17 +02:00
Thanat0s 176204d62d With implemented remarks 2014-04-14 21:11:04 +02:00
Tom Sellers 634a03a852 Update to openssl_heartbleed to deal with SMTP RFC
Added CR character in order to have the commands match SMTP RFC 5321 2.3.8 for line termination. Some SMTP services, such as the Symantec Mail Gateway, require strict compliance or the connection will be dropped with the response  '550 esmtp: protocol deviation'

Reference:
   http://www.symantec.com/business/support/index?page=content&id=TECH96829
   http://tools.ietf.org/html/rfc5321#section-2.3.8
2014-04-14 13:27:33 -05:00
David Maloney c537aebf0f
Land #3228, JtR colon Seperation 2014-04-14 11:19:16 -05:00
Thanat0s dd7bceee56 fix threaded issues 2014-04-12 17:43:39 +02:00
Thanat0s d493c48cc6 add thottling,notes insert and output to dns_rev_lookup 2014-04-12 16:36:18 +02:00
Ramon de C Valle 039946e8d1 Use the first cipher suite sent by the client
If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
first cipher suite sent by the client. This complements the last commit
and makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282).
2014-04-12 05:05:14 -03:00
Ramon de C Valle b95fcb9610 Use the protocol version sent by the client
Use the protocol version sent by the client. This should be the latest
version supported by the client, which may also be the only acceptable.
This makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282).
2014-04-12 04:21:35 -03:00
David Chan 6fafc10184 Add HeartBleed check functionality 2014-04-12 00:07:00 -07:00
Sebastiano Di Paola a63f020a68 Fixing coding style 2014-04-11 19:39:57 +02:00
Sebastiano Di Paola 4acacb005d Fixed a bug...referring to wrong variable after filtering with regexp 2014-04-11 19:33:23 +02:00
Sebastiano Di Paola 83fe1cec65 Cleaned up Array.join call 2014-04-11 19:24:32 +02:00
Sebastiano Di Paola 55ec969bd9 Renamed FILTER -> DUMPFILTER, more intuitive and coherent 2014-04-11 19:07:57 +02:00
Sebastiano Di Paola 8268009b36 Renamed PATTERN_FILTER -> FILTER 2014-04-11 19:03:25 +02:00
Sebastiano Di Paola c378fe95c1 Added missing space in comment 2014-04-11 19:01:01 +02:00
Sebastiano Di Paola f8f710547c Fixed call to String.match with regexp pattern 2014-04-11 18:59:59 +02:00
Sebastiano Di Paola 638cb41a3f Remove Spaces at EOL, fixed if test on pattern variable 2014-04-11 18:58:05 +02:00
Sebastiano Di Paola 34fa4e29d9 Restored FTP option 2014-04-11 18:16:19 +02:00
Sebastiano Di Paola eb0e35bf25 Fixed store on file option 2014-04-11 18:07:14 +02:00
Sebastiano Di Paola c4029ea582 - Rubbish that was left dangling here around 2014-04-11 17:20:54 +02:00
Sebastiano Di Paola 1808fe470a fixed conflicts, used OptRegexp for pattern 2014-04-11 17:16:06 +02:00
Sebastiano Di Paola 4315ad2987 Fixed conflict and used OptRegexp type for pattern 2014-04-11 17:15:39 +02:00
jvazquez-r7 813e0eab89
Land #3233, @wvu-r7's improvements fort heartbleed modules 2014-04-11 09:33:57 -05:00
jvazquez-r7 e2ec53272e Fix also negative numbers 2014-04-11 09:33:27 -05:00
jvazquez-r7 fb5881d8e2
Land #2324, @sensepost and @Firefart's sftp support for heartbleed 2014-04-11 08:47:22 -05:00
jvazquez-r7 2134d676b4 Use verbose by default 2014-04-11 07:58:56 -05:00
Tod Beardsley 56662bd89b
Correct corpwatch_lookup_name datastore usage
[SeeRM #8498]
2014-04-10 16:56:55 -05:00
Tod Beardsley 06dedeec8f
Update corpwatch_lookup_id to run correctly
[SeeRM #8498]
2014-04-10 16:52:34 -05:00
William Vu 6675464c20
Fix a few things in the Heartbleed modules 2014-04-10 16:06:40 -05:00
Sebastiano Di Paola 9adf629ee7 Added feature to dump to file leaked memory 2014-04-10 22:51:07 +02:00
Christian Mehlmauer f115a7f6e1
Fix intendation 2014-04-10 02:52:05 +02:00
gigstorm f1443c039e Updated hash value to SSLv3
Tested and working on server that has SSLv3 only enabled
2014-04-11 14:01:28 -07:00
gigstorm 6ab3478c7e Update to include SSL Version 3 protocol
SSL Version 3 will also respond to this and a server configured to respond to SSL version 3 but not TLS will show false negative without this option (proven).  May need to update cipher suites to include this option.
