Commit Graph

16979 Commits (1ee850246a9bc0753ab092bf28d91a8e0002d71d)

Author SHA1 Message Date
William Vu 3dac6377d0
Fix #4983, bad copy pasta'd deprecation year 2015-03-24 00:34:54 -05:00
William Vu fadac30f00 Fix deprecated year 2015-03-24 00:34:38 -05:00
William Vu 6353154865
Land #4983, renamed WordPress modules 2015-03-23 23:49:40 -05:00
William Vu e338b77389 Readd and deprecate renamed WordPress modules 2015-03-23 23:48:56 -05:00
sinn3r db243a8225 x360_video_player_set_text_bof actually uses SetText for ActiveX 2015-03-23 23:36:20 -05:00
sinn3r 3248f02c2c These exploits use :activex, so I update the usage for them 2015-03-23 19:34:24 -05:00
jvazquez-r7 04341bfc78
Support JMX_ROLE again 2015-03-23 17:32:26 -05:00
Brent Cook 1869977921
Land #4962: OJ adjusts MSF to new metsrv needs
bump meterpreter bins to 0.0.17
2015-03-23 17:18:06 -05:00
jvazquez-r7 d8d4c23d60
JMX code refactoring 2015-03-23 17:06:51 -05:00
OJ 24d74b26e3 Beginning work for stageless x64 meterpreter 2015-03-24 06:50:06 +10:00
jvazquez-r7 962bb670de
Remove old JMX mixin 2015-03-23 15:48:10 -05:00
andygoblins 89e27d98ab Use relative URL to GET payload for WinXP
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
Tod Beardsley 21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE 2015-03-23 13:44:41 -05:00
sinn3r 156520338d Making some changes to how BES handles ActiveX 2015-03-23 12:21:27 -05:00
jvazquez-r7 79068c8ec2
Delete JMX discovery stream 2015-03-23 10:21:37 -05:00
aushack b191f92713 Renamed WordPress files to fit majority naming convention. 2015-03-23 18:15:04 +11:00
OJ 9c9d333a1b Create verify ssl mixin, adjust some formatting 2015-03-23 13:21:08 +10:00
jvazquez-r7 2d1adf6ef4
Land #4923, @m-1-k-3's exploit for overflow on belkin routers 2015-03-22 02:05:35 -05:00
jvazquez-r7 ee74bb3c5b
The default concat operator should be ok 2015-03-22 02:05:02 -05:00
jvazquez-r7 5499b68e02
Do code cleanup 2015-03-22 01:58:32 -05:00
Spencer McIntyre a407bc8d65 Fix the reverse_https stager CachedSize for the spec 2015-03-21 13:05:44 -04:00
Spencer McIntyre 7282968d8a Python reverse HTTPS stager 2015-03-21 12:43:14 -04:00
William Vu 07b82ec640
Land #4974, minishare_get_overflow WfsDelay change 2015-03-20 18:55:58 -05:00
William Vu 859b54f8a3
Land #4956, Qualys' Exim GHOST module 2015-03-20 18:44:30 -05:00
jvazquez-r7 8c3e39acf0
Land #4847 @rastating's module for WordPress WP EasyCart privilege escalation 2015-03-20 18:23:05 -05:00
jvazquez-r7 349d7cb9ee
Do minor cleanup 2015-03-20 18:20:45 -05:00
Adam Ziaja 921b9eab8e Update minishare_get_overflow.rb
set WfsDelay 30
2015-03-20 23:42:54 +01:00
William Vu 4004771aed
Land #4972, minishare_get_overflow targets
Windows 2003 SP1 English and Windows 2003 SP2 English.
