79b2a23dff
Land #5015 , @espreto file traversal scanner for RIPS
2015-04-03 15:35:58 -05:00
ce6e5e12d8
Make depth an option
2015-04-03 15:33:27 -05:00
70fad73092
Add metadata
2015-04-03 15:27:28 -05:00
e3bbb7c297
Solve conflicts
2015-04-03 14:57:49 -05:00
e729185804
Land #5051 , @nullbind's new options for mssql_enum_domain_accounts_sqli
2015-04-03 14:44:20 -05:00
fe9fbfd157
Make calculations easier
2015-04-03 14:43:01 -05:00
6c36a82f78
Land #5059 , @void-in's documentation clean up
2015-04-03 14:16:34 -05:00
828301a6cc
Land #5050 , @wchen-r7's exploit for Solarwinds Firewall Security Manager
...
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
7c9b19c6f8
Do minor cleanup
2015-04-03 11:53:50 -05:00
452ebcf9ad
travis
2015-04-03 16:29:35 +05:00
be829e77ba
cravis error solve
2015-04-03 16:25:18 +05:00
4bd40fed7f
yard doc and comment corrections for auxiliary
2015-04-03 16:12:23 +05:00
16cb334325
Land #5065 : OJ fix missed merges for uri_checksum and others
2015-04-02 22:53:29 -05:00
fd043d4842
Fix up build and missing uri_checksum stuff
...
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
2015-04-03 13:42:25 +10:00
0f7c644fff
Land #4784 , JBoss Seam 2 upload exec exploit
2015-04-02 22:32:35 -05:00
5b5dc3ef59
Merge branch 'upstream/master' into stageless-x64
...
Merge required adjustment of the proxy datastore names that were changed.
2015-04-03 08:53:09 +10:00
3ff91d74ca
More cleanup, mostly abysssec
...
[See #5012 ]
2015-04-02 16:16:38 -05:00
11057e5b3b
Fix up the last couple from Tenable, missed last
...
[See #5012 ]
2015-04-02 15:27:46 -05:00
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
6d5bcb93a8
Normalize the SecurityXploded Team credits
...
[See #5012 ]
2015-04-02 15:15:37 -05:00
6532fad579
Remove credits to Alligator Security Team
...
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.
The one that didn't was credited to dflah_ specifically, so merely
changed the author name.
Longer description, if needed, wrapped at 72 characters.
[See #5012 ]
2015-04-02 15:12:22 -05:00
db5293eeee
Lands #5054 , adds a module for the Ceragon mateidu SSH issue
2015-04-01 14:32:56 -05:00
b17727d244
Switching to privileged => false
2015-04-01 14:35:45 -05:00
a592f645f0
Land #5039 , Webdorado gallery wd 1.2.5 unauthenticated SQLi scanner
2015-04-01 14:34:58 -05:00
0825534d2c
Fix reference
2015-04-01 14:16:45 -05:00
8ec71e9daf
Add a module for R7-2015-05
2015-04-01 14:05:41 -05:00
02a5730d92
Use calculate_interface_hash
2015-04-01 12:09:42 -05:00
0b14a18ad2
This is final
2015-04-01 12:00:49 -05:00
f954ff78c0
Fix typo
2015-04-01 10:51:54 -05:00
91aeef0a8a
added startrid and endrid
2015-04-01 10:09:13 -05:00
0ee858cd65
Some useful messages
2015-04-01 01:41:31 -05:00
8ad07cdc0f
This should be on the right track
2015-04-01 01:27:50 -05:00
24171a1a08
Land #5045 : Convert stageless proxy to new format
2015-04-01 12:06:57 +10:00
6795c90eac
Some progress
2015-03-31 20:46:34 -05:00
97305629cb
Add Solarwinds FSM module
...
starter
2015-03-31 16:21:52 -05:00
34ff94e0da
Fix the proxy user/pass options
2015-03-31 15:49:43 -05:00
df15892958
Convert stageless proxy settings to the new format
2015-03-31 15:46:15 -05:00
a39ba05383
Functional Payload UUID embedding via PayloadUUIDSeed
2015-03-31 15:44:18 -05:00
63da27ece0
add missing HKLM root to regkey
...
