c0e682b518
Land #3225 , @wvu-r7's and @hmoore-r7's improvements for openssl_heartbeat_client_memory
2014-04-09 17:39:04 -05:00
ccdc5bd281
Switch to get since @wvu-r7 also tested successfully with get
2014-04-09 17:30:00 -05:00
b905aece38
Fix job not backgrounding
2014-04-09 17:03:57 -05:00
ed247498b6
Make TLS negotiation optional
2014-04-09 17:03:38 -05:00
b0b979ce62
Meterpreter sessions won't get root in this way
2014-04-09 16:59:12 -05:00
a2ce2bfa56
Fix disclosure date
2014-04-09 16:41:49 -05:00
ff232167a6
Add module for eScan command injection
2014-04-09 16:39:06 -05:00
2de210f1c3
Land #3216 - Update @Meatballs1 and @FireFart in authors.rb
2014-04-09 16:38:10 -05:00
f56f34fb69
Land #3212 , @hmoore-r7's client-side Heartbleed
2014-04-09 15:42:36 -05:00
a86a8fed05
Changed heartbleed jabber implementation to match openssl s_client
...
see here for example implementation:
https://github.com/openssl/openssl/blob/master/apps/s_client.c#L1719
2014-04-09 22:20:32 +02:00
2f9a400efa
vprint_status the other message message
2014-04-09 15:11:02 -05:00
84ce72367b
Make the output less verbose
2014-04-09 14:57:51 -05:00
856ad7e83d
heartbleed - Better output on wrong jabber domain and add. nil? check
2014-04-09 21:53:17 +02:00
7a424784f8
Change default TLS Version to 1.0
...
Canonical testing shows this to be more widely supported, and yielding far more vulnerable hosts. Changing default to reflect that.
Experience of others in #metasploit seems similar.
2014-04-09 13:45:00 -05:00
fec089d88d
Land #3219 , openssl_heartbleed XMPP fix from @natronkeltner
2014-04-09 20:42:55 +02:00
e2b50d3709
fix openssl_heardbleed
...
-) XMPP Domain now configurable
-) Missing get_once to initiate the TLS connection
2014-04-09 20:39:33 +02:00
5696e52fac
Fix jabber to field
2014-04-09 13:48:45 -05:00
28a471e446
Land #3221 , @Firefart's fix for pop3 starttls
2014-04-09 13:31:45 -05:00
bea810b5d6
Add jabber fix from @natronkeltner
2014-04-09 13:11:45 -05:00
fdf4776142
Land #3217 , @todb-r7's title fix for Hearbleed module
2014-04-09 12:10:13 -05:00
157fb5a905
Make title more searchable
2014-04-09 12:08:35 -05:00
58f4a1c085
Usee loop do instead or while true
2014-04-09 11:48:45 -05:00
eb9d3520be
Land #3208 - Sophos Web Protection Appliance Interface Authenticated Exec
2014-04-09 11:30:59 -05:00
76a9381b2a
Make the title of the Heartbleed module searchable
...
Right now, the title does not actually tie the Heartbeat check to the
Heartbleed attack, so people searching strictly on module title are not
going to get a hit for this module.
2014-04-09 11:03:01 -05:00
bc36b9ebd6
Delete server side PoCs as referecences because don\'t apply here
2014-04-09 10:58:59 -05:00
fd90203120
Change some variable names to make code reading easier
2014-04-09 10:56:50 -05:00
899a7c9ea4
heartbleed bugfix for pop3
2014-04-09 17:51:44 +02:00
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
3849d1517f
Restore author credit
2014-04-09 09:42:39 -05:00
e154d175e8
Add @hmoore-r7's heartbeat client side module
2014-04-09 09:38:11 -05:00
8d38087a10
Fix case / when indention
2014-04-09 09:12:55 -05:00
0e0fd20f88
Added RFC link
2014-04-09 15:19:29 +02:00
a0a5b9faa1
Fix heartbleed module
...