2015-03-20 17:27:34 -05:00
William Vu 6f51946aa0
Land #4969, GitLab module references 2015-03-20 17:26:51 -05:00
William Vu 99f3de0843 Clean up info hash formatting 2015-03-20 17:26:21 -05:00
Adam Ziaja 505ecd32fb Update minishare_get_overflow.rb
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
jvazquez-r7 1226b3656f
Land #4945, @wchen-r7's login scanner for Symantec web gateway 2015-03-20 14:44:05 -05:00
jvazquez-r7 2f35fcff99
Fix require 2015-03-20 14:43:42 -05:00
Meatballs 8ee520e749
Add reference 2015-03-20 19:17:34 +00:00
sinn3r b19f766728
Land #4942, Gitlab Login Scanner 2015-03-20 13:02:12 -05:00
sinn3r a2ce14a31e
Land #4941, Gitlab Unauth User Enumeration 2015-03-20 12:28:35 -05:00
sinn3r 235124a40a Fix typo 2015-03-20 12:27:23 -05:00
sinn3r 84164b44b2 Should also rescue JSON::ParserError for banner parsing 2015-03-20 12:27:02 -05:00
sinn3r 0c2ed21e90
Land #4318, Lateral movement through PSRemoting 2015-03-20 11:39:35 -05:00
sinn3r 23d8479683 Fix typo 2015-03-20 11:39:00 -05:00
sinn3r 0da79edb9c Add a print_status to let the user know the module is over
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
sinn3r 1b67a06d35 No banner var 2015-03-20 02:26:59 -05:00
sinn3r b55ffc9ff1 Change option to FORCE_EXPLOIT 2015-03-20 01:44:10 -05:00
oj@buffered.io fd4ad9bd2e Rework changes on top of HD's PR
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ 7b4161bdb4 Update code to handle cert validation properly
This code contains duplication from HD's PR. Once his has been landed
this code can be fixed up a bit so that duplication is removed.
2015-03-20 12:52:47 +10:00
William Vu 7eec88c086
Land #4957, glassfish_login symbol cleanup 2015-03-19 21:20:33 -05:00
jvazquez-r7 b839547dc3 Add documentation for Registry modules and methods 2015-03-19 17:57:21 -05:00
jvazquez-r7 a7f1244251
Finish the java_rmi_registry gather module 2015-03-19 17:33:45 -05:00
sinn3r 94ab2f94fd Remove symbols that aren't used
These symbols belong to the AuthBrute mixin, but we are not using
AuthBrute for login testing.
2015-03-19 14:14:01 -05:00
sinn3r d8539ef91a Change datastore option's description 2015-03-19 12:22:42 -05:00
sinn3r a2ba81f84f This should be true (required) 2015-03-19 11:54:03 -05:00
sinn3r d8c8bd1669 Move the details to a wiki 2015-03-19 11:52:17 -05:00
jvazquez-r7 5c3134a616
Add first support to gather information from RMI registries 2015-03-19 11:16:04 -05:00
OJ 7899881416 Update POSIX bins from master 2015-03-19 14:50:14 +10:00
OJ 1a2f35d806
Land #4951: Dynamic URI generation for Java/Python reverse_http(s) 2015-03-19 12:41:20 +10:00
Spencer McIntyre 076f15f933
Land #4792 @jakxx Publish It PUI file exploit 2015-03-18 20:59:54 -04:00
Spencer McIntyre 3f8ed56a9a
Add available space to the payload info 2015-03-18 20:57:58 -04:00
Meatballs 6ceab3d02d
Add a DisclosureDate 2015-03-18 23:51:18 +00:00
sinn3r 968a8758ad Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
joev b33e7f477c
Land #4947, h0ng10's TWiki exploit. 2015-03-18 17:17:34 -05:00
HD Moore 346b1d539f Revert Java back to static size for cache purposes (less cpu usage on startup) 2015-03-18 16:24:01 -05:00
HD Moore 33bbf7cb7e Dynamic URI generation for python/java http(s) stagers 2015-03-18 16:08:11 -05:00
jvazquez-r7 ae84c8ee30
Delete even more comments 2015-03-18 15:55:52 -05:00
jvazquez-r7 f956ba1a46 Do first JMX cleaning try 2015-03-18 15:37:07 -05:00
rwhitcroft 7ae97393e0 fix x64/reverse_https stager shellcode 2015-03-18 15:34:31 -04:00
OJ e943cb550f
Land #4585 : CVE-2015-0975 XXE in OpenNMS 2015-03-18 22:34:52 +10:00
OJ d1a2f58303 Fix of regex for file capture and format tweaks 2015-03-18 22:17:44 +10:00
Hans-Martin Münch (h0ng10) 5dd718e4fa Better description 2015-03-18 09:51:51 +01:00
Hans-Martin Münch (h0ng10) 00de437918 Initial commit 2015-03-18 09:45:08 +01:00
OJ fa7242388b Move the module to the correct location 2015-03-18 18:18:54 +10:00
HD Moore b62da42927 Merge branch 'master' into feature/add-proxies-to-wininet 2015-03-18 01:51:15 -05:00
HD Moore c607cf7b11 Merging master 2015-03-18 01:45:44 -05:00
HD Moore ef443c83b9 Fix overgreed search/replace 2015-03-18 01:21:53 -05:00
HD Moore f7a06d8e44 Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax 2015-03-18 01:15:32 -05:00
HD Moore 87a489907c Place an IPv6 proxy IP between brackets 2015-03-18 01:01:16 -05:00
HD Moore 259db269bd Remove user/pass and invalid class from the options 2015-03-18 01:01:16 -05:00
HD Moore 2ab14e7e79 Adds IPv6 and option-related issues with the previous patch 2015-03-18 01:01:10 -05:00
HD Moore 0601946830 Don't mandate and default PROXY_HOST (miscopy from the proxy stager) 2015-03-18 01:00:04 -05:00
HD Moore 85fb534e63 Fix up the offset detection again, cleanup redundant code 2015-03-18 00:59:25 -05:00
HD Moore 2f13988d7b Use OptPort vs OptInt and cleanup the description 2015-03-18 00:59:25 -05:00
HD Moore a01be365b0 Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
This also cleans up the windows reverse_https_proxy stager.
