sinn3r
03559dedcd
Land #3187 - Changed OptString to OptRegexp
2014-04-03 14:52:59 -05:00
William Vu
d69a9d3c45
Land #3186 , OptString should be OptRegexp
2014-04-03 13:07:23 -05:00
Christian Mehlmauer
d995d84e91
Changed OptString to OptRegexp
2014-04-03 19:40:07 +02:00
Christian Mehlmauer
b4aa08251f
changed option from string to regex
2014-04-03 19:34:40 +02:00
Brandon Perry
e2ded663a6
make more robust
2014-04-03 06:15:09 -07:00
Brandon Perry
53b8148438
make more random
2014-04-03 05:52:35 -07:00
Brandon Perry
77b64ee77d
make more random
2014-04-03 05:41:00 -07:00
Christian Mehlmauer
a4adfac312
Added feedback for http_header module
2014-04-02 23:01:23 +02:00
Brandon Perry
75dc4c459b
msftidy
2014-04-02 13:22:21 -07:00
Brandon Perry
bb82277a41
msftidy
2014-04-02 13:20:13 -07:00
Brandon Perry
abc0b31f26
exploithub wat
2014-04-02 13:18:48 -07:00
jvazquez-r7
577bd7c855
Land #3146 , @wchen-r7's flash version detection code
2014-04-02 15:13:41 -05:00
Brandon Perry
765657d55a
alienvault module
2014-04-02 13:09:46 -07:00
Brandon Perry
d3f353118a
edb update
2014-04-02 13:06:54 -07:00
Brandon Perry
32cd846fe4
emc cta xxe module
2014-04-02 13:05:53 -07:00
Christian Mehlmauer
69192edd4b
Added new http_header module
2014-04-02 22:04:54 +02:00
jvazquez-r7
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
agix
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
agix
b636a679ae
Erf, sorry, fixed now
2014-04-02 20:33:08 +01:00
agix
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
Florian Gaultier
978bdbb676
Custom Service Description
2014-04-02 20:33:07 +01:00
sinn3r
e3dda2e862
Land #3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon
2014-04-02 14:07:37 -05:00
joev
ebcf972c08
Add initial firefox xpi prompt bypass.
2014-04-01 23:48:35 -05:00
coma
149948485a
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra fixed issues
2014-04-01 12:28:41 -07:00
Sagi Shahar
8611526a01
Fix more bugs and more syntax errors
2014-04-01 01:22:12 +02:00
Sagi Shahar
becefde52f
Fix bugs and syntax
2014-04-01 00:54:51 +02:00
William Vu
cf2589ba8d
Land #3162 , Microsoft module name changes
2014-03-28 23:10:27 -05:00
sinn3r
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
sinn3r
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
William Vu
c37dbd104a
Clean up perms and whitespace for owa_login
2014-04-02 01:45:15 -05:00
Tod Beardsley
2972220f60
Land #3047 for real.
...
Merge branch 'land-3047-really' into upstream-master
2014-04-01 13:16:13 -05:00
sinn3r
367652592c
Land #2964 - Powershell CMD Encoder
2014-04-01 10:26:38 -05:00
William Vu
f9a7cfaa67
Land #3168 , EICAR payload encoding
2014-04-01 09:17:10 -05:00
Spencer McIntyre
dfec2eb53f
Cleanup an expression and avoid fail_with
2014-03-31 18:05:20 -04:00
Spencer McIntyre
07e04717c2
Allow using a single URI and/or a list of URIs
2014-03-31 18:05:20 -04:00
Joshua Smith
b21d5c1801
use TARGET_URI if given, otherwise TARGET_URIS_FILE
2014-03-31 18:05:20 -04:00
Spencer McIntyre
5e9e7e15c8
Return whether result is nil or not.
2014-03-31 18:05:20 -04:00
Spencer McIntyre
0ac112b5e7
Support checking a single URI for ntlm information.
2014-03-31 18:05:19 -04:00
Tod Beardsley
fb20759fc2
Comment doc speelling
2014-03-31 16:42:50 -05:00
Tod Beardsley
6474c7be5c
Land #3166 and also #3167
...
