Commit Graph

12866 Commits (1faf0691305cb1d063a0e022b46c4ca52fa3cdb9)

Author SHA1 Message Date
sinn3r 03559dedcd
Land #3187 - Changed OptString to OptRegexp 2014-04-03 14:52:59 -05:00
William Vu d69a9d3c45
Land #3186, OptString should be OptRegexp 2014-04-03 13:07:23 -05:00
Christian Mehlmauer d995d84e91
Changed OptString to OptRegexp 2014-04-03 19:40:07 +02:00
Christian Mehlmauer b4aa08251f
changed option from string to regex 2014-04-03 19:34:40 +02:00
Brandon Perry e2ded663a6 make more robust 2014-04-03 06:15:09 -07:00
Brandon Perry 53b8148438 make more random 2014-04-03 05:52:35 -07:00
Brandon Perry 77b64ee77d make more random 2014-04-03 05:41:00 -07:00
Christian Mehlmauer a4adfac312
Added feedback for http_header module 2014-04-02 23:01:23 +02:00
Brandon Perry 75dc4c459b msftidy 2014-04-02 13:22:21 -07:00
Brandon Perry bb82277a41 msftidy 2014-04-02 13:20:13 -07:00
Brandon Perry abc0b31f26 exploithub wat 2014-04-02 13:18:48 -07:00
jvazquez-r7 577bd7c855
Land #3146, @wchen-r7's flash version detection code 2014-04-02 15:13:41 -05:00
Brandon Perry 765657d55a alienvault module 2014-04-02 13:09:46 -07:00
Brandon Perry d3f353118a edb update 2014-04-02 13:06:54 -07:00
Brandon Perry 32cd846fe4 emc cta xxe module 2014-04-02 13:05:53 -07:00
Christian Mehlmauer 69192edd4b
Added new http_header module 2014-04-02 22:04:54 +02:00
jvazquez-r7 a85d451904 Add module for CVE-2014-2314 2014-04-02 14:49:31 -05:00
agix 4a575d57ab Try to fix Meatballs1 suggestions : optional service_description change call 2014-04-02 20:33:09 +01:00
agix b636a679ae Erf, sorry, fixed now 2014-04-02 20:33:08 +01:00
agix 631a7b9c48 Adapt to new psexec mixin (first try :D) 2014-04-02 20:33:08 +01:00
Florian Gaultier 978bdbb676 Custom Service Description 2014-04-02 20:33:07 +01:00
sinn3r e3dda2e862
Land #3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon 2014-04-02 14:07:37 -05:00
joev ebcf972c08 Add initial firefox xpi prompt bypass. 2014-04-01 23:48:35 -05:00
coma 149948485a Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra fixed issues 2014-04-01 12:28:41 -07:00
Sagi Shahar 8611526a01 Fix more bugs and more syntax errors 2014-04-01 01:22:12 +02:00
Sagi Shahar becefde52f Fix bugs and syntax 2014-04-01 00:54:51 +02:00
William Vu cf2589ba8d
Land #3162, Microsoft module name changes 2014-03-28 23:10:27 -05:00
sinn3r d7ca537a41 Microsoft module name changes
So after making changes for MSIE modules (see #3161), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
sinn3r 466096f637 Add MSB number to name 2014-03-28 20:33:40 -05:00
William Vu c37dbd104a
Clean up perms and whitespace for owa_login 2014-04-02 01:45:15 -05:00
Tod Beardsley 2972220f60
Land #3047 for real.
Merge branch 'land-3047-really' into upstream-master
2014-04-01 13:16:13 -05:00
sinn3r 367652592c
Land #2964 - Powershell CMD Encoder 2014-04-01 10:26:38 -05:00
William Vu f9a7cfaa67
Land #3168, EICAR payload encoding 2014-04-01 09:17:10 -05:00
Spencer McIntyre dfec2eb53f Cleanup an expression and avoid fail_with 2014-03-31 18:05:20 -04:00
Spencer McIntyre 07e04717c2 Allow using a single URI and/or a list of URIs 2014-03-31 18:05:20 -04:00
Joshua Smith b21d5c1801 use TARGET_URI if given, otherwise TARGET_URIS_FILE 2014-03-31 18:05:20 -04:00
Spencer McIntyre 5e9e7e15c8 Return whether result is nil or not. 2014-03-31 18:05:20 -04:00
Spencer McIntyre 0ac112b5e7 Support checking a single URI for ntlm information. 2014-03-31 18:05:19 -04:00
Tod Beardsley fb20759fc2
Comment doc speelling 2014-03-31 16:42:50 -05:00
Tod Beardsley 6474c7be5c
Land #3166 and also #3167
[Closes #3167]
2014-03-31 16:21:07 -05:00
William Vu 3b6d73420e
Fix syntax error in dns_amp 2014-03-31 16:18:49 -05:00
William Vu d9df2fbf08
Land #3158, msftidy rank check for aux modules 2014-03-31 15:17:30 -05:00