2015-03-18 00:59:13 -05:00
jvazquez-r7 14be07a2c4
Update java_rmi_server modules 2015-03-17 21:29:52 -05:00
jakxx b197b7aaf0 Additional Updates
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
2015-03-17 19:24:13 -04:00
James Lee bd4738b93e
Land #4827, capture and nbns fixups 2015-03-17 17:37:55 -05:00
James Lee d7fa0ec669
Let IPAddr#hton do the calculating 2015-03-17 17:36:45 -05:00
jakxx 085e6cc815 Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7 1242404085
Delete comment 2015-03-17 14:18:07 -05:00
William Vu d1d6378179
Land #4566, Misfortune Cookie scanner improvements 2015-03-17 12:32:35 -05:00
sinn3r f95b783193 I don't need these eitehr 2015-03-17 11:33:49 -05:00
jvazquez-r7 ebe7ad07b0 Add specs, plus modify java_rmi_server modules 2015-03-17 11:26:27 -05:00
jstnkndy 0490af8ba8 Added error checks, randomness, and uuid delimeter 2015-03-17 10:20:22 -04:00
jstnkndy f3fc4003d0 typo 2015-03-17 10:19:40 -04:00
jstnkndy b92d243c0e Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975 2015-03-17 10:18:32 -04:00
jstnkndy e0a7f531cc Added error checking, randomness, uuid delimiters 2015-03-17 10:10:51 -04:00
Meatballs e1ebc6c7fe
Update date, remove URL (will replace later) 2015-03-17 12:50:47 +00:00
Meatballs 0cd85cb052
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00
Meatballs d18224e3cb
Correct capitilzation of GitLab 2015-03-17 11:32:14 +00:00
Meatballs f4a1e981ab
Add gitlab login scanner 2015-03-17 11:19:23 +00:00
Meatballs 878247f495
Small modifications 2015-03-17 10:03:32 +00:00
Meatballs f1d5d8f1ce
Store to loot as well 2015-03-17 09:55:28 +00:00
Meatballs 9f40826f8e Store creds in database 2015-03-17 09:17:08 +00:00
Meatballs 3830e71257 Catch 7.5 401 2015-03-17 09:17:08 +00:00
Meatballs 1b565b0290 Check revision 2015-03-17 09:17:07 +00:00
Meatballs 7216f2a971 Initial commit 2015-03-17 09:17:07 +00:00
sinn3r 14296826f7 A cleaner way to set datastore options 2015-03-17 03:07:49 -05:00
sinn3r ff58f7d270 Add Symantec Web Gateway Login Module 2015-03-17 02:51:57 -05:00
jvazquez-r7 0a37df67a0 Add initial support for better RMI calls 2015-03-16 23:44:16 -05:00
Brent Cook abb8a32e68 update spec for dynamic meterpreter payloads 2015-03-16 18:08:13 -05:00
Felix Wehnert 2a525958bd fixed typo
Does no one tested this script on x64 yet ?
2015-03-16 20:15:26 +01:00
HD Moore 2ea984423b while(true)->loop, use thread.join 2015-03-16 14:08:01 -05:00
William Vu ac0e23d783
Land #4932, hardcoded username fix
For mssql_escalate_execute_as_sqli.