2014-04-11 12:41:17 -07:00
James Lee f54654a326
More refactor on jtr_linux
Reducing complexity in `run` makes modules easier to read
2014-04-09 19:26:34 -05:00
James Lee 7f900c2628
Micro optimizations for jtr_linux 2014-04-09 19:26:23 -05:00
James Lee 46038d58b7
Refactor jtr_linux copy pasta
Move it to a nifty method
2014-04-09 19:26:11 -05:00
Christian Mehlmauer 4fc272c0e9
Fix merge error 2014-04-10 00:53:14 +02:00
jvazquez-r7 f398924280
Land @Firefart's new fix for the jabber case 2014-04-09 17:52:53 -05:00
Christian Mehlmauer 98816c3a01
Added @sensepost FTP implemenation 2014-04-10 00:48:09 +02:00
singe ccfcf2cedb Added FTP STARTTLS support to heartbleed scanner. 2014-04-10 00:45:59 +02:00
jvazquez-r7 c0e682b518
Land #3225, @wvu-r7's and @hmoore-r7's improvements for openssl_heartbeat_client_memory 2014-04-09 17:39:04 -05:00
jvazquez-r7 ccdc5bd281 Switch to get since @wvu-r7 also tested successfully with get 2014-04-09 17:30:00 -05:00
William Vu b905aece38 Fix job not backgrounding 2014-04-09 17:03:57 -05:00
HD Moore ed247498b6 Make TLS negotiation optional 2014-04-09 17:03:38 -05:00
sinn3r 2de210f1c3
Land #3216 - Update @Meatballs1 and @FireFart in authors.rb 2014-04-09 16:38:10 -05:00
William Vu f56f34fb69
Land #3212, @hmoore-r7's client-side Heartbleed 2014-04-09 15:42:36 -05:00
Christian Mehlmauer a86a8fed05
Changed heartbleed jabber implementation to match openssl s_client
see here for example implementation:
https://github.com/openssl/openssl/blob/master/apps/s_client.c#L1719
2014-04-09 22:20:32 +02:00
William Vu 2f9a400efa
vprint_status the other message message 2014-04-09 15:11:02 -05:00
William Vu 84ce72367b
Make the output less verbose 2014-04-09 14:57:51 -05:00
Christian Mehlmauer 856ad7e83d
heartbleed - Better output on wrong jabber domain and add. nil? check 2014-04-09 21:53:17 +02:00
Jeff Jarmoc 7a424784f8 Change default TLS Version to 1.0
Canonical testing shows this to be more widely supported, and yielding far more vulnerable hosts.  Changing default to reflect that.

Experience of others in #metasploit seems similar.
2014-04-09 13:45:00 -05:00
Christian Mehlmauer fec089d88d
Land #3219, openssl_heartbleed XMPP fix from @natronkeltner 2014-04-09 20:42:55 +02:00
Christian Mehlmauer e2b50d3709
fix openssl_heardbleed
-) XMPP Domain now configurable
-) Missing get_once to initiate the TLS connection
2014-04-09 20:39:33 +02:00
jvazquez-r7 5696e52fac Fix jabber to field 2014-04-09 13:48:45 -05:00
jvazquez-r7 28a471e446
Land #3221, @Firefart's fix for pop3 starttls 2014-04-09 13:31:45 -05:00
jvazquez-r7 bea810b5d6 Add jabber fix from @natronkeltner 2014-04-09 13:11:45 -05:00
jvazquez-r7 157fb5a905 Make title more searchable 2014-04-09 12:08:35 -05:00
jvazquez-r7 58f4a1c085 Usee loop do instead or while true 2014-04-09 11:48:45 -05:00
Tod Beardsley 76a9381b2a
Make the title of the Heartbleed module searchable
Right now, the title does not actually tie the Heartbeat check to the
Heartbleed attack, so people searching strictly on module title are not
going to get a hit for this module.