Joshua Smith 159bc264a4 unretards the uri normalize loop 2014-03-31 15:58:21 -04:00
Joshua Smith 2290249a42 uses fail_with to bomb out on datastore probs 2014-03-31 15:52:05 -04:00
Joshua Smith 4f121e3e03 fixes if-logic for error condition 2014-03-31 15:38:05 -04:00
Tod Beardsley 894bbcae97
More fix-up on the DNS amplication scanner 2014-03-31 14:37:10 -05:00
Tod Beardsley 4d597174d0
Merge up from upstream/master 2014-03-31 14:33:28 -05:00
William Vu 387da26f8d
Land #3159, HP LaserJet printer SNMP enumeration 2014-03-31 12:48:23 -05:00
William Vu c6ceb8cdfd
Land #2929, DNS recursion amplification scanner 2014-03-31 12:47:46 -05:00
William Vu aaa15d13d9
Land #2928, extended SMTP open relay checks 2014-03-31 12:47:10 -05:00
Tod Beardsley ffdca3bf42
Fixup on some modules for release
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
Joshua Smith 2530fb9741 adds the return back in (forgot in prev commit) 2014-03-28 19:27:04 -04:00
Joshua Smith dc4b8461e8 unbreaks & DRYs my previous change. 2014-03-28 19:15:38 -04:00
Matteo Cantoni c559a6b39f fix description
(cherry picked from commit 7c860b9553)
2014-03-28 17:36:21 -05:00
Matteo Cantoni ae53d75cdb Module to HP LaserJet Printer SNMP Enumeration
(cherry picked from commit f18fef1864)
2014-03-28 17:36:21 -05:00
William Vu 2344a9368e
Fix warnings generated by #3158
Keeping ManualRanking for DoS modules.
2014-03-31 12:35:15 -05:00
jvazquez-r7 9374777da1
Land #2996, @mcantoni's jboss status aux module 2014-03-28 16:07:08 -05:00
jvazquez-r7 7689751c10 Module module location 2014-03-28 16:05:37 -05:00
jvazquez-r7 e3ec0e7624 Clean up jboss_status module 2014-03-28 16:04:43 -05:00
sinn3r a173fcf2fa Flash detection for firefox_svg_plugin
Good test case
2014-03-28 15:39:25 -05:00
jvazquez-r7 f7b1874e7d
Land #3151, @wchen-r7's use of BrowserExploitServer in ms13-59's exploit 2014-03-28 14:43:38 -05:00
jvazquez-r7 69369c04b3
Land #3126, @xistence's exploit for SePortal 2014-03-28 13:52:59 -05:00
jvazquez-r7 7b56c9edac Add references 2014-03-28 13:51:56 -05:00
Tod Beardsley 196e07c5b1
Touch up the EICAR stuff 2014-03-28 11:45:28 -05:00
Christian Mehlmauer 94494e38e7
Land #3152 - Use normalize_uri for module wp_property_upload_exec 2014-03-28 13:22:54 +01:00
William Vu 5458200434
Fix a couple minor annoyances in PJL 2014-03-28 02:19:30 -05:00
William Vu c1fdc4d945
Fix a couple things that were bugging me 2014-03-28 02:15:38 -05:00
Michael Messner 657b096be3 make msftidy happy 2014-03-27 19:24:25 +01:00
sinn3r f4e62a8dcd
Land #3146 - Firefox Gather Cookies from Privileged Javascript Shell 2014-03-27 13:14:22 -05:00
sinn3r 0b3f49f22a
Land #3145, Clean up firefox_svg_plugin, use FirefoxPrivilegeEscalation mixin 2014-03-27 12:59:49 -05:00
Kurt Grutzmacher 0b766cd412 changes per firefart 2014-03-27 10:08:44 -07:00
Michael Messner ad94653fc0 feedback included 2014-03-27 16:12:34 +01:00
Kurt Grutzmacher 744308bd35 tab... 2014-03-27 05:24:55 -07:00
Kurt Grutzmacher a8c96213f0 normalize_uri for wp_property_upload_exec 2014-03-27 05:22:56 -07:00
coma 107901b481 Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra msftidy fix 2014-03-26 22:37:21 -07:00
coma 30da3575e8 Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra 2014-03-26 21:53:12 -07:00
sinn3r 8ec10f7438 Use BrowserExploitServer for MS13-059 module 2014-03-26 17:49:01 -05:00
Michael Messner 4319885420 we do not need pieces ... 2014-03-26 20:45:30 +01:00
jvazquez-r7 19918e3207
Land #3143, @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf 2014-03-26 14:16:35 -05:00
jvazquez-r7 7ce71445fe
Land #3140, @wchen-r7's requirements for ms14_012_textrange 2014-03-26 14:07:05 -05:00
Joe Vennix b7f1cee8d3 Remove targets from post module. 2014-03-26 13:55:02 -05:00
Joe Vennix ed8bf6279b Use #run, not #exploit, for post modules. 2014-03-26 13:51:05 -05:00