2015-03-16 01:46:13 -05:00
HD Moore 7e89281485 Adds proxy (with authentication) support to reverse_http(s) 2015-03-16 00:03:31 -05:00
Scott Sutherland 00dbcc12ca Removed imp_user var from escalate_privs func 2015-03-15 22:02:12 -07:00
nullbind 5bebabb005 fixed hardcoded username 2015-03-15 19:45:02 -05:00
Sven Vetsch 4d3a1a2f71 fix all duplicated keys in modules 2015-03-14 13:10:42 +01:00
jvazquez-r7 bb81107e51 Land #4927, @wchen-r7's exploit for Flash PCRE CVE-2015-0318 2015-03-13 23:58:05 -05:00
sinn3r 3bfdfbc987 Small changes 2015-03-13 18:55:11 -05:00
jvazquez-r7 1ead57a80d
Land #4928, @h0ng10's local exploit for iPass Mobile Client 2015-03-13 16:58:45 -05:00
jvazquez-r7 9894a3dc54 Change module filename 2015-03-13 16:53:17 -05:00
jvazquez-r7 b4de3ce42b Do minor cleanup 2015-03-13 16:52:26 -05:00
Hans-Martin Münch (h0ng10) b0e730d5ae Typo 2015-03-13 20:41:14 +01:00
Hans-Martin Münch (h0ng10) 726f01b8cc Initial version 2015-03-13 20:33:45 +01:00
sinn3r 182850df30 Stick to Win 7 2015-03-13 12:41:05 -05:00
sinn3r 2b199315d4 Final 2015-03-13 12:30:41 -05:00
Brent Cook b68e05e536
Land #4914, @hmoore-r7 and @BorjaMerino winhttp stagers 2015-03-13 08:24:11 -05:00
OJ 35cfdf051a Add support for meterpreter_reverse_ipv6_tcp
New payload added, makes use of existing functionality.
2015-03-13 20:15:31 +10:00
William Vu a32cd2ae9e
Land #4877, CVE-2015-0240 (Samba) aux module 2015-03-13 00:03:53 -05:00
scriptjunkie 6011e8b3e1
Land #4918, Rework how payload prepends work 2015-03-12 18:56:04 -05:00
jvazquez-r7 75b2ef81dc
Land #4890, @julianvilas's improvements struts_code_exec_classloader 2015-03-12 17:25:00 -05:00
jvazquez-r7 b6146b1499 Use print_warning 2015-03-12 17:22:03 -05:00
jvazquez-r7 e035e6ce51
Land #4899, @h0ng10's exploit for iPass Open Mobile CVE-2015-0925 2015-03-12 16:42:52 -05:00
jvazquez-r7 7b7ebc20d7 Fix indentation 2015-03-12 16:41:41 -05:00
jvazquez-r7 da47d368e8 Do minor style cleaning 2015-03-12 16:35:48 -05:00
jvazquez-r7 a77078b555
Add X86 target 2015-03-12 16:34:44 -05:00
jvazquez-r7 1b20bc9dca
Land #4919, @wchen-r7's new reference for ie_uxss_injection 2015-03-12 15:30:37 -05:00
HD Moore b43893ad71
Lands #4903, corrects the return value used for the script path 2015-03-12 14:05:22 -05:00
m-1-k-3 819a49b28a msftidy again 2015-03-12 19:09:52 +01:00
m-1-k-3 2eab258a76 msftidy 2015-03-12 19:07:56 +01:00
m-1-k-3 ccf7314c8f msftidy 2015-03-12 19:05:21 +01:00
m-1-k-3 6fcab31997 ncc exploit CVE-2015-1187 - dir626l 2015-03-12 18:55:50 +01:00
sinn3r 220a26c5a4
Land #4907, CVE-2015-1427, elasticsearch groovy code injection 2015-03-12 11:28:24 -05:00
sinn3r ac24652196
Land #4911, CVE-2015-0096 (ms15_020_shortcut_icon_dllloader) 2015-03-12 10:51:56 -05:00
sinn3r 67d05f9354 Add the PR as a reference (how to guide) 2015-03-12 10:51:01 -05:00
sinn3r 0d36115112 Update MS15-018 MSB reference 2015-03-12 10:13:37 -05:00
HD Moore 744b1a680e Reworks how payload prepends work internally, see #1674 2015-03-12 02:30:06 -05:00
HD Moore f676dc03c8
Lands #4849, prevents the target from running out of memory during NTFS reads 2015-03-12 00:01:47 -05:00
jvazquez-r7 68d69177ad Add smb module for MS15-020 2015-03-11 23:46:50 -05:00
HD Moore 24440b8c38
Lands #4913, adds OSVDB reference to nvidia module 2015-03-11 23:32:22 -05:00
jvazquez-r7 a9fa2d25aa Add SMB module for MS10-046 2015-03-11 23:23:56 -05:00
OJ 345b5cc8e1 Add stageless meterpreter support
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transprots at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.