[Closes #3167 ]
2014-03-31 16:21:07 -05:00
William Vu
3b6d73420e
Fix syntax error in dns_amp
2014-03-31 16:18:49 -05:00
William Vu
d9df2fbf08
Land #3158 , msftidy rank check for aux modules
2014-03-31 15:17:30 -05:00
Joshua Smith
159bc264a4
unretards the uri normalize loop
2014-03-31 15:58:21 -04:00
Joshua Smith
2290249a42
uses fail_with to bomb out on datastore probs
2014-03-31 15:52:05 -04:00
Joshua Smith
4f121e3e03
fixes if-logic for error condition
2014-03-31 15:38:05 -04:00
Tod Beardsley
894bbcae97
More fix-up on the DNS amplication scanner
2014-03-31 14:37:10 -05:00
Tod Beardsley
4d597174d0
Merge up from upstream/master
2014-03-31 14:33:28 -05:00
William Vu
387da26f8d
Land #3159 , HP LaserJet printer SNMP enumeration
2014-03-31 12:48:23 -05:00
William Vu
c6ceb8cdfd
Land #2929 , DNS recursion amplification scanner
2014-03-31 12:47:46 -05:00
William Vu
aaa15d13d9
Land #2928 , extended SMTP open relay checks
2014-03-31 12:47:10 -05:00
Tod Beardsley
ffdca3bf42
Fixup on some modules for release
...
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
Joshua Smith
2530fb9741
adds the return back in (forgot in prev commit)
2014-03-28 19:27:04 -04:00
Joshua Smith
dc4b8461e8
unbreaks & DRYs my previous change.
2014-03-28 19:15:38 -04:00
Matteo Cantoni
c559a6b39f
fix description
...
(cherry picked from commit 7c860b9553
)
2014-03-28 17:36:21 -05:00
Matteo Cantoni
ae53d75cdb
Module to HP LaserJet Printer SNMP Enumeration
...
(cherry picked from commit f18fef1864
)
2014-03-28 17:36:21 -05:00
William Vu
2344a9368e
Fix warnings generated by #3158
...
Keeping ManualRanking for DoS modules.
2014-03-31 12:35:15 -05:00
jvazquez-r7
9374777da1
Land #2996 , @mcantoni's jboss status aux module
2014-03-28 16:07:08 -05:00
jvazquez-r7
7689751c10
Module module location
2014-03-28 16:05:37 -05:00
jvazquez-r7
e3ec0e7624
Clean up jboss_status module
2014-03-28 16:04:43 -05:00
sinn3r
a173fcf2fa
Flash detection for firefox_svg_plugin
...
Good test case
2014-03-28 15:39:25 -05:00
jvazquez-r7
f7b1874e7d
Land #3151 , @wchen-r7's use of BrowserExploitServer in ms13-59's exploit
2014-03-28 14:43:38 -05:00
jvazquez-r7
69369c04b3
Land #3126 , @xistence's exploit for SePortal
2014-03-28 13:52:59 -05:00
jvazquez-r7
7b56c9edac
Add references
2014-03-28 13:51:56 -05:00
Tod Beardsley
196e07c5b1
Touch up the EICAR stuff
2014-03-28 11:45:28 -05:00
Christian Mehlmauer
94494e38e7
Land #3152 - Use normalize_uri for module wp_property_upload_exec
2014-03-28 13:22:54 +01:00
William Vu
5458200434
Fix a couple minor annoyances in PJL
2014-03-28 02:19:30 -05:00
William Vu
c1fdc4d945
Fix a couple things that were bugging me
2014-03-28 02:15:38 -05:00
Michael Messner
657b096be3
make msftidy happy
2014-03-27 19:24:25 +01:00
sinn3r
f4e62a8dcd
Land #3146 - Firefox Gather Cookies from Privileged Javascript Shell
2014-03-27 13:14:22 -05:00
sinn3r
0b3f49f22a
Land #3145 , Clean up firefox_svg_plugin, use FirefoxPrivilegeEscalation mixin
2014-03-27 12:59:49 -05:00
Kurt Grutzmacher
0b766cd412
changes per firefart
2014-03-27 10:08:44 -07:00
Michael Messner
ad94653fc0
feedback included
2014-03-27 16:12:34 +01:00
Kurt Grutzmacher
744308bd35
tab...