2014-04-09 11:03:01 -05:00
jvazquez-r7 bc36b9ebd6 Delete server side PoCs as referecences because don\'t apply here 2014-04-09 10:58:59 -05:00
jvazquez-r7 fd90203120 Change some variable names to make code reading easier 2014-04-09 10:56:50 -05:00
Christian Mehlmauer 899a7c9ea4
heartbleed bugfix for pop3 2014-04-09 17:51:44 +02:00
Tod Beardsley 062175128b
Update @Meatballs and @FireFart in authors.rb 2014-04-09 10:46:10 -05:00
Tod Beardsley 3849d1517f
Restore author credit 2014-04-09 09:42:39 -05:00
jvazquez-r7 e154d175e8 Add @hmoore-r7's heartbeat client side module 2014-04-09 09:38:11 -05:00
jvazquez-r7 8d38087a10 Fix case / when indention 2014-04-09 09:12:55 -05:00
Christian Mehlmauer 0e0fd20f88
Added RFC link 2014-04-09 15:19:29 +02:00
Christian Mehlmauer a0a5b9faa1
Fix heartbleed module
-) incorrect length read
-) Parse TLS errors
2014-04-09 15:08:24 +02:00
jvazquez-r7 a93e22b5c0
Land #3209, @Firefart's heartbleed's module fix 2014-04-09 06:38:06 -05:00
julianvilas 4e7c675f3c Fix typo, extraquote in message 2014-04-09 10:22:15 +02:00
Christian Mehlmauer cdfe333572
updated heartbleed module
-) Heartbeat length was added twice
-) Use the current date for the TLS client_hello
2014-04-09 09:19:05 +02:00
William Vu dd69a9e5dd
Land #3206, OpenSSL Heartbleed infoleak 2014-04-08 20:12:00 -05:00
William Vu 5e314f2a7c
Fix outstanding issues 2014-04-08 20:11:28 -05:00
jvazquez-r7 a4e1d866e1 Favor nil? 2014-04-08 18:21:49 -05:00
jvazquez-r7 153e003e23 Do small fixes 2014-04-08 18:21:09 -05:00
jvazquez-r7 39aecb140a Use the datastore option 2014-04-08 16:55:08 -05:00
jvazquez-r7 496dd944e6 Add support for datastore TLSVERSION 2014-04-08 16:51:50 -05:00
jvazquez-r7 d51aa34437 Use Random generation Time as pointed by @Firefart 2014-04-08 16:46:15 -05:00
jvazquez-r7 d964243cc4 Move heartbeat length to a variable 2014-04-08 16:33:05 -05:00
jvazquez-r7 3d6c553efd Fix endianess 2014-04-08 16:29:31 -05:00
jvazquez-r7 373b05c5aa Minimize extensions in the Hello 2014-04-08 16:21:38 -05:00
jvazquez-r7 3254cce832 Align comment 2014-04-08 16:04:38 -05:00
jvazquez-r7 c20b71e7b6 Switch to vprint unless success 2014-04-08 16:03:38 -05:00
jvazquez-r7 7dbd690c99 Add new references 2014-04-08 16:01:06 -05:00
jvazquez-r7 a55579dd4a Fix references 2014-04-08 15:56:56 -05:00
jvazquez-r7 4004cd8f9a Allow hello data to grow dinamically 2014-04-08 15:52:39 -05:00
jvazquez-r7 b8e2c9fe42 Clean and fix @Firefart's code 2014-04-08 15:32:13 -05:00
jvazquez-r7 80bdbbed92 Solve conflict 2014-04-08 15:18:38 -05:00
Christian Mehlmauer 8c7debb81d
Added some comments and modified JABBER 2014-04-08 22:13:02 +02:00
jvazquez-r7 021da84459 Add authors and switch and's format 2014-04-08 15:10:27 -05:00
Christian Mehlmauer 9c053a5b91
Added additional protocols 2014-04-08 21:56:05 +02:00
jvazquez-r7 5f29026cb2 Complete @Firefart's module 2014-04-08 14:13:56 -05:00
Tod Beardsley 17ddbccc34
Remove the broken lorcon module set
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.

I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.

Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.

````
msf auxiliary(wifun) > show options

Module options (auxiliary/dos/wifi/wifun):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHANNEL    11               yes       The initial channel
   DRIVER     autodetect       yes       The name of the wireless driver
for lorcon
   INTERFACE  wlan0            yes       The name of the wireless
interface

msf auxiliary(wifun) > run

[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
Christian Mehlmauer ac0cafcca6
Initial commit for openssl Heartbleed bug 2014-04-07 21:15:54 +02:00
coma 44640b126c Add Oracle Demantra 2013-5795 (Database Credentials Retrieval) 2014-04-07 11:42:47 -07:00
silascutler 7b9b20a07e Corrected Spaces Issues
Removed extra spaces on line 23&24
2014-04-07 14:30:52 -04:00
Tod Beardsley 7572d6612e
Spelling and grammar on new release modules 2014-04-07 12:18:13 -05:00
sinn3r 0c883723ba
Land #3149 - Oracle Demantra Arbitrary File Retrieval with auth bypass 2014-04-07 11:11:55 -05:00
sinn3r 31dfae3a01 Follow the 100 columns per line guideline 2014-04-07 11:10:20 -05:00
sinn3r de242ecc00 Correct date format
Hmm weird, msftidy didn't pick this up
2014-04-07 11:09:27 -05:00
Karmanovskii 5dbd124ef9 Update mybb_get_type_db.rb 2014-04-05 02:53:43 -07:00
Karmanovskii c035715a71 Update mybb_get_type_db.rb
Changed the name of the variable _Version_server on _version_server according to the recommendation of jvazquez-r7
2014-04-05 02:50:53 -07:00
Spencer McIntyre 395f5beef8
Land #3178, http header scan module 2014-04-04 11:36:35 -04:00