More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
HD Moore c3f2536ef6 Make the stager clear in the payload descriptions 2015-03-11 21:30:02 -05:00
HD Moore b105a88b95 Fix https convention 2015-03-11 21:26:31 -05:00
HD Moore 8bae58d631 Updated cache sizes 2015-03-11 21:25:12 -05:00
Tod Beardsley 99494328d2
Update Nvidia module with an OSVDB ref
The paper is really good, but could use a more traditional reference.

[See #4884]
2015-03-11 19:51:22 -05:00
jvazquez-r7 0e4e264325 Redo description 2015-03-11 18:19:28 -05:00
jvazquez-r7 4e6aca0209 refactor create_exploit_file 2015-03-11 18:13:09 -05:00
jvazquez-r7 5662e5c5a6 Add module for MS15-020 2015-03-11 17:29:02 -05:00
HD Moore 1135e5e073 First take on WinHTTP stagers, untested 2015-03-11 16:27:14 -05:00
HD Moore 7e3b4017f0 Rename and resynced with master, ready for refactoring 2015-03-11 14:36:27 -05:00
HD Moore ea1bc69e2e Merge branch 'master' into feature/add-reverse_winhttp-stagers 2015-03-11 14:29:34 -05:00
sinn3r 215c209f88
Land #4901, CVE-2014-0311, Flash ByteArray Uncompress UAF 2015-03-11 14:04:17 -05:00
sinn3r 43b90610b1 Temp 2015-03-11 13:53:34 -05:00
Brent Cook ceeee4446f
Land #4904, @hmoore-r7 reworks reverse_http/s stagers
They are now assembled dynamically and support more flexible options,
such as long URLs.
2015-03-11 10:41:59 -05:00
sinn3r 2a9d6e64e2 Starting point for CVE-2015-0318 2015-03-11 09:58:41 -05:00
HD Moore ad39adf9c2 Missing comma 2015-03-11 00:49:07 -05:00
HD Moore a89926b663 Exclude vncinject from http stagers (depends on sockedi) 2015-03-11 00:46:04 -05:00
jvazquez-r7 8a452a7cba Do somce cleanup 2015-03-10 17:10:44 -05:00
Brent Cook 9ade107325 disable reverse_http methods from upexec and shell payloads
These don't work over http and don't appear to have ever, as far back as
I could test. They appear to be an accident perhaps.
2015-03-10 17:08:58 -05:00
jvazquez-r7 4a84693fb0 Support windows 2015-03-10 16:58:33 -05:00
jvazquez-r7 c26bea3429 Fix credits 2015-03-10 16:27:07 -05:00
jvazquez-r7 980c83cb70 Fix metadata 2015-03-10 16:25:02 -05:00
jvazquez-r7 9e17874389 Exploit CVE-2015-1427 2015-03-10 16:17:51 -05:00
HD Moore db351317a5 Merge with PR branch 2015-03-10 14:08:35 -05:00
HD Moore 0f763c2cb3 First step to reworking the winhttp stagers 2015-03-10 14:07:25 -05:00
Borja Merino 991e72a4fa HTTP stager based on WinHttp 2015-03-10 13:40:16 -05:00
HD Moore 966848127a Refactor x86 Windows reverse_http and reverse_https stagers 2015-03-10 12:48:30 -05:00
m-1-k-3 64f769504b encoding 2015-03-10 17:47:15 +01:00
m-1-k-3 6657c7d11d Belkin - CVE-2014-1635 2015-03-10 16:49:51 +01:00
jvazquez-r7 f8f178b1db Fix script_mvel_rce check 2015-03-10 09:39:02 -05:00
jvazquez-r7 9dc99e4207 Update check 2015-03-10 09:26:22 -05:00
Sigurd Jervelund Hansen c6cb1e840d Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...". 2015-03-10 10:26:03 +01:00
Brent Cook 97f09b6ab0
Land #4894: hmoore-r7 cache payload sizes on start
Avoid the hit of regenerating all of the static-size payloads when
loading the framework. This will facilitate conversion of payloads to
use metasm later.