2014-03-27 05:24:55 -07:00
Kurt Grutzmacher
a8c96213f0
normalize_uri for wp_property_upload_exec
2014-03-27 05:22:56 -07:00
coma
107901b481
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra msftidy fix
2014-03-26 22:37:21 -07:00
coma
30da3575e8
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra
2014-03-26 21:53:12 -07:00
sinn3r
8ec10f7438
Use BrowserExploitServer for MS13-059 module
2014-03-26 17:49:01 -05:00
Michael Messner
4319885420
we do not need pieces ...
2014-03-26 20:45:30 +01:00
jvazquez-r7
19918e3207
Land #3143 , @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf
2014-03-26 14:16:35 -05:00
jvazquez-r7
7ce71445fe
Land #3140 , @wchen-r7's requirements for ms14_012_textrange
2014-03-26 14:07:05 -05:00
Joe Vennix
b7f1cee8d3
Remove targets from post module.
2014-03-26 13:55:02 -05:00
Joe Vennix
ed8bf6279b
Use #run, not #exploit, for post modules.
2014-03-26 13:51:05 -05:00
Joe Vennix
6c51e0fd0d
Add cookie gathering post module for FF privileged sessions.
2014-03-26 13:49:53 -05:00
Michael Messner
3fc114e265
exec payload - new try
2014-03-26 19:48:14 +01:00
Joe Vennix
80808fc98c
Cleans up firefox SVG plugin.
2014-03-26 13:12:39 -05:00
Tod Beardsley
5b8d8d8009
Get Pro and Framework back in sync.
2014-03-26 09:25:19 -05:00
sinn3r
fdc355147f
Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb
2014-03-25 18:41:47 -05:00
William Vu
cd448ba46c
Land #3132 , ntp_monlist improvements
2014-03-25 15:19:45 -05:00
Joe Vennix
33651d0753
Fix formatting of hash options.
2014-03-25 14:43:53 -05:00
Joe Vennix
c8784168d5
Fix references and whitespace in mips payloads.
2014-03-25 14:39:27 -05:00
William Vu
1c4797337f
Clean up rapid7/metasploit-framework#3132
2014-03-25 14:04:43 -05:00
jvazquez-r7
c72c96f0e0
Land #3138 , @rcvalle's exploit for CVE-2013-2143
2014-03-25 13:36:03 -05:00
jvazquez-r7
d83f665466
Delete commas
2014-03-25 13:34:02 -05:00
sinn3r
6c206e4ced
Add a comment about what this build version range is covering
2014-03-25 11:43:13 -05:00
sinn3r
7108d2b90a
Add ua_ver and mshtml_build requirements
...
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
joev
1ac3944627
Merge branch 'landing-pr-3095' into upstream-master
2014-03-25 10:56:42 -05:00
joev
1680f9cc5d
Land PR #3127 , @m-1-k-3's mipsbe reboot payload, into master
2014-03-25 10:44:37 -05:00
Ramon de C Valle
e27adf6366
Fix msftidy warnings
2014-03-25 10:39:40 -03:00
Michael Messner
50efd0b5d0
change name and filename and file included
2014-03-25 09:13:04 +01:00
Michael Messner
a9952fa294
change name and filename
2014-03-25 09:11:16 +01:00
Michael Messner
fca4425f95
feedback
2014-03-25 09:09:13 +01:00
Ramon de C Valle
473f745c3c
Add katello_satellite_priv_esc.rb
...