-) incorrect length read
-) Parse TLS errors
2014-04-09 15:08:24 +02:00
8428b37e59
move file to .rb ext
2014-04-09 05:17:14 -07:00
a93e22b5c0
Land #3209 , @Firefart's heartbleed's module fix
2014-04-09 06:38:06 -05:00
9c159f0aa3
Land #3210 , typo in openssl_heartbleed
2014-04-09 09:53:06 +02:00
ae3ead6ef9
Land #2107 Post Enum Domain Users
2014-04-09 11:32:12 +01:00
4e7c675f3c
Fix typo, extraquote in message
2014-04-09 10:22:15 +02:00
cdfe333572
updated heartbleed module
...
-) Heartbeat length was added twice
-) Use the current date for the TLS client_hello
2014-04-09 09:19:05 +02:00
b4f5784ba2
Land #3147 , @m-1-k-3's mipsbe exec payload.
2014-04-08 22:32:21 -05:00
82c9b539ac
Fix disclosure date, earlier than I thought
2014-04-08 21:43:49 -05:00
3013704c75
Create sophos_wpa_iface_exec
...
This module exploits both bugs in http://www.zerodayinitiative.com/advisories/ZDI-14-069/
2014-04-08 21:21:43 -05:00
dd69a9e5dd
Land #3206 , OpenSSL Heartbleed infoleak
2014-04-08 20:12:00 -05:00
5e314f2a7c
Fix outstanding issues
2014-04-08 20:11:28 -05:00
f3086085b6
Land #3204 - MS14-017 Microsoft Word RTF Object Confusion
2014-04-08 18:47:53 -05:00
a4e1d866e1
Favor nil?
2014-04-08 18:21:49 -05:00
153e003e23
Do small fixes
2014-04-08 18:21:09 -05:00
39aecb140a
Use the datastore option
2014-04-08 16:55:08 -05:00
496dd944e6
Add support for datastore TLSVERSION
2014-04-08 16:51:50 -05:00
d51aa34437
Use Random generation Time as pointed by @Firefart
2014-04-08 16:46:15 -05:00
d964243cc4
Move heartbeat length to a variable
2014-04-08 16:33:05 -05:00
3d6c553efd
Fix endianess
2014-04-08 16:29:31 -05:00
373b05c5aa
Minimize extensions in the Hello
2014-04-08 16:21:38 -05:00
3254cce832
Align comment
2014-04-08 16:04:38 -05:00
c20b71e7b6
Switch to vprint unless success
2014-04-08 16:03:38 -05:00
7dbd690c99
Add new references
2014-04-08 16:01:06 -05:00
a55579dd4a
Fix references
2014-04-08 15:56:56 -05:00
4004cd8f9a
Allow hello data to grow dinamically
2014-04-08 15:52:39 -05:00
b8e2c9fe42
Clean and fix @Firefart's code
2014-04-08 15:32:13 -05:00
80bdbbed92
Solve conflict
2014-04-08 15:18:38 -05:00
8c7debb81d
Added some comments and modified JABBER
2014-04-08 22:13:02 +02:00
021da84459
Add authors and switch and's format
2014-04-08 15:10:27 -05:00
a2b709b20e
Land #3189 - Vtiger Install Unauthenticated Remote Command Execution
2014-04-08 14:58:34 -05:00
4012dd0acc
Fix everything that needs to be fixed
2014-04-08 14:57:42 -05:00
9c053a5b91
Added additional protocols
2014-04-08 21:56:05 +02:00
8dce80fd30
Added Big Endianess, improved check()-Function
...
Some Fritz!Box devices also run in Big Endianess mode. However, since
"uname -a" always returns "mips" and the "file"-command is not
available, autodetection is not an easy task.
The check()-function now checks, whether the device is really
vulnerable.
Furthemore, it's possible to send 92 bytes.
2014-04-08 21:32:36 +02:00
5f29026cb2
Complete @Firefart's module
2014-04-08 14:13:56 -05:00
3f6c8afbe3
Fix typo of MSCOMCTL not MCCOMCTL
2014-04-08 14:52:18 -04:00
85197dffe6
MS14-017 Word RTF listoverridecount memory corruption
2014-04-08 14:44:20 -04:00
21b220321f
Fix typo.