the chevkm windows psot module had HKLM
missing from the front of one of it's reg key
paths. This was missed in Rails 3 due to the
error being swallowed unexpectedly. in rails 4
we actually see this cause a stack trace
MSP-12384
2015-03-31 14:17:18 -05:00
d1318d1b48
Fixups for release
2015-03-31 11:02:12 -05:00
633b46874d
Merge branch 'upstream/master'
2015-03-31 14:53:48 +10:00
e73286cfa5
update stale references
2015-03-30 17:17:48 -05:00
253e5d7dff
Include correct module, remove specified encoder type
2015-03-31 07:23:51 +10:00
613f4777ce
Land #5024 , add joomla_ecommercewd_sqli_scanner.rb
2015-03-30 12:45:09 -05:00
8ea1ffc6ff
Land #5030 , CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
ee404713f1
Land #5014 , @wchen-r7's module for MS14-052
...
* As auxiliary module to gather info about existent local files
2015-03-30 11:02:56 -05:00
8ff54ff98d
Add msb reference
2015-03-30 10:58:08 -05:00
9af1e76bf7
Obfuscate js
2015-03-30 10:52:01 -05:00
c7fa01c5ae
Rename file
2015-03-30 10:39:33 -05:00
c28cc66398
Add x64 bind_tcp and reverse_ipv6_tcp
...
Also fix up a couple of modules to use Metasploit4 instead of
Metasploit3.
2015-03-30 18:59:30 +10:00
26792975eb
Refactor of code to reduce duplication
...
Add mixin for the stageless http preparation
2015-03-30 13:18:56 +10:00
f8851551c5
Add initial x64 stageless meterrpeter module
2015-03-30 11:23:51 +10:00
ce8f6d72e1
More work on x64 stageless
...
Testing with HD's new changes that allow for generation of larger x64
payloads
2015-03-30 09:51:04 +10:00
28b9e89963
removed duplicate "uses" from description
2015-03-29 19:40:31 -04:00
17dc2b184d
Merging upstream/master
2015-03-30 09:12:20 +10:00
c430e5fab1
@m7x forgot to put a reference in
2015-03-29 02:13:31 +01:00
de2bf0181c
add first pass at gallerywd sqli scanner
2015-03-28 16:15:51 -05:00
9f0483248c
add TARGETURI datastore option
2015-03-28 15:46:41 -05:00
2ed9489f38
Delete load line
2015-03-28 20:31:35 +00:00
99f79e8533
Use incognito token stealing rather than process migration if we have
...
the privileges required for successful impersonation.
2015-03-28 20:31:35 +00:00
f83f4ae764
Move hashdump to gather
2015-03-28 20:31:35 +00:00
e2af15a0df
Refactor MSSQL Post
2015-03-28 20:31:35 +00:00
1558190a9d
Add module mssql_local_hashdump
2015-03-28 20:31:35 +00:00
6ede476423
Update joomla_ecommercewd_sqli_scanner.rb
2015-03-28 08:38:12 -05:00
ef8c0aac69
Land #5020 , spelling fixes for some modules
2015-03-28 00:36:04 -05:00
0dbd8544b4
Update joomla_ecommercewd_sqli_scanner.rb
2015-03-27 21:20:59 -05:00
31be47d5bc
Create joomla_ecommercewd_sqli_scanner.rb
2015-03-27 20:25:33 -05:00
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
9cfafdd8b8
Land #4649 , improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
4f4bf9debb
paylod vs payload
2015-03-27 11:55:15 -07:00
0a8fe781d1
paylod vs payload
2015-03-27 11:54:14 -07:00
5ba614a325
payloda vs payload
2015-03-27 11:53:20 -07:00
2d81460583
Explot vs Exploit
2015-03-27 11:37:11 -07:00
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
48484c1f09
Filed vs Failed fix
2015-03-27 11:27:36 -07:00
3e104fd8e6
Add Directory Traversal for RIPS Scanner
2015-03-27 05:08:43 -03:00
f996c5a888
Update description
2015-03-27 02:31:36 -05:00
67dc46791d
Limit the module to IE 8 and IE9
2015-03-27 02:30:04 -05:00
f88d9651b6
I don't think it's worth putting the js in ie_addons.js
2015-03-27 02:26:50 -05:00
bd2763292a
Properly credit Soroush Dalili
2015-03-26 23:36:16 -05:00
560f31c34d
Minor changes
2015-03-26 23:29:44 -05:00
68624dd56e
Final for ie_files_disclosure.rb