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
2014-03-24 23:44:44 -03:00
sinn3r
0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping
2014-03-24 21:16:10 -05:00
sinn3r
53b25c8c93
Fix header & author e-mail format
2014-03-24 21:15:27 -05:00
Brandon Perry
d2a9a26bc8
real fix for sinn3r bug
2014-03-24 18:40:48 -05:00
Brandon Perry
ec35f4b13f
some bugs for sinn3r
2014-03-24 18:17:50 -05:00
Brandon Turner
460a1f551c
Fix for R7-2014-05
2014-03-24 14:12:12 -05:00
Tod Beardsley
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
Tod Beardsley
cd9182c77f
Msftidy warning fix on Joomla module.
...
Pre-commit hooks people.
2014-03-24 12:03:12 -05:00
jvazquez-r7
c7ba7e4d92
Land #3131 , @xistence's exploit for CVE-2014-1903
2014-03-24 08:48:06 -05:00
jvazquez-r7
c3b753f92e
Make PHPFUNC advanced option
2014-03-24 08:47:31 -05:00
jvazquez-r7
4f333d84c9
Clean up code
2014-03-24 08:15:54 -05:00
Brandon Perry
d6f397ab6d
whoops that isn't how you EDB
2014-03-22 11:48:41 -05:00
Brandon Perry
291692d6e0
Update lifesize_uvc_ping_rce.rb
2014-03-22 11:30:00 -05:00
Brandon Perry
67a3a7227b
Create lifesize_uvc_ping_rce.rb
2014-03-21 21:33:12 -05:00
Joshua Smith
312f117262
updates file read to close file more quickly
2014-03-21 14:53:15 -04:00
sinn3r
13f5c22536
Land #3129 - Fix 2782 with 2961 and stop stack-tracing download_exec
2014-03-21 11:36:59 -05:00
Matteo Cantoni
4b2a2d4dea
Improve NTP monlist auxiliary module
2014-03-21 16:39:53 +01:00
Matteo Cantoni
fbcd661504
removed snmp_enum_hp_laserjet from this pull request
2014-03-21 15:58:53 +01:00
xistence
c4f0d8e179
FreePBX config.php RCE CVE-2014-1903
2014-03-21 10:29:15 +07:00
Spencer McIntyre
aa26405c23
Cleanup an expression and avoid fail_with
2014-03-20 17:33:09 -04:00
sinn3r
b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution
2014-03-20 12:32:14 -05:00
Tod Beardsley
3d3681801a
Fix linux download_exec for #2961
...
Note! This module already seems pretty broken, in that it doesn't appear
to correctly locate curl or wget. Will open another bug on that.
[See RM #8777 ]
2014-03-20 12:09:38 -05:00
sinn3r
0c4b71c8bf
Land #3094 - Joomla weblinks-categories Unauth SQLI Arbitrary File Read
2014-03-20 12:08:18 -05:00
sinn3r
93ad818358
Fix header and e-mail format for author
2014-03-20 12:07:50 -05:00
jvazquez-r7
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
jvazquez-r7
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
Spencer McIntyre
74398c4b6e
Allow using a single URI and/or a list of URIs
2014-03-20 09:54:02 -04:00
Michael Messner
4f1404eecc
reboot payload for mipsbe
2014-03-20 12:37:58 +01:00
xistence
2845f834c6
changed cookie retrieval to res.get_cookies
2014-03-20 16:39:26 +07:00
xistence
7bfb8e95e6
minor changes to seportal module
2014-03-20 13:44:39 +07:00
xistence
5ef49ff64b
SePortal 2.5 SQLi Remote Code Execution
2014-03-20 12:02:06 +07:00
Joshua Smith
a8d919feb0
use TARGET_URI if given, otherwise TARGET_URIS_FILE
2014-03-19 23:32:04 -05:00
sinn3r
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
Brandon Perry
9b2cfb6c84
change default targeturi to something more universal
2014-03-19 21:03:50 -05:00
Brandon Perry
b52a535609
add official url
2014-03-19 20:41:32 -05:00
Brandon Perry
ab42cb1bff
better error handling for the user
2014-03-19 18:46:57 -05:00
William Vu
b79920ba8f
Land #3089 , InvalidWordCount fix for smb_login
...
[FixRM #8730 ]
2014-03-19 16:12:56 -05:00
Tod Beardsley
c1cbeff5f0
Land #3122 , lots of Meterpreter updates
...
