a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
32c27f6be0
Tweak timeouts.
2014-03-04 17:16:23 -06:00
40047f01d3
Adds Safari User Assisted download launch module.
2014-03-04 17:02:51 -06:00
e30238fe0d
Land #3062 , unused arg fix for vmware_mount
2014-03-04 11:37:41 -06:00
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
a005d69b16
Fix $PATH issues. Add FileDropper functionality
2014-03-02 20:43:17 +02:00
e6c1dd3f9e
Switch post module to fixed exploit module.
2014-03-02 17:42:48 +02:00
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
17272acb27
Fix module code per recommendations
2014-03-01 00:53:24 +02:00
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
15345da9d8
remove the wget module, remove the cmd stuff, testing bind stuff ahead
2014-02-28 22:44:26 +01:00
ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet
2014-02-28 14:10:55 -06:00
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
fd4457fce8
Add AIX 6.1/7.1 ibstat $PATH Local Privilege Escalation
2014-02-27 23:56:49 +02:00
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
2935f4f562
CMD target
2014-02-24 18:12:23 +01:00
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
0126e3fcc8
cleanup
2014-02-23 21:17:32 +01:00
dbbd080fc1
a first try of the cmd stager, wget in a seperated module included
2014-02-23 20:59:17 +01:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
3a8de6e124
replaced rhost by peer
2014-02-18 21:01:50 +01:00
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
66e2148197
linksys themoon command execution exploit
2014-02-18 19:43:47 +01:00
4dda7e6bad
linksys themoon command execution exploit
2014-02-18 19:42:50 +01:00
57449ac719
Adds working shellcode exec local exploit.
2014-02-17 15:31:45 -06:00
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec
2014-02-14 17:16:27 -06:00
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
745f313413
Remove @nmonkee as author per twitter convo
2014-02-13 14:41:10 -06:00
371f23b265
Unbreak the URL refs add nmonkee as ref and author
...
While @nmonkee didn't actually contribute to #2942 , he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.
Also added a ref to @nmonkee's thing.
@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
ff267a64b1
Have into account the Content-Transfer-Encoding header
2014-02-12 12:40:11 -06:00
45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb
2014-02-12 11:14:25 -06:00
a59ce95901
Land #2970 , @sgabe exploit for CVE-2010-2343
2014-02-12 08:10:53 -06:00
9845970e12
Use pop#ret to jump over the overwritten seh
2014-02-12 08:10:14 -06:00
11513d94f5
Add Juan as author
2014-02-12 12:17:02 +01:00
3283880d65
Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
...
This partially reverts commit 12471660e9
2014-02-12 12:09:16 +01:00
7195416a04
Increase the size of the NOP sled
2014-02-12 02:35:53 +01:00
3f09456ce8
Minor code formatting
2014-02-11 23:53:04 +01:00
7fc3511ba9
Remove unnecessary NOPs
2014-02-11 23:48:54 +01:00
12471660e9
Replace unnecessary NOP sled with random text
2014-02-11 23:48:04 +01:00
184ccb9e1e
Fix payload size
2014-02-11 23:42:58 +01:00
783e62ea85
Applied changes from @wchen-r7's comments
2014-02-11 10:14:52 -08:00
3717374896
Fix and improve reliability
2014-02-11 10:44:58 -06:00
51df2d8b51
Use the fixed API on the mediawiki exploit
2014-02-11 08:28:58 -06:00
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
e8a3984c85
Fix ROP NOP address and reduce/remove NOPs
2014-02-11 00:29:37 +01:00
e6905837eb
Land #2960 , rand_text_alpha for amaya_bdo
2014-02-10 16:44:11 -06:00
13fadffe7e
Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial
2014-02-10 13:44:30 -08:00