Joe Vennix 6c51e0fd0d Add cookie gathering post module for FF privileged sessions. 2014-03-26 13:49:53 -05:00
Michael Messner 3fc114e265 exec payload - new try 2014-03-26 19:48:14 +01:00
Joe Vennix 80808fc98c Cleans up firefox SVG plugin. 2014-03-26 13:12:39 -05:00
Tod Beardsley 5b8d8d8009
Get Pro and Framework back in sync. 2014-03-26 09:25:19 -05:00
sinn3r fdc355147f Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb 2014-03-25 18:41:47 -05:00
William Vu cd448ba46c
Land #3132, ntp_monlist improvements 2014-03-25 15:19:45 -05:00
Joe Vennix 33651d0753
Fix formatting of hash options. 2014-03-25 14:43:53 -05:00
Joe Vennix c8784168d5 Fix references and whitespace in mips payloads. 2014-03-25 14:39:27 -05:00
William Vu 1c4797337f Clean up rapid7/metasploit-framework#3132 2014-03-25 14:04:43 -05:00
jvazquez-r7 c72c96f0e0
Land #3138, @rcvalle's exploit for CVE-2013-2143 2014-03-25 13:36:03 -05:00
jvazquez-r7 d83f665466 Delete commas 2014-03-25 13:34:02 -05:00
sinn3r 6c206e4ced Add a comment about what this build version range is covering 2014-03-25 11:43:13 -05:00
sinn3r 7108d2b90a Add ua_ver and mshtml_build requirements
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
joev 1ac3944627
Merge branch 'landing-pr-3095' into upstream-master 2014-03-25 10:56:42 -05:00
joev 1680f9cc5d
Land PR #3127, @m-1-k-3's mipsbe reboot payload, into master 2014-03-25 10:44:37 -05:00
Ramon de C Valle e27adf6366 Fix msftidy warnings 2014-03-25 10:39:40 -03:00
Michael Messner 50efd0b5d0 change name and filename and file included 2014-03-25 09:13:04 +01:00
Michael Messner a9952fa294 change name and filename 2014-03-25 09:11:16 +01:00
Michael Messner fca4425f95 feedback 2014-03-25 09:09:13 +01:00
Ramon de C Valle 473f745c3c Add katello_satellite_priv_esc.rb
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
2014-03-24 23:44:44 -03:00
sinn3r 0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping 2014-03-24 21:16:10 -05:00
sinn3r 53b25c8c93 Fix header & author e-mail format 2014-03-24 21:15:27 -05:00
Brandon Perry d2a9a26bc8 real fix for sinn3r bug 2014-03-24 18:40:48 -05:00
Brandon Perry ec35f4b13f some bugs for sinn3r 2014-03-24 18:17:50 -05:00
Brandon Turner 460a1f551c
Fix for R7-2014-05 2014-03-24 14:12:12 -05:00
Tod Beardsley cfdd64d5b1
Title, description grammar and spelling 2014-03-24 12:16:59 -05:00
Tod Beardsley cd9182c77f
Msftidy warning fix on Joomla module.
Pre-commit hooks people.
2014-03-24 12:03:12 -05:00
jvazquez-r7 c7ba7e4d92
Land #3131, @xistence's exploit for CVE-2014-1903 2014-03-24 08:48:06 -05:00
jvazquez-r7 c3b753f92e Make PHPFUNC advanced option 2014-03-24 08:47:31 -05:00
jvazquez-r7 4f333d84c9 Clean up code 2014-03-24 08:15:54 -05:00
Brandon Perry d6f397ab6d whoops that isn't how you EDB 2014-03-22 11:48:41 -05:00
Brandon Perry 291692d6e0 Update lifesize_uvc_ping_rce.rb 2014-03-22 11:30:00 -05:00
Brandon Perry 67a3a7227b Create lifesize_uvc_ping_rce.rb 2014-03-21 21:33:12 -05:00
Joshua Smith 312f117262 updates file read to close file more quickly 2014-03-21 14:53:15 -04:00
sinn3r 13f5c22536
Land #3129 - Fix 2782 with 2961 and stop stack-tracing download_exec 2014-03-21 11:36:59 -05:00
Matteo Cantoni 4b2a2d4dea Improve NTP monlist auxiliary module 2014-03-21 16:39:53 +01:00
Matteo Cantoni fbcd661504 removed snmp_enum_hp_laserjet from this pull request 2014-03-21 15:58:53 +01:00
xistence c4f0d8e179 FreePBX config.php RCE CVE-2014-1903 2014-03-21 10:29:15 +07:00
Spencer McIntyre aa26405c23 Cleanup an expression and avoid fail_with 2014-03-20 17:33:09 -04:00
sinn3r b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution 2014-03-20 12:32:14 -05:00
Tod Beardsley 3d3681801a
Fix linux download_exec for #2961
Note! This module already seems pretty broken, in that it doesn't appear
to correctly locate curl or wget. Will open another bug on that.