2015-03-26 22:49:22 -05:00
b0b17775c2
First working version
2015-03-26 21:53:26 -05:00
e0568e95c2
Land #4978 @zerosteiner adds reverse https for python meterpreter
2015-03-26 19:16:46 -05:00
955c0557e0
Land #4988 , Relative URL for ms14_064_ole_code_execution
2015-03-26 13:36:37 -05:00
d81a246660
target_uri
2015-03-26 12:16:20 +01:00
b7f469b747
feedback
2015-03-26 07:39:36 +01:00
10e8cefd6d
Pymet dont validate ssl certs for 2.7.9/3.4.3
2015-03-25 19:49:42 -04:00
68cb766681
Land #5007 , Ruby 1.9+ syntax
2015-03-25 16:11:53 -05:00
632879ceb6
Land #5001 , wp_easycart_privilege_escalation CVE
2015-03-25 13:54:44 -05:00
d84c48cb7d
Use newer hash syntax
2015-03-25 13:39:34 -05:00
72a0909e9b
Land #4992 , @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge
2015-03-25 13:30:36 -05:00
0540e25db2
Calculate the java/rmi/registry/RegistryImpl_Stub hash dinamically
2015-03-25 11:29:07 -05:00
356e8c727c
Add specs for Msf::Java::Rmi::Client::Jmx::Server
2015-03-24 18:56:58 -05:00
7a0fe05803
Add CVE-ID to module references
2015-03-24 22:30:43 +00:00
7bf00f8f47
Land #4789 , @rastating WPLMS wordpress module
2015-03-24 20:46:38 +01:00
39e87f927a
Make code consistent
2015-03-24 11:44:26 -05:00
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
7c456f2ad8
Land #4993 , ams_xfr "payload_exe" NameError fix
2015-03-24 00:51:49 -05:00
8255e7a2dc
Fix #4987 - undef payload_exe for ams_xfr
...
Fix #4987
2015-03-24 00:42:22 -05:00
3dac6377d0
Fix #4983 , bad copy pasta'd deprecation year
2015-03-24 00:34:54 -05:00
fadac30f00
Fix deprecated year
2015-03-24 00:34:38 -05:00
6353154865
Land #4983 , renamed WordPress modules
2015-03-23 23:49:40 -05:00
e338b77389
Readd and deprecate renamed WordPress modules
2015-03-23 23:48:56 -05:00
db243a8225
x360_video_player_set_text_bof actually uses SetText for ActiveX
2015-03-23 23:36:20 -05:00
3248f02c2c
These exploits use :activex, so I update the usage for them
2015-03-23 19:34:24 -05:00
04341bfc78
Support JMX_ROLE again
2015-03-23 17:32:26 -05:00
1869977921
Land #4962 : OJ adjusts MSF to new metsrv needs
...
bump meterpreter bins to 0.0.17
2015-03-23 17:18:06 -05:00
d8d4c23d60
JMX code refactoring
2015-03-23 17:06:51 -05:00
24d74b26e3
Beginning work for stageless x64 meterpreter
2015-03-24 06:50:06 +10:00
962bb670de
Remove old JMX mixin
2015-03-23 15:48:10 -05:00
89e27d98ab
Use relative URL to GET payload for WinXP
...
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE
2015-03-23 13:44:41 -05:00
156520338d
Making some changes to how BES handles ActiveX
2015-03-23 12:21:27 -05:00
79068c8ec2
Delete JMX discovery stream
2015-03-23 10:21:37 -05:00
b191f92713
Renamed WordPress files to fit majority naming convention.
2015-03-23 18:15:04 +11:00
9c9d333a1b
Create verify ssl mixin, adjust some formatting
2015-03-23 13:21:08 +10:00
2d1adf6ef4
Land #4923 , @m-1-k-3's exploit for overflow on belkin routers
2015-03-22 02:05:35 -05:00
ee74bb3c5b
The default concat operator should be ok
2015-03-22 02:05:02 -05:00
5499b68e02
Do code cleanup
2015-03-22 01:58:32 -05:00
a407bc8d65
Fix the reverse_https stager CachedSize for the spec
2015-03-21 13:05:44 -04:00
7282968d8a
Python reverse HTTPS stager
2015-03-21 12:43:14 -04:00
07b82ec640
Land #4974 , minishare_get_overflow WfsDelay change
2015-03-20 18:55:58 -05:00
859b54f8a3
Land #4956 , Qualys' Exim GHOST module
2015-03-20 18:44:30 -05:00
8c3e39acf0
Land #4847 @rastating's module for WordPress WP EasyCart privilege escalation
2015-03-20 18:23:05 -05:00
349d7cb9ee
Do minor cleanup
2015-03-20 18:20:45 -05:00
921b9eab8e
Update minishare_get_overflow.rb
...