a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-10 21:43:56 +00:00
1236a4eb07
Fixup on description and some option descrips
2014-02-10 14:41:59 -06:00
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
08b6f74fb4
Add module for CVE-2010-2343
2014-02-10 20:46:09 +01:00
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
8ece4a7750
Delete debug print
2014-02-10 08:57:45 -06:00
57320a59f1
Do small clean up for mediawiki_thumb pr
2014-02-10 08:57:09 -06:00
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
c96116b193
Land #2949 - Add module Kloxo SQLi
2014-02-08 13:45:11 -06:00
32c02dd56a
Added some randomness
2014-02-08 11:27:25 +08:00
dcff06eba1
More verbose failure messages
2014-02-07 23:59:28 +00:00
66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec
2014-02-07 17:41:35 -06:00
bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell)
2014-02-07 17:39:06 -06:00
783a986a19
Windows and auto target up and running
2014-02-07 23:26:57 +00:00
a0f47f6b2b
Correct error check logic
2014-02-07 22:06:53 +00:00
443a51bbf5
Undo revert from merge
2014-02-07 21:28:04 +00:00
56359aa99f
Merge changes from other dev machine
2014-02-07 21:22:44 +00:00
a4cc75bf98
Potential .pdf support
2014-02-07 20:37:44 +00:00
e13520d7fb
Handle a blank filename
2014-02-07 20:15:32 +00:00
103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-07 20:07:04 +00:00
c679b1001b
Make pring_warning verbose
2014-02-07 10:23:07 -06:00
2d93b38e2a
Fixed java_signed_applet for Java 7u51
2014-02-07 16:29:50 +01:00
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
a18de35fa7
Add module for ZDI-14-011
2014-02-06 18:25:36 -06:00
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
4b37cc7243
Land #2927 , PandoraFMS anyterm exploit
2014-02-06 15:22:23 -06:00
4236abe282
Better SIGHUP handling
2014-02-06 15:21:54 -06:00
19fff3c33e
Land #2942 , @jvennix-r7's Android awesomesauce
...
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
362e937c8d
Forgot to push local changes.
2014-02-06 11:47:35 -06:00
0dc2ec5c4d
Use BrowserExploitServer mixin.
...
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
fdb954fdfb
Report credentials
2014-02-05 14:37:33 -06:00
631559a2e8
Add module for Kloco SQLi
2014-02-05 14:18:56 -06:00
553616b6cc
Add URL for browser exploit.
2014-02-04 17:04:06 -06:00
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
23fc73924e
Msftidy it up.
2014-02-04 14:24:36 -06:00
a58698c177
Land #2922 , multithreaded check command
2014-02-04 11:21:05 -06:00
0a3cb3377f
AppendEncoder
2014-02-04 15:41:10 +00:00
26c506da42
Naming of follow method
2014-02-04 15:25:51 +00:00
f5fa3fb5ce
Windows compat, fixed PHP-CLI
2014-02-04 14:27:10 +00:00
64d11e58c2
Use semicolon for win compat
2014-02-04 13:53:33 +00:00
700e09f386
Wording tweak.
2014-02-04 02:55:10 -06:00
bbabd72b0e
Whitespace tweaks.
2014-02-04 02:52:52 -06:00
eb6a5a4c19
Tweak checks.
2014-02-04 02:49:44 -06:00
4923a93974
Tweak description.
2014-02-04 02:47:49 -06:00
37479884a5
Add browserautopwn support.
2014-02-04 02:32:12 -06:00
eba3a5aab0
More accurate description.
2014-02-04 01:44:39 -06:00
177bd35552
Add webview HTTP exploit.
2014-02-04 01:37:09 -06:00
2fd8257c7e
Use bperry's trigger
2014-02-04 00:51:34 +00:00
a8ff6eb429
Refactor send_request_cgi_follow_redirect
2014-02-03 21:49:49 +00:00
83925da2f1
Refactor form_data code
2014-02-03 21:16:58 +00:00
7e2a9a7072
More desc fixes, add a vprint to give a hint
2014-02-03 13:18:52 -06:00
d34020115a
Fix up on apache descs and print_* methods
2014-02-03 13:13:57 -06:00
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
50f860757b
Changes made to pandora_fms_exec module as requested
2014-02-03 14:10:27 +07:00
67c18d8d2d
I had a problem, then I used regex.