2015-03-09 23:06:55 -05:00
jvazquez-r7 fc4b312879 Add template 2015-03-09 23:04:32 -05:00
Julian Vilas fe822f8d33 Modify automatic file cleanup 2015-03-10 00:45:20 +01:00
Julian Vilas 0ef303cb6c Fix Java payload 2015-03-10 00:01:27 +01:00
HD Moore 618fbf075a Update CachedSize for the fixed stager 2015-03-09 16:57:14 -05:00
HD Moore 746f18d9bb Fallback to a localhost variant to make the length predictable 2015-03-09 16:56:25 -05:00
jvazquez-r7 78167c3bb8 Use single quotes when possible 2015-03-09 16:55:21 -05:00
HD Moore 6543c3c36f Update CachedSize for the fixed stager 2015-03-09 16:54:57 -05:00
HD Moore c676ac1499 Fallback to a localhost variant to make the length predictable 2015-03-09 16:53:28 -05:00
jvazquez-r7 cb72b26874 Add module for CVE-2014-0311 2015-03-09 16:52:23 -05:00
HD Moore d0324e8ad3 Final cleanup, passing specs 2015-03-09 15:50:57 -05:00
HD Moore da81f6b2a0 Correct the :dynamic cache sizes 2015-03-09 15:44:14 -05:00
HD Moore 02509d02e4 The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 15:31:04 -05:00
Hans-Martin Münch (h0ng10) bba4223d68 Initial commit 2015-03-09 16:36:11 +01:00
Tod Beardsley df80d56fda
Land #4898, prefer URI to open-uri 2015-03-09 09:14:10 -05:00
William Vu 3075c56064 Fix "response HTML" message
In modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb.
2015-03-07 17:08:08 -06:00
Julian Vilas 2eb0011a99 Autotrigger JSP shell at docBase 2015-03-07 20:41:08 +01:00
Julian Vilas 3be2bde5a2 Use bypass for bulletin S2-020 2015-03-07 19:14:20 +01:00
joev d7295959ca Remove open-uri usage in msf. 2015-03-05 23:45:28 -06:00
jvazquez-r7 2134cc3d22
Modify description 2015-03-05 16:55:24 -06:00
jvazquez-r7 7b4776ee79 Deregister FOLDER_NAME 2015-03-05 16:42:07 -06:00
jvazquez-r7 1bc81ea723
Merge #4884 into updated master 2015-03-05 16:41:15 -06:00
Meatballs 33f089b1a5
Tidyup 2015-03-05 21:50:12 +00:00
jvazquez-r7 9f3f8bb727
Merging #3323 work 2015-03-05 15:44:15 -06:00
jvazquez-r7 c388fd49c2 Fix print message 2015-03-05 15:43:54 -06:00
jvazquez-r7 dd2559b748 Favor new target over new module 2015-03-05 15:41:53 -06:00
jvazquez-r7 e1a4b046a0 Add support for tomcat 7 to struts_code_exec_classloader 2015-03-05 15:40:24 -06:00
Meatballs c56679f33e
Modify for new SMB mixin 2015-03-05 21:26:13 +00:00
Tod Beardsley e429d4c04f Add reference and description for PTH on Postgres
Dave and William did most of the work already over on PR #4871, this
just points it out in the module.
2015-03-05 14:36:56 -06:00
sinn3r 16c86227e2 Change to OptBool and default to explicit 2015-03-05 13:07:03 -06:00
jvazquez-r7 de08d8247b Do some module cleanup 2015-03-05 13:00:01 -06:00
jvazquez-r7 82659aba93 Populate metadata from code to make test easier 2015-03-05 12:40:20 -06:00
jvazquez-r7 dc02f8332f Pass msftidy 2015-03-05 12:29:31 -06:00
jvazquez-r7 a06eb04d59 Deregister FOLDER_NAME on exploit modules 2015-03-05 12:27:12 -06:00
sinn3r cb9922ad39
Land #4874, Add PHPMoAdmin command injection 2015-03-05 11:30:44 -06:00
sinn3r 8978b1d7b5 Add a version 2015-03-05 11:29:44 -06:00
Ricardo Almeida 32188f09d6 Update phpmoadmin_exec.rb
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
Ricardo Almeida 95962aab0d Update phpmoadmin_exec.rb
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.

Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
aushack 2f4df39dc9 Fixed typo 2015-03-05 17:40:51 +11:00
sinn3r d40e7485dd Add CVE-2015-0240 auxiliary module 2015-03-04 23:50:14 -06:00
jvazquez-r7 e715eaba58 Update description 2015-03-04 16:39:27 -06:00
jvazquez-r7 e155f2998e Change module filename 2015-03-04 16:38:08 -06:00
jvazquez-r7 77abd57397 Do code cleanup 2015-03-04 16:37:31 -06:00
jvazquez-r7 22ff4d0097 Update with master changes 2015-03-04 16:30:19 -06:00
jvazquez-r7 e7de09df29 Change module filename 2015-03-04 16:18:45 -06:00
jvazquez-r7 1337b7ace8 Clean module 2015-03-04 16:18:10 -06:00
Ricardo Almeida 9530e15c81 Update phpmoadmin_exec.rb
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
jvazquez-r7 d4738d8c0a
Update #3076 branch 2015-03-04 15:51:00 -06:00
Ricardo Almeida c19895ac85 Update phpmoadmin_exec.rb
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
jvazquez-r7 5cc9ea3618 Update with master changes 2015-03-04 15:16:12 -06:00
William Vu a64dd4a1af
Land #4871, Postgres PTH support
MSP-12244
2015-03-04 15:08:57 -06:00
David Maloney 2d46c06b97
Merge branch 'master' into feature/MSP-12244/postgres-pass-the-hash 2015-03-04 13:56:10 -06:00
jvazquez-r7 fa9d921138 Beautify description 2015-03-04 13:07:10 -06:00
jvazquez-r7 8fdb7a798e Change module filename 2015-03-04 13:01:06 -06:00
jvazquez-r7 36375fab28 Fix downcase path handling 2015-03-04 12:58:41 -06:00
jvazquez-r7 62dde22d88 Clean packet building 2015-03-04 12:27:58 -06:00
Ricardo Almeida 4d67e0e1bb Add PHPMoAdmin RCE 2015-03-04 18:17:31 +00:00
jvazquez-r7 e04ff3ee24 Delete CMD option 2015-03-04 11:51:58 -06:00
jvazquez-r7 d4337ce1ae Do minor metadata cleanup 2015-03-04 11:46:01 -06:00
jvazquez-r7 1371cfe025 Test landing #4451 2015-03-04 11:20:07 -06:00
jvazquez-r7 aaab4b401a Fix indenting and use primer 2015-03-04 10:46:34 -06:00
jvazquez-r7 0e57277dc1 Do cleanup 2015-03-04 10:33:57 -06:00
jvazquez-r7 b9ed8178a9 Solve conflicts on ms13_071_theme 2015-03-04 10:28:52 -06:00
Matthew Hall 4757698c15 Modify primer to utilise file_contents macro. 2015-03-04 09:52:00 +00:00
Matthew Hall a90ebfe9a7 Modify primer to utilise file_contents macro. 2015-03-04 09:51:32 +00:00
Matthew Hall dfb6711ad7 Modify primer to utilise file_contents macro. 2015-03-04 09:51:01 +00:00
Matthew Hall a5d748d19e Modify primer to utilise file_contents macro. 2015-03-04 09:50:28 +00:00
Matthew Hall 0d56f5b6e6 Modify primer to utilise file_contents macro. 2015-03-04 09:49:17 +00:00
jvazquez-r7 80b76436bb
Land #4831, @wchen-r7's update for MS14-064 exploit
* Support Windows XP with VBScript technique
2015-03-03 19:19:49 -06:00
sinn3r 7591e9ece3 Unbreak the comment 2015-03-03 19:14:18 -06:00
sinn3r 79e7bf7f9c Update comments and description 2015-03-03 19:13:15 -06:00
David Maloney c8f23b2903
fix jtr_postgres_fast too
the JtR hash cracker for postgres hashes now uses
the new PostgresMD5 class for finding it's hashes

MSP-12244
2015-03-03 18:46:47 -06:00
David Maloney 199c3ba96c
postgres hashdump now stores PostgresMD5 objects
instead of nonreplayabke hashes the postgres_hashdump
aux module now saves them approriately as PostgresMD5s
with the md5 tag intact at the front

MSP-12244
2015-03-03 16:45:13 -06:00
William Vu a648e74c4b Remove unnecessary semicolon 2015-03-02 15:36:45 -06:00
William Vu 80169de4d0 Remove -i from shell in reverse_python 2015-03-02 15:29:50 -06:00
William Vu ecd7ae9c3b
Land #4857, symantec_web_gateway_restore module 2015-03-02 15:00:10 -06:00
sinn3r ad28f9767f Use include 2015-03-02 14:41:25 -06:00
sinn3r cb140434f9 Update 2015-03-02 12:59:21 -06:00
sinn3r 5f3ed83922
Land #4836, Solarwinds Core Orion Service SQL injection 2015-03-02 11:44:26 -06:00
OJ 905a539a00 Add exploit for Seagate Business NAS devices
This module is an exploit for a pre-authenticated remote code execution
vulnerability in Seagate Business NAS products.