This lands the binaries built from Meterpreter as of:
rapid7/meterpreter#80 , also known as
commit 5addac75741fadfff35f4f7839cee6fd69705455
as well as the functional changes in:
rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
2014-03-19 15:35:49 -05:00
sinn3r
fe0b76e24e
Land #2994 - OWA 2013 support
2014-03-19 13:16:37 -05:00
jvazquez-r7
d6faf20981
Make title more accurate
2014-03-19 12:43:34 -05:00
jvazquez-r7
144b86fee3
Add reference
2014-03-19 12:17:53 -05:00
jvazquez-r7
27d142b387
Solve conflict by keeping file
2014-03-19 12:15:05 -05:00
jvazquez-r7
fb645b6692
Clean code
2014-03-19 12:06:20 -05:00
jvazquez-r7
0a795ab602
Land #3106 , @xistence's exploit for Array Networks devices
2014-03-19 10:49:03 -05:00
jvazquez-r7
0e27d75e60
Code clean up
2014-03-19 10:48:25 -05:00
Brandon Perry
2ef2f9b47c
use vars_get
2014-03-19 07:51:34 -07:00
Brandon Perry
920b2da720
Merge branch 'master' into joomla_sqli
2014-03-19 07:43:32 -07:00
Tod Beardsley
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
xistence
056ce5d097
removed file which did not belong in this pull request
2014-03-19 15:04:19 +07:00
sinn3r
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
jvazquez-r7
379c0efd5a
Update POP chain documentation
2014-03-18 16:29:30 -05:00
jvazquez-r7
77c128fbc5
Fix disclosure date and add ref
2014-03-18 16:21:44 -05:00
jvazquez-r7
b6e8bb62bb
Switch exploitation technique to use default available classes
2014-03-18 16:07:50 -05:00
William Vu
dfd3a81566
Land #3111 , hash rockets shouldn't be in refs
2014-03-18 14:25:04 -05:00
jvazquez-r7
38176ad67d
Land #3109 , @xistence's Loadbalancer.org Enterprise VA applicance exploit
2014-03-18 06:53:26 -05:00
jvazquez-r7
ddd923793a
Do minor clean up
2014-03-18 06:52:50 -05:00
jvazquez-r7
ad49df4301
Register RHOST
2014-03-18 06:17:41 -05:00
jvazquez-r7
600338bd29
Land #3108 , @xistence's exploit for Quantum vmPRO shell-escape
2014-03-18 06:12:18 -05:00
jvazquez-r7
f656e5fedb
Do minor clean up
2014-03-18 06:11:02 -05:00
jvazquez-r7
f86fd8af5d
Delete debug print
2014-03-17 21:01:41 -05:00
jvazquez-r7
3bdd906aae
Add module for CVE-2014-1691
2014-03-17 20:47:45 -05:00
Tod Beardsley
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
Tod Beardsley
c916b62f47
Removes hash rockets from references.
...
[SeeRM #8776 ]
2014-03-17 09:40:32 -05:00
xistence
8fdb5250d4
changes to smtp relay aux module
2014-03-17 15:09:29 +07:00
xistence
9bb4e5cfc3
Loadbalancer.org Enterprise VA SSH privkey exposure
2014-03-17 14:22:51 +07:00
xistence
c116697c70
Quantum vmPRO backdoor command
2014-03-17 14:19:27 +07:00
xistence
ef4a019b20
Quantum DXi V1000 SSH private key exposure
2014-03-17 14:15:00 +07:00
xistence
e261975c34
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:11:16 +07:00
xistence
1043d9d8b2
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:06:55 +07:00
Daniel Miller
0b6a890137
Fix missing require in reverse_powershell
...