[See RM #8777]
2014-03-20 12:09:38 -05:00
sinn3r 0c4b71c8bf
Land #3094 - Joomla weblinks-categories Unauth SQLI Arbitrary File Read 2014-03-20 12:08:18 -05:00
sinn3r 93ad818358 Fix header and e-mail format for author 2014-03-20 12:07:50 -05:00
jvazquez-r7 a5afd929b4 Land #3120, @wchen-r7's exploit for CVE-2014-0307 2014-03-20 11:16:40 -05:00
jvazquez-r7 8cb7bc3cbe Fix typo 2014-03-20 11:13:57 -05:00
Spencer McIntyre 74398c4b6e Allow using a single URI and/or a list of URIs 2014-03-20 09:54:02 -04:00
Michael Messner 4f1404eecc reboot payload for mipsbe 2014-03-20 12:37:58 +01:00
xistence 2845f834c6 changed cookie retrieval to res.get_cookies 2014-03-20 16:39:26 +07:00
xistence 7bfb8e95e6 minor changes to seportal module 2014-03-20 13:44:39 +07:00
xistence 5ef49ff64b SePortal 2.5 SQLi Remote Code Execution 2014-03-20 12:02:06 +07:00
Joshua Smith a8d919feb0 use TARGET_URI if given, otherwise TARGET_URIS_FILE 2014-03-19 23:32:04 -05:00
sinn3r c5158a3ccc Update CVE 2014-03-19 22:13:23 -05:00
Brandon Perry 9b2cfb6c84 change default targeturi to something more universal 2014-03-19 21:03:50 -05:00
Brandon Perry b52a535609 add official url 2014-03-19 20:41:32 -05:00
Brandon Perry ab42cb1bff better error handling for the user 2014-03-19 18:46:57 -05:00
William Vu b79920ba8f
Land #3089, InvalidWordCount fix for smb_login
[FixRM #8730]
2014-03-19 16:12:56 -05:00
Tod Beardsley c1cbeff5f0
Land #3122, lots of Meterpreter updates
This lands the binaries built from Meterpreter as of:

rapid7/meterpreter#80 , also known as

commit 5addac75741fadfff35f4f7839cee6fd69705455

as well as the functional changes in:

rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
2014-03-19 15:35:49 -05:00
sinn3r fe0b76e24e
Land #2994 - OWA 2013 support 2014-03-19 13:16:37 -05:00
jvazquez-r7 d6faf20981 Make title more accurate 2014-03-19 12:43:34 -05:00
jvazquez-r7 144b86fee3 Add reference 2014-03-19 12:17:53 -05:00
jvazquez-r7 27d142b387 Solve conflict by keeping file 2014-03-19 12:15:05 -05:00
jvazquez-r7 fb645b6692 Clean code 2014-03-19 12:06:20 -05:00
jvazquez-r7 0a795ab602
Land #3106, @xistence's exploit for Array Networks devices 2014-03-19 10:49:03 -05:00
jvazquez-r7 0e27d75e60 Code clean up 2014-03-19 10:48:25 -05:00
Brandon Perry 2ef2f9b47c use vars_get 2014-03-19 07:51:34 -07:00
Brandon Perry 920b2da720 Merge branch 'master' into joomla_sqli 2014-03-19 07:43:32 -07:00
Tod Beardsley d27264b402
Land #2782, fix expand_path abuse 2014-03-19 08:41:28 -05:00
xistence 056ce5d097 removed file which did not belong in this pull request 2014-03-19 15:04:19 +07:00
sinn3r 2e76faa076 Add MS14-012 Internet Explorer Use-After-Free Exploit Module
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
jvazquez-r7 379c0efd5a Update POP chain documentation 2014-03-18 16:29:30 -05:00
jvazquez-r7 77c128fbc5 Fix disclosure date and add ref 2014-03-18 16:21:44 -05:00
jvazquez-r7 b6e8bb62bb Switch exploitation technique to use default available classes 2014-03-18 16:07:50 -05:00
William Vu dfd3a81566
Land #3111, hash rockets shouldn't be in refs 2014-03-18 14:25:04 -05:00
jvazquez-r7 38176ad67d
Land #3109, @xistence's Loadbalancer.org Enterprise VA applicance exploit 2014-03-18 06:53:26 -05:00
jvazquez-r7 ddd923793a Do minor clean up 2014-03-18 06:52:50 -05:00
jvazquez-r7 ad49df4301 Register RHOST 2014-03-18 06:17:41 -05:00
jvazquez-r7 600338bd29
Land #3108, @xistence's exploit for Quantum vmPRO shell-escape 2014-03-18 06:12:18 -05:00
jvazquez-r7 f656e5fedb Do minor clean up 2014-03-18 06:11:02 -05:00
jvazquez-r7 f86fd8af5d Delete debug print 2014-03-17 21:01:41 -05:00
jvazquez-r7 3bdd906aae Add module for CVE-2014-1691 2014-03-17 20:47:45 -05:00
Tod Beardsley 8f2124f5da
Minor updates for release
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
Tod Beardsley c916b62f47
Removes hash rockets from references.
[SeeRM #8776]
2014-03-17 09:40:32 -05:00
xistence 8fdb5250d4 changes to smtp relay aux module 2014-03-17 15:09:29 +07:00
xistence 9bb4e5cfc3 Loadbalancer.org Enterprise VA SSH privkey exposure 2014-03-17 14:22:51 +07:00
xistence c116697c70 Quantum vmPRO backdoor command 2014-03-17 14:19:27 +07:00
xistence ef4a019b20 Quantum DXi V1000 SSH private key exposure 2014-03-17 14:15:00 +07:00
xistence e261975c34 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:11:16 +07:00
xistence 1043d9d8b2 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:06:55 +07:00
Daniel Miller 0b6a890137 Fix missing require in reverse_powershell
When initializing the db:

/opt/metasploit-framework/modules/payloads/singles/cmd/windows/reverse_powershell.rb:34:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
    from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
    from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:72:in `on_module_load'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:207:in `load_module'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:271:in `block in load_modules'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:58:in `block (2 levels) in each_module_reference_name'
    from /opt/metasploit-framework/lib/rex/file.rb:127:in `block in find'
    from /opt/metasploit-framework/lib/rex/file.rb:126:in `catch'
    from /opt/metasploit-framework/lib/rex/file.rb:126:in `find'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:45:in `block in each_module_reference_name'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `foreach'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `each_module_reference_name'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:264:in `load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:118:in `block in load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `each'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:56:in `block in add_module_path'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `each'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `add_module_path'
    from /opt/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:14:in `init_module_paths'
    from /opt/metasploit-framework/lib/msf/ui/console/driver.rb:228:in `initialize'
    from /opt/metasploit-framework/msfconsole:148:in `new'
    from /opt/metasploit-framework/msfconsole:148:in `<main>'
2014-03-14 19:28:00 +00:00
David Maloney da0c37cee2
Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
Brandon Perry a01dd48640 a bit better error message if injection works but no file 2014-03-13 13:38:43 -07:00
Brandon Perry b0688e0fca clarify LOAD_FILE perms in description 2014-03-13 13:11:27 -07:00
sinn3r 243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow 2014-03-13 14:13:17 -05:00
sinn3r e832be9eeb Update description and change ranking
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
sinn3r 6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell 2014-03-13 13:36:37 -05:00
Michael Messner 8db5d854c2 typo, null terminator 2014-03-13 18:38:27 +01:00
Joe Vennix 952b50f8c1
Add priv escalation mixin to the firefox local exploit. 2014-03-13 11:49:44 -05:00
Brandon Perry 2734b89062 update normalize_uri calls 2014-03-13 06:55:15 -07:00
William Vu 5aad8f2dc3
Land #3088, SNMP timestamp elements fix 2014-03-13 02:22:14 -05:00
Brandon Perry 7540dd83eb randomize markers 2014-03-12 20:11:55 -05:00
Brandon Perry 3fedafb530 whoops, extra char 2014-03-12 19:54:58 -05:00
Brandon Perry aa00a5d550 check method 2014-03-12 19:47:39 -05:00
Michael Messner f39e784d19 mipsle execve payload 2014-03-12 21:08:40 +01:00
Brandon Perry 9cb1c1a726 whoops, typoed the markers 2014-03-12 10:58:34 -07:00
Brandon Perry 6636d43dc5 initial module 2014-03-12 10:46:56 -07:00
Tod Beardsley 206660ddde
Recreate the intent of cfebdae from @parzamendi-r7
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656.

[SeeRM #8730]
2014-03-11 14:30:01 -05:00
sho-luv f7af9780dc
Rescue InvalidWordCount error
This is a cherry-pick of commit ea86da2 from PR #2656
2014-03-11 14:17:36 -05:00
William Vu 517f264000 Add last chunk of fixes 2014-03-11 12:46:44 -05:00
James Lee f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
2014-03-11 12:44:07 -05:00
William Vu 25ebb05093 Add next chunk of fixes
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
OJ 3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
Conflicts:
	lib/msf/core/post/windows/shadowcopy.rb
	modules/exploits/windows/local/bypassuac.rb
	modules/post/windows/gather/wmic_command.rb
	modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
joev 46c11ea2eb Small fixes to m-1-k-3's mipsle reboot shellcode. 2014-03-10 17:17:23 -05:00
joev 7da54eb9cf
Merge branch 'landing-3041' into upstream-master
Lands PR #3041, @m-1-k-3's reboot shellcode.
2014-03-10 17:11:06 -05:00
Tod Beardsley 2086224a4c
Minor fixes. Includes a test module. 2014-03-10 14:49:45 -05:00
Tod Beardsley 26be236896
Pass MSFTidy please 2014-03-10 14:45:56 -05:00
jvazquez-r7 8cfa5679f2 More nick instead of name 2014-03-10 16:12:44 +01:00
jvazquez-r7 bc8590dbb9 Change DoS module location 2014-03-10 16:12:20 +01:00
jvazquez-r7 1061036cb9 Use nick instead of name 2014-03-10 16:11:58 +01:00
Tod Beardsley 5485028501
Add 3 Yokogawa SCADA vulns
These represent our part for public disclosure of the issues listed
here:

http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf

Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:

YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4

@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:

https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities

Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
sinn3r e32ff7c775
Land #3077 - Allow TFTP server to take a host/port argument 2014-03-08 00:58:52 -06:00
Tod Beardsley 151e2287b8
OptPath, not OptString. 2014-03-07 10:52:45 -06:00
Tod Beardsley 5cf1f0ce4d
Since dirs are required, server will send/recv
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.

Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
2014-03-07 10:49:11 -06:00
Tod Beardsley 37fa4a73a1
Make the path options required and use /tmp
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
2014-03-07 10:41:18 -06:00
sinn3r c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack 2014-03-07 10:29:56 -06:00
Spencer McIntyre ebee365fce
Land #2742, report_vuln for MongoDB no auth 2014-03-06 19:34:45 -05:00
Spencer McIntyre 84f280d74f
Use a more descriptive MongoDB vulnerability title 2014-03-06 19:20:52 -05:00
Tod Beardsley 8a0531650c
Allow TFTP server to take a host/port argument
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.