2015-03-01 13:25:28 +10:00
Brandon Perry f8e3874203 add nil check 2015-02-28 20:43:19 -06:00
sinn3r 4a1fbbdc3b Use datastore to find payload name 2015-02-28 19:56:32 -06:00
sinn3r ef9196ba6c Correct comment 2015-02-27 13:27:49 -06:00
sinn3r 7b6c39058a Correct target name 2015-02-27 13:24:57 -06:00
sinn3r 90aff51676 Add CVE-2014-7285, Symantec Web Gateway restore.php Command Injection 2015-02-27 12:31:29 -06:00
Bazin Danil 1d03b9a166 Maj debug output 2015-02-26 21:06:20 +01:00
rastating 3b21de3906 Add WPVDB reference 2015-02-26 13:37:23 +00:00
Brandon Perry ceb92cdf5e update login method 2015-02-26 07:33:51 -06:00
William Vu f24da1b178 Add file checking to printer_delete_file 2015-02-25 18:14:13 -06:00
William Vu dc3ba40e5d Add file checking to printer_upload_file 2015-02-25 18:13:36 -06:00
William Vu 513d11ce93 Complete replacement of "pathname" with "path"
See e8c2c3687d.
2015-02-25 15:52:26 -06:00
William Vu b3d4fc798f Add printer_delete_file module 2015-02-25 15:47:53 -06:00
William Vu 90d179e56f Add printer_upload_file module 2015-02-25 15:01:01 -06:00
William Vu 3cf94740e6
Land #4817, CHECK_TCP option for Lantronix module 2015-02-25 13:16:14 -06:00
William Vu d301752a88 Fix whitespace 2015-02-25 13:16:03 -06:00
rastating e2dfdd60c0 Update version range 2015-02-25 19:11:15 +00:00
rastating 242d3b8680 Add WP EasyCart privilege escalation module 2015-02-24 21:11:22 +00:00
Tod Beardsley 94b4bc24bd
Minor word choice changes
[See #4804]
2015-02-24 12:29:11 -06:00
Tod Beardsley 6feae9524b
Fix up funny indent on description
[See #4770]
2015-02-24 12:25:48 -06:00
Brandon Perry 1134b0a6fa fix dataastore to datastore 2015-02-24 10:34:33 -06:00
Brent Cook cf913e521c
Land #4832 @wvu-r7 remove and merge duplicate hash key initializers 2015-02-24 08:38:09 -06:00
BAZIN-HSC a0ba078801 add debug output 2015-02-24 14:15:30 +01:00
William Vu 5cdb678654 Fix invalid use of RPORT (should be RHOST) 2015-02-24 05:24:09 -06:00
William Vu f3cad229d3 Fix duplicate hash key "References"
In modules/auxiliary/scanner/http/http_login.rb.
2015-02-24 05:19:58 -06:00
William Vu aa1e1a5269 Fix duplicate hash key "Platform"
In modules/exploits/windows/mssql/mssql_linkcrawler.rb.
2015-02-24 05:19:56 -06:00
William Vu 57642377cc Fix duplicate hash key "MinNops"
In modules/exploits/windows/backupexec/name_service.rb.
2015-02-24 05:19:55 -06:00
William Vu f2c96b4fdd Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/ntr_activex_stopmodule.rb.
2015-02-24 05:19:54 -06:00
William Vu b671c9b496 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb.
2015-02-24 05:19:53 -06:00
William Vu 2e90f266fa Fix duplicate hash key "massage_array"
In modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb.
2015-02-24 05:19:52 -06:00
William Vu e618c2f112 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb.
2015-02-24 05:19:51 -06:00
William Vu 2ffa368c18 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/ntr_activex_check_bof.rb.
2015-02-24 05:19:50 -06:00
William Vu a8f0af4409 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/cisco_playerpt_setsource.rb.
2015-02-24 05:19:49 -06:00
William Vu ff73b4d51a Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/local/pxeexploit.rb.
2015-02-24 05:19:48 -06:00
William Vu 53e45498ca Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb.
2015-02-24 05:19:47 -06:00
William Vu 943ff2da75 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/http/hp_pcm_snac_update_domain.rb.
2015-02-24 05:19:46 -06:00
William Vu 6aa3952c91 Fix duplicate hash key "Platform"
In modules/exploits/windows/scada/winlog_runtime_2.rb.
2015-02-24 05:19:45 -06:00
sinn3r 8d17aa04ee Update the title too 2015-02-24 00:46:35 -06:00
sinn3r 578a545b22 Update MS14-064 for Windows XP 2015-02-23 23:08:13 -06:00
William Vu 8c5ff858d0
Land #4812, hp_sys_mgmt_login configurable URIs 2015-02-23 19:04:14 -06:00