...
This isn't a Linksys exploit. Left over wording from a previous exploit?
2014-04-07 18:06:59 -05:00
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
fb1318b91c
Land #3193 , @m-1-k-3's exploit for the Fritzbox RCE vuln
2014-04-07 16:13:31 -05:00
ceaa99e64e
Minor final cleanup
2014-04-07 16:12:54 -05:00
ac0cafcca6
Initial commit for openssl Heartbleed bug
2014-04-07 21:15:54 +02:00
44640b126c
Add Oracle Demantra 2013-5795 (Database Credentials Retrieval)
2014-04-07 11:42:47 -07:00
b1a6b28af9
fixed disclosure date
2014-04-07 19:29:37 +02:00
003310f18a
feedback included
2014-04-07 19:25:26 +02:00
7572d6612e
Spelling and grammar on new release modules
2014-04-07 12:18:13 -05:00
85de6ed0c9
feedback included
2014-04-07 18:20:15 +02:00
0c883723ba
Land #3149 - Oracle Demantra Arbitrary File Retrieval with auth bypass
2014-04-07 11:11:55 -05:00
31dfae3a01
Follow the 100 columns per line guideline
2014-04-07 11:10:20 -05:00
de242ecc00
Correct date format
...
Hmm weird, msftidy didn't pick this up
2014-04-07 11:09:27 -05:00
56bd35c8ce
Add module for WinRAR spoofing vulnerability
2014-04-07 09:21:49 -05:00
11bbb7f429
fritzbox echo exploit
2014-04-07 09:12:22 +02:00
ca7dcc0781
cleanup with msftidy
2014-04-06 12:41:58 +02:00
6d72860d58
Land #3004 , @m-1-k-3's linksys moon exploit
2014-04-04 14:04:48 -05:00
0ae75860ea
Code clean up
2014-04-04 14:02:12 -05:00
ea1c6fe8a4
Land #3177 - JIRA Issues Collector Directory Traversal
2014-04-04 10:41:51 -05:00
395f5beef8
Land #3178 , http header scan module
2014-04-04 11:36:35 -04:00
2b6ae68cbf
Minor modifications for http_header
2014-04-04 10:46:03 -04:00
e2cbcf3c5d
Land #3179 , @brandonprry AlienVault sqli aux module
2014-04-04 09:17:11 -05:00
ff6105e55d
Add check codes
2014-04-04 09:13:43 -05:00
44db611845
defaultoptions, not option
2014-04-04 05:55:35 -07:00
c90c49e319
Add vtiger install rce 0 day
2014-04-04 10:16:55 +02:00
6f14cd225d
Do minor clean up
2014-04-03 23:22:44 -05:00
48ef061c3c
Land #3046 , AIX ibtstat privesc exploit
2014-04-03 17:07:00 -05:00
6c67f1881f
Normalize syntax and whitespace
2014-04-03 16:54:33 -05:00
253a1c1f87
Land #3180 , EMC Cloud Tiering Appliance Unauthed XXE with root perms
2014-04-03 22:02:13 +02:00
a57da00932
fix refs line
2014-04-03 14:07:00 -07:00
51f83fccde
add some checks in vase the file wasn't retrievable
2014-04-03 14:04:05 -07:00
03559dedcd
Land #3187 - Changed OptString to OptRegexp
2014-04-03 14:52:59 -05:00
d69a9d3c45
Land #3186 , OptString should be OptRegexp
2014-04-03 13:07:23 -05:00
d995d84e91
Changed OptString to OptRegexp
2014-04-03 19:40:07 +02:00
b4aa08251f
changed option from string to regex
2014-04-03 19:34:40 +02:00
e2ded663a6
make more robust
2014-04-03 06:15:09 -07:00
53b8148438
make more random
2014-04-03 05:52:35 -07:00
77b64ee77d
make more random
2014-04-03 05:41:00 -07:00
a4adfac312
Added feedback for http_header module
2014-04-02 23:01:23 +02:00
75dc4c459b
msftidy
2014-04-02 13:22:21 -07:00
bb82277a41
msftidy
2014-04-02 13:20:13 -07:00
abc0b31f26
exploithub wat
2014-04-02 13:18:48 -07:00
577bd7c855
Land #3146 , @wchen-r7's flash version detection code
2014-04-02 15:13:41 -05:00
765657d55a
alienvault module
2014-04-02 13:09:46 -07:00
d3f353118a
edb update
2014-04-02 13:06:54 -07:00
32cd846fe4
emc cta xxe module
2014-04-02 13:05:53 -07:00
69192edd4b
Added new http_header module
2014-04-02 22:04:54 +02:00
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
b636a679ae
Erf, sorry, fixed now
2014-04-02 20:33:08 +01:00
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
978bdbb676
Custom Service Description
2014-04-02 20:33:07 +01:00
e3dda2e862
Land #3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon
2014-04-02 14:07:37 -05:00
ebcf972c08
Add initial firefox xpi prompt bypass.