set WfsDelay 30
2015-03-20 23:42:54 +01:00
4004771aed
Land #4972 , minishare_get_overflow targets
...
Windows 2003 SP1 English and Windows 2003 SP2 English.
2015-03-20 17:27:34 -05:00
6f51946aa0
Land #4969 , GitLab module references
2015-03-20 17:26:51 -05:00
99f3de0843
Clean up info hash formatting
2015-03-20 17:26:21 -05:00
505ecd32fb
Update minishare_get_overflow.rb
...
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
1226b3656f
Land #4945 , @wchen-r7's login scanner for Symantec web gateway
2015-03-20 14:44:05 -05:00
2f35fcff99
Fix require
2015-03-20 14:43:42 -05:00
8ee520e749
Add reference
2015-03-20 19:17:34 +00:00
b19f766728
Land #4942 , Gitlab Login Scanner
2015-03-20 13:02:12 -05:00
a2ce14a31e
Land #4941 , Gitlab Unauth User Enumeration
2015-03-20 12:28:35 -05:00
235124a40a
Fix typo
2015-03-20 12:27:23 -05:00
84164b44b2
Should also rescue JSON::ParserError for banner parsing
2015-03-20 12:27:02 -05:00
0c2ed21e90
Land #4318 , Lateral movement through PSRemoting
2015-03-20 11:39:35 -05:00
23d8479683
Fix typo
2015-03-20 11:39:00 -05:00
0da79edb9c
Add a print_status to let the user know the module is over
...
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
1b67a06d35
No banner var
2015-03-20 02:26:59 -05:00
b55ffc9ff1
Change option to FORCE_EXPLOIT
2015-03-20 01:44:10 -05:00
fd4ad9bd2e
Rework changes on top of HD's PR
...
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
7b4161bdb4
Update code to handle cert validation properly
...
This code contains duplication from HD's PR. Once his has been landed
this code can be fixed up a bit so that duplication is removed.
2015-03-20 12:52:47 +10:00
7eec88c086
Land #4957 , glassfish_login symbol cleanup
2015-03-19 21:20:33 -05:00
b839547dc3
Add documentation for Registry modules and methods
2015-03-19 17:57:21 -05:00
a7f1244251
Finish the java_rmi_registry gather module
2015-03-19 17:33:45 -05:00
94ab2f94fd
Remove symbols that aren't used
...
These symbols belong to the AuthBrute mixin, but we are not using
AuthBrute for login testing.
2015-03-19 14:14:01 -05:00
d8539ef91a
Change datastore option's description
2015-03-19 12:22:42 -05:00
a2ba81f84f
This should be true (required)
2015-03-19 11:54:03 -05:00
d8c8bd1669
Move the details to a wiki
2015-03-19 11:52:17 -05:00
5c3134a616
Add first support to gather information from RMI registries
2015-03-19 11:16:04 -05:00
7899881416
Update POSIX bins from master
2015-03-19 14:50:14 +10:00
1a2f35d806
Land #4951 : Dynamic URI generation for Java/Python reverse_http(s)
2015-03-19 12:41:20 +10:00
076f15f933
Land #4792 @jakxx Publish It PUI file exploit
2015-03-18 20:59:54 -04:00
3f8ed56a9a
Add available space to the payload info
2015-03-18 20:57:58 -04:00
6ceab3d02d
Add a DisclosureDate
2015-03-18 23:51:18 +00:00
968a8758ad
Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
...
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
b33e7f477c
Land #4947 , h0ng10's TWiki exploit.