2014-02-02 22:19:54 +00:00
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
57f4998568
Better failures and handle unconfigured server
2014-02-02 16:26:22 +00:00
9fa9402eb2
Better check and better follow redirect
2014-02-02 16:07:46 +00:00
0d3a40613e
Add auto 30x redirect to send_request_cgi
2014-02-02 15:03:44 +00:00
8b33ef1874
Not html its form-data...
2014-02-02 13:57:29 +00:00
7ddc6bcfa5
Final tidyup
2014-02-01 01:05:02 +00:00
486a9d5e19
Use msf branded djvu
2014-02-01 00:37:28 +00:00
fd1a507fda
Rename file
2014-02-01 00:27:32 +00:00
700c6545f0
Polished
2014-02-01 00:26:55 +00:00
a5bff638c5
Remove EOL spaces
2014-01-31 15:01:03 -06:00
5a883a4477
updated
2014-01-31 21:59:26 +01:00
7fa1522299
Initial commit
2014-01-31 18:51:18 +00:00
b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution
2014-01-31 12:06:58 -06:00
60ead5de43
Explain why we flag the vuln as "Appears" instead of vulnerable
2014-01-31 12:05:58 -06:00
2fca2da9f7
Add an vprint message on check
2014-01-31 11:57:20 -06:00
356692f2f5
Land #2923 , @rangercha tomcat deploy module compatible with tomcat8
2014-01-31 10:53:53 -06:00
a010748056
Land #2924 , @xistence's exploit for CVE-2014-1683
2014-01-31 09:20:10 -06:00
710902dc56
Move file location
2014-01-31 09:18:59 -06:00
810605f0b7
Do final cleanup for the skybluecanvas exploit
2014-01-31 09:17:51 -06:00
32c5d77ebd
Land #2918 , @wvu's fix for long argument lists
2014-01-31 08:49:22 -06:00
f6291eb9a8
updated
2014-01-31 14:33:18 +01:00
ffd8f7eee0
Changes as requested in SkyBlue Canvas RCE module
2014-01-31 12:52:48 +07:00
93db1c59af
Do small fixes
2014-01-30 17:16:43 -06:00
9daacf8fb1
Clean exploit method
2014-01-30 16:58:17 -06:00
4458dc80a5
Clean the find_csrf mehtod
2014-01-30 16:39:19 -06:00
697a86aad7
Organize a little bit the code
2014-01-30 16:29:45 -06:00
50317d44d3
Do more easy clean
2014-01-30 16:23:17 -06:00
1a9e6dfb2a
Allow check to detect platform and arch
2014-01-30 15:17:20 -06:00
b2273dce2e
Delete Automatic target
...
It isn't usefull at all, when auto targeting is done, the payload (java platform and arch)
has been already selected.
2014-01-30 15:04:08 -06:00
cebbe71dba
Do easy cleanup of exploit
2014-01-30 14:42:02 -06:00
c336133a8e
Do a first clean related to auto_target
2014-01-30 14:27:20 -06:00
57b8b49744
Clean query_manager
2014-01-30 14:20:02 -06:00
148e51a28b
Clean metadata and use TARGETURI
2014-01-30 14:03:52 -06:00
56287e308d
Clean up unused variables
2014-01-30 11:20:21 -06:00
e7ab77c736
added module for Oracle Forms and Reports
2014-01-30 14:45:17 +01:00
9a929e75e4
Added Pandora FMS RCE
2014-01-29 12:46:23 +07:00
bac6e2a3e1
added SkyBlueCanvas CMS 1.1 r248-03 RCE
2014-01-28 11:06:25 +07:00
OJ
Joe Vennix
William Vu
James Lee
sinn3r
David Maloney
sgabe
Meatballs
Tod Beardsley
Sagi Shahar
bcoles
Michael Messner
jvazquez-r7
Fr330wn4g3
xistence
Philip OKeefe
Mekanismen
Jovany Leandro G.C
bwall
Spencer McIntyre
David Maciejak
grimmlin