When initializing the db:
/opt/metasploit-framework/modules/payloads/singles/cmd/windows/reverse_powershell.rb:34:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:72:in `on_module_load'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:207:in `load_module'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:271:in `block in load_modules'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:58:in `block (2 levels) in each_module_reference_name'
from /opt/metasploit-framework/lib/rex/file.rb:127:in `block in find'
from /opt/metasploit-framework/lib/rex/file.rb:126:in `catch'
from /opt/metasploit-framework/lib/rex/file.rb:126:in `find'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:45:in `block in each_module_reference_name'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `foreach'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `each_module_reference_name'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:264:in `load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:118:in `block in load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `each'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:56:in `block in add_module_path'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `each'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `add_module_path'
from /opt/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:14:in `init_module_paths'
from /opt/metasploit-framework/lib/msf/ui/console/driver.rb:228:in `initialize'
from /opt/metasploit-framework/msfconsole:148:in `new'
from /opt/metasploit-framework/msfconsole:148:in `<main>'
2014-03-14 19:28:00 +00:00
David Maloney
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
Brandon Perry
a01dd48640
a bit better error message if injection works but no file
2014-03-13 13:38:43 -07:00
Brandon Perry
b0688e0fca
clarify LOAD_FILE perms in description
2014-03-13 13:11:27 -07:00
sinn3r
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
sinn3r
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
sinn3r
6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell
2014-03-13 13:36:37 -05:00
Michael Messner
8db5d854c2
typo, null terminator
2014-03-13 18:38:27 +01:00
Joe Vennix
952b50f8c1
Add priv escalation mixin to the firefox local exploit.
2014-03-13 11:49:44 -05:00
Brandon Perry
2734b89062
update normalize_uri calls
2014-03-13 06:55:15 -07:00
William Vu
5aad8f2dc3
Land #3088 , SNMP timestamp elements fix
2014-03-13 02:22:14 -05:00
Brandon Perry
7540dd83eb
randomize markers
2014-03-12 20:11:55 -05:00
Brandon Perry
3fedafb530
whoops, extra char
2014-03-12 19:54:58 -05:00
Brandon Perry
aa00a5d550
check method
2014-03-12 19:47:39 -05:00
Michael Messner
f39e784d19
mipsle execve payload
2014-03-12 21:08:40 +01:00
Brandon Perry
9cb1c1a726
whoops, typoed the markers
2014-03-12 10:58:34 -07:00
Brandon Perry
6636d43dc5
initial module
2014-03-12 10:46:56 -07:00
Tod Beardsley
206660ddde
Recreate the intent of cfebdae from @parzamendi-r7
...
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656 .
[SeeRM #8730 ]
2014-03-11 14:30:01 -05:00
sho-luv
f7af9780dc
Rescue InvalidWordCount error
...
This is a cherry-pick of commit ea86da2 from PR #2656
2014-03-11 14:17:36 -05:00
William Vu
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
James Lee
f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0
...
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
2014-03-11 12:44:07 -05:00
William Vu
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
William Vu
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
joev
46c11ea2eb
Small fixes to m-1-k-3's mipsle reboot shellcode.
2014-03-10 17:17:23 -05:00
joev
7da54eb9cf
Merge branch 'landing-3041' into upstream-master
...
Lands PR #3041 , @m-1-k-3's reboot shellcode.
2014-03-10 17:11:06 -05:00
Tod Beardsley
2086224a4c
Minor fixes. Includes a test module.
2014-03-10 14:49:45 -05:00
Tod Beardsley
26be236896
Pass MSFTidy please
2014-03-10 14:45:56 -05:00
jvazquez-r7
8cfa5679f2
More nick instead of name
2014-03-10 16:12:44 +01:00
jvazquez-r7
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
jvazquez-r7
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
Tod Beardsley
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
sinn3r
e32ff7c775
Land #3077 - Allow TFTP server to take a host/port argument
2014-03-08 00:58:52 -06:00
Tod Beardsley
151e2287b8
OptPath, not OptString.
2014-03-07 10:52:45 -06:00
Tod Beardsley
5cf1f0ce4d
Since dirs are required, server will send/recv
...
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.
Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
2014-03-07 10:49:11 -06:00
Tod Beardsley
37fa4a73a1
Make the path options required and use /tmp
...