2015-03-18 17:17:34 -05:00
346b1d539f
Revert Java back to static size for cache purposes (less cpu usage on startup)
2015-03-18 16:24:01 -05:00
33bbf7cb7e
Dynamic URI generation for python/java http(s) stagers
2015-03-18 16:08:11 -05:00
ae84c8ee30
Delete even more comments
2015-03-18 15:55:52 -05:00
f956ba1a46
Do first JMX cleaning try
2015-03-18 15:37:07 -05:00
7ae97393e0
fix x64/reverse_https stager shellcode
2015-03-18 15:34:31 -04:00
e943cb550f
Land #4585 : CVE-2015-0975 XXE in OpenNMS
2015-03-18 22:34:52 +10:00
d1a2f58303
Fix of regex for file capture and format tweaks
2015-03-18 22:17:44 +10:00
5dd718e4fa
Better description
2015-03-18 09:51:51 +01:00
00de437918
Initial commit
2015-03-18 09:45:08 +01:00
fa7242388b
Move the module to the correct location
2015-03-18 18:18:54 +10:00
b62da42927
Merge branch 'master' into feature/add-proxies-to-wininet
2015-03-18 01:51:15 -05:00
c607cf7b11
Merging master
2015-03-18 01:45:44 -05:00
ef443c83b9
Fix overgreed search/replace
2015-03-18 01:21:53 -05:00
f7a06d8e44
Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax
2015-03-18 01:15:32 -05:00
87a489907c
Place an IPv6 proxy IP between brackets
2015-03-18 01:01:16 -05:00
259db269bd
Remove user/pass and invalid class from the options
2015-03-18 01:01:16 -05:00
2ab14e7e79
Adds IPv6 and option-related issues with the previous patch
2015-03-18 01:01:10 -05:00
0601946830
Don't mandate and default PROXY_HOST (miscopy from the proxy stager)
2015-03-18 01:00:04 -05:00
85fb534e63
Fix up the offset detection again, cleanup redundant code
2015-03-18 00:59:25 -05:00
2f13988d7b
Use OptPort vs OptInt and cleanup the description
2015-03-18 00:59:25 -05:00
a01be365b0
Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
...
This also cleans up the windows reverse_https_proxy stager.
2015-03-18 00:59:13 -05:00
14be07a2c4
Update java_rmi_server modules
2015-03-17 21:29:52 -05:00
b197b7aaf0
Additional Updates
...
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
2015-03-17 19:24:13 -04:00
bd4738b93e
Land #4827 , capture and nbns fixups
2015-03-17 17:37:55 -05:00
d7fa0ec669
Let IPAddr#hton do the calculating
2015-03-17 17:36:45 -05:00
085e6cc815
Implemented Recommended Changes
...
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
1242404085
Delete comment
2015-03-17 14:18:07 -05:00
d1d6378179
Land #4566 , Misfortune Cookie scanner improvements
2015-03-17 12:32:35 -05:00
f95b783193
I don't need these eitehr
2015-03-17 11:33:49 -05:00
ebe7ad07b0
Add specs, plus modify java_rmi_server modules
2015-03-17 11:26:27 -05:00
0490af8ba8
Added error checks, randomness, and uuid delimeter
2015-03-17 10:20:22 -04:00
f3fc4003d0
typo
2015-03-17 10:19:40 -04:00
b92d243c0e
Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975
2015-03-17 10:18:32 -04:00
e0a7f531cc
Added error checking, randomness, uuid delimiters
2015-03-17 10:10:51 -04:00
e1ebc6c7fe
Update date, remove URL (will replace later)
2015-03-17 12:50:47 +00:00
0cd85cb052
Correct capitilzation of GitLab
2015-03-17 11:33:57 +00:00
d18224e3cb
Correct capitilzation of GitLab
2015-03-17 11:32:14 +00:00
f4a1e981ab
Add gitlab login scanner
2015-03-17 11:19:23 +00:00
878247f495
Small modifications
2015-03-17 10:03:32 +00:00
f1d5d8f1ce
Store to loot as well
2015-03-17 09:55:28 +00:00
jvazquez-r7
root
Brent Cook
OJ
scriptjunkie
Tod Beardsley
HD Moore
sinn3r
nullbind
David Maloney
Brandon Perry
h00die
Meatballs
root
William Vu
C-P
Roberto Soares
m-1-k-3
Spencer McIntyre
rastating
Christian Mehlmauer
andygoblins
aushack
Adam Ziaja
joev
rwhitcroft
Hans-Martin Münch (h0ng10)
jakxx
James Lee
jstnkndy