2014-04-01 23:48:35 -05:00
149948485a
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra fixed issues
2014-04-01 12:28:41 -07:00
8611526a01
Fix more bugs and more syntax errors
2014-04-01 01:22:12 +02:00
becefde52f
Fix bugs and syntax
2014-04-01 00:54:51 +02:00
cf2589ba8d
Land #3162 , Microsoft module name changes
2014-03-28 23:10:27 -05:00
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
c37dbd104a
Clean up perms and whitespace for owa_login
2014-04-02 01:45:15 -05:00
2972220f60
Land #3047 for real.
...
Merge branch 'land-3047-really' into upstream-master
2014-04-01 13:16:13 -05:00
367652592c
Land #2964 - Powershell CMD Encoder
2014-04-01 10:26:38 -05:00
f9a7cfaa67
Land #3168 , EICAR payload encoding
2014-04-01 09:17:10 -05:00
dfec2eb53f
Cleanup an expression and avoid fail_with
2014-03-31 18:05:20 -04:00
07e04717c2
Allow using a single URI and/or a list of URIs
2014-03-31 18:05:20 -04:00
b21d5c1801
use TARGET_URI if given, otherwise TARGET_URIS_FILE
2014-03-31 18:05:20 -04:00
5e9e7e15c8
Return whether result is nil or not.
2014-03-31 18:05:20 -04:00
0ac112b5e7
Support checking a single URI for ntlm information.
2014-03-31 18:05:19 -04:00
fb20759fc2
Comment doc speelling
2014-03-31 16:42:50 -05:00
6474c7be5c
Land #3166 and also #3167
...
[Closes #3167 ]
2014-03-31 16:21:07 -05:00
3b6d73420e
Fix syntax error in dns_amp
2014-03-31 16:18:49 -05:00
d9df2fbf08
Land #3158 , msftidy rank check for aux modules
2014-03-31 15:17:30 -05:00
159bc264a4
unretards the uri normalize loop
2014-03-31 15:58:21 -04:00
2290249a42
uses fail_with to bomb out on datastore probs
2014-03-31 15:52:05 -04:00
4f121e3e03
fixes if-logic for error condition
2014-03-31 15:38:05 -04:00
894bbcae97
More fix-up on the DNS amplication scanner
2014-03-31 14:37:10 -05:00
4d597174d0
Merge up from upstream/master
2014-03-31 14:33:28 -05:00
387da26f8d
Land #3159 , HP LaserJet printer SNMP enumeration
2014-03-31 12:48:23 -05:00
c6ceb8cdfd
Land #2929 , DNS recursion amplification scanner
2014-03-31 12:47:46 -05:00
aaa15d13d9
Land #2928 , extended SMTP open relay checks
2014-03-31 12:47:10 -05:00
jvazquez-r7
William Vu
HD Moore
sinn3r
Christian Mehlmauer
Jeff Jarmoc
Tod Beardsley
Brandon Perry
Meatballs
julianvilas
joev
Brandon Perry
Fabian Bräunlein
Spencer McIntyre
coma
Michael Messner
dummys
agix
Florian Gaultier
Sagi Shahar
Joshua Smith