This is almost never correct.
2014-03-06 16:13:20 -06:00
Joe Vennix 9638bc7061 Allow a custom .app bundle.
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Joe Vennix 5abb442757 Adds more descriptive explanation of 10.8+ settings. 2014-03-06 15:15:27 -06:00
Joe Vennix 43d315abd5 Hardcode the platform in the safari exploit. 2014-03-06 13:04:47 -06:00
Brendan Coles df2bdad4f9 Include 'msf/core/exploit/powershell'
Prevent:

```
[-] 	/pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
Joe Vennix 38a2e6e436 Minor fixes. 2014-03-05 19:03:54 -06:00
Joe Vennix dca807abe9 Tweaks for BES. 2014-03-05 19:00:15 -06:00
Joe Vennix 12cf5a5138 Add BES, change extra_plist -> plist_extra. 2014-03-05 18:51:42 -06:00
sinn3r 9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write 2014-03-05 16:34:54 -06:00
bcoles 1ea35887db Add OSVDB reference 2014-03-06 01:40:15 +10:30
jvazquez-r7 4e9350a82b Add module for ZDI-14-008 2014-03-05 03:25:13 -06:00
Joe Vennix cd3c2f9979 Move osx-app format to EXE. 2014-03-04 22:54:00 -06:00
OJ a1aef92652
Land #2431 - In-memory bypass uac 2014-03-05 11:15:54 +10:00
sinn3r 7cb6e7e261
Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read 2014-03-04 17:52:29 -06:00
sinn3r f0e97207b7 Fix email format 2014-03-04 17:51:24 -06:00
Joe Vennix 32c27f6be0 Tweak timeouts. 2014-03-04 17:16:23 -06:00
Joe Vennix 40047f01d3 Adds Safari User Assisted download launch module. 2014-03-04 17:02:51 -06:00
sinn3r caaa419ef8
Land #3054 - Fix crash in osx/x64/exec on 10.9 Mavericks 2014-03-04 15:24:02 -06:00
Brandon Perry c86764d414 update default password to root 2014-03-04 11:55:30 -08:00
Brandon Perry 2b06791ea6 updates regarding PR comments 2014-03-04 10:08:31 -08:00
William Vu e30238fe0d
Land #3062, unused arg fix for vmware_mount 2014-03-04 11:37:41 -06:00
James Lee 68205fa43c
Actually use the argument 2014-03-04 11:30:42 -06:00
sinn3r f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww 2014-03-04 11:29:52 -06:00
David Maloney db76962b4a
Land #2764, WMIC Post Mixin changes
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
Brandon Perry a3523bdcb9 Update mantisbt_admin_sqli.rb
remove extra new line and fix author line
2014-03-04 08:44:53 -06:00
OJ f0868c35bf
Land #3050 - Fix tained perl payloads 2014-03-04 10:05:47 +10:00
sgabe 408fedef93 Add module for OSVDB-98283 2014-03-04 00:51:01 +01:00
Meatballs 32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post 2014-03-03 21:56:31 +00:00
Brandon Perry 98b59c4103 update desc 2014-03-03 12:40:58 -08:00
Brandon Perry c5d1071456 add mantisbt aux module 2014-03-03 12:36:38 -08:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
Joe Vennix 6a02a2e3b3 NULL out envp pointer before execve call.
This was causing a crash on 10.9.
2014-03-03 08:56:52 -06:00
Sagi Shahar a005d69b16 Fix $PATH issues. Add FileDropper functionality 2014-03-02 20:43:17 +02:00
Sagi Shahar 8c4b663643 Fix payloads to bypass Perl's Taint mode. 2014-03-02 18:39:05 +02:00
Sagi Shahar e6c1dd3f9e Switch post module to fixed exploit module. 2014-03-02 17:42:48 +02:00
Sagi Shahar 1d9e788649 Switch post module to fixed exploit module. 2014-03-02 17:24:22 +02:00
bcoles f008c77f26 Write payload to startup for Vista+ 2014-03-02 18:10:10 +10:30
Sagi Shahar 2870c89b78 Switch exploit module with post module. 2014-03-01 13:49:42 +02:00
Sagi Shahar 17272acb27 Fix module code per recommendations 2014-03-01 00:53:24 +02:00
Meatballs 63751c1d1a
Small msftidies 2014-02-28 22:18:59 +00:00
Michael Messner 15345da9d8 remove the wget module, remove the cmd stuff, testing bind stuff ahead 2014-02-28 22:44:26 +01:00