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
2014-03-07 10:41:18 -06:00
sinn3r
c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack
2014-03-07 10:29:56 -06:00
Spencer McIntyre
ebee365fce
Land #2742 , report_vuln for MongoDB no auth
2014-03-06 19:34:45 -05:00
Spencer McIntyre
84f280d74f
Use a more descriptive MongoDB vulnerability title
2014-03-06 19:20:52 -05:00
Tod Beardsley
8a0531650c
Allow TFTP server to take a host/port argument
...
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.
This is almost never correct.
2014-03-06 16:13:20 -06:00
Joe Vennix
9638bc7061
Allow a custom .app bundle.
...
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Joe Vennix
5abb442757
Adds more descriptive explanation of 10.8+ settings.
2014-03-06 15:15:27 -06:00
Joe Vennix
43d315abd5
Hardcode the platform in the safari exploit.
2014-03-06 13:04:47 -06:00
Brendan Coles
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
Joe Vennix
38a2e6e436
Minor fixes.
2014-03-05 19:03:54 -06:00
Joe Vennix
dca807abe9
Tweaks for BES.
2014-03-05 19:00:15 -06:00
Joe Vennix
12cf5a5138
Add BES, change extra_plist -> plist_extra.
2014-03-05 18:51:42 -06:00
sinn3r
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
bcoles
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
jvazquez-r7
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
Joe Vennix
cd3c2f9979
Move osx-app format to EXE.
2014-03-04 22:54:00 -06:00
OJ
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
sinn3r
7cb6e7e261
Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read
2014-03-04 17:52:29 -06:00
sinn3r
f0e97207b7
Fix email format
2014-03-04 17:51:24 -06:00
Joe Vennix
32c27f6be0
Tweak timeouts.
2014-03-04 17:16:23 -06:00
Joe Vennix
40047f01d3
Adds Safari User Assisted download launch module.
2014-03-04 17:02:51 -06:00
sinn3r
caaa419ef8
Land #3054 - Fix crash in osx/x64/exec on 10.9 Mavericks
2014-03-04 15:24:02 -06:00
Brandon Perry
c86764d414
update default password to root
2014-03-04 11:55:30 -08:00
Brandon Perry
2b06791ea6
updates regarding PR comments
2014-03-04 10:08:31 -08:00
William Vu
e30238fe0d
Land #3062 , unused arg fix for vmware_mount
2014-03-04 11:37:41 -06:00
James Lee
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
sinn3r
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
David Maloney
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
Brandon Perry
a3523bdcb9
Update mantisbt_admin_sqli.rb
...
remove extra new line and fix author line
2014-03-04 08:44:53 -06:00
OJ
f0868c35bf
Land #3050 - Fix tained perl payloads
2014-03-04 10:05:47 +10:00
sgabe
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
Meatballs
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
Brandon Perry
98b59c4103
update desc
2014-03-03 12:40:58 -08:00
Brandon Perry
c5d1071456
add mantisbt aux module
2014-03-03 12:36:38 -08:00
Tod Beardsley
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
Joe Vennix
6a02a2e3b3
NULL out envp pointer before execve call.
...
This was causing a crash on 10.9.
2014-03-03 08:56:52 -06:00
Sagi Shahar
a005d69b16
Fix $PATH issues. Add FileDropper functionality
2014-03-02 20:43:17 +02:00
Sagi Shahar
8c4b663643
Fix payloads to bypass Perl's Taint mode.
2014-03-02 18:39:05 +02:00
Sagi Shahar
e6c1dd3f9e
Switch post module to fixed exploit module.
2014-03-02 17:42:48 +02:00
Sagi Shahar
1d9e788649
Switch post module to fixed exploit module.
2014-03-02 17:24:22 +02:00
bcoles
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
Sagi Shahar
2870c89b78
Switch exploit module with post module.
2014-03-01 13:49:42 +02:00
Sagi Shahar
17272acb27
Fix module code per recommendations
2014-03-01 00:53:24 +02:00
Meatballs
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
Michael Messner
15345da9d8
remove the wget module, remove the cmd stuff, testing bind stuff ahead
2014-02-28 22:44:26 +01:00