8ddc19e842
Unmerge #1476 and #1444
...
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.
First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.
FixRM #7752
2013-02-11 20:49:55 -06:00
8d013d1034
Merge branch 'master' into http/auth_methods
2013-02-04 13:11:57 -06:00
4c1e630bf3
BasicAuth datastore cleanup
...
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
027ba28e70
Merge branch 'jvazquez-r7-datalife_template'
2013-02-01 16:27:18 -06:00
a63cf6977c
Fix 1.8 support
2013-02-01 14:39:32 -06:00
bf7bb9952e
added template stuff improve
2013-02-01 11:53:42 +01:00
de8572d934
Use normalize_uri for URI
2013-01-31 16:57:48 -06:00
70b252dc7b
Merge branch 'normalize_uri_update2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-normalize_uri_update2
2013-01-31 22:32:50 +01:00
b2ce9302c6
uri normalization in the old way
2013-01-31 16:59:49 +01:00
365e1b0557
added module for cve-2013-1412
2013-01-31 16:09:14 +01:00
c174e6a208
Correctly use normalize_uri()
...
normalize_uri() should be used when you're joining URIs. Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
970591a85f
Add ZoneMinder arbitrary command execution exploit
2013-01-22 22:56:50 +10:30
9769efbf01
references and date updated
2013-01-20 17:38:37 +01:00
dc318c5aed
update php_charts_exec metadata
2013-01-21 02:12:42 +10:30
f975a42571
move and update php_charts_exec metadata
2013-01-21 02:10:48 +10:30
2348a0b066
final cleanup and testing
2013-01-16 11:55:14 +01:00
064ea63a72
Fixes
2013-01-16 05:22:43 +01:00
18f81fd6f4
Nagios3 history.cgi exploit
2013-01-15 15:32:32 +01:00
2a1ab2c99a
Improve the module
2013-01-07 19:03:58 -06:00
1d3c1ec7fc
Merge branch 'master' of github.com:CharlieEriksen/metasploit-framework into CharlieEriksen-master
2013-01-07 19:03:35 -06:00
4e0fca6d0f
Adding DB error handling
...
As per sinn3r's suggestion, adding handling for the most common MySQL
errors.
Also adding HostNotPrivileged, which I encountered during my testing.
2013-01-07 23:52:13 +00:00
33751c7ce4
Merges and resolves CJR's normalize_uri fixes
...
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules
Note that this trips all kinds of msftidy warnings, but that's for another
day.
Conflicts:
modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
a8df3d71ff
Changes based on Sinn3r's feedback
...
A bucket-load of changes!
- Added a fallback for if there is no Set-Cookie header
- Added a check if the cookie we produce is simply empty, meaning we
failed something :(
- Removed use of flatten. Though I may look into making that extraction
better
- Changed cgi requests to use vars_(post|get)
- Clarified a few status prints
- A few EOL space fixes
2013-01-06 12:34:27 +00:00
a5113f0da4
Adding a check function
...
Because it makes sense. The non-vulnerable versions doesn't have
/libs/pdf.php.
So pretty simple.
2013-01-05 18:37:29 +00:00
ae72022777
Improvement for CVE 2012-4915
...
Made two tiny improvements based on Meatballs' points
- Added handling for 127.0.0.1 as DB_HOST
- Added a note in the description about it changing the pasword
2013-01-05 18:23:00 +00:00
25cadf8b87
Adding exploit for CVE 2012-4915
...
Initial commit.
Major functionality working. A bit of polish is still needed in a few
spots to handle exceptions and such.
2013-01-05 14:21:02 +00:00
b50e040e69
Fix e-mail format, and the extra comma
2013-01-04 01:11:40 -06:00
8f2dd8e2ce
msftidy: Remove $Revision$
2013-01-04 00:48:10 +01:00
25aaf7a676
msftidy: Remove $Id$
2013-01-04 00:41:44 +01:00
758edd7aed
make msftidy happy
2013-01-03 00:02:03 +01:00
97253d46a1
Multiple change for Juan
...
Incooperated changes as per Juan's suggestions.
- Removed redundant space option for the payload
- Doing the uri more intelligently
- Detecting allow_url_include being disabled and reporting it
- Moved to unix/webapp
- Removed redundant handler call
- Adding to description that this requires allow_url_include to be
enabled
2013-01-02 21:19:06 +00:00
2682908ff2
Small corrections here and there
2012-12-24 18:20:46 -06:00
5b8492fc0d
module cleanup by juan
2012-12-24 23:26:40 +01:00
ac6f34dc09
module name renamed
2012-12-24 23:26:06 +01:00
bf036c97ad
added initial submission from james fitts
2012-12-24 23:25:25 +01:00
7173c9b598
update james email address
2012-12-24 22:46:47 +01:00
d69e506221
Final changes
2012-12-24 15:08:52 -06:00
3d27397429
This error will still show even if we get a shell
2012-12-24 15:06:15 -06:00
0950240d9a
module cleanup by juan
2012-12-24 18:59:45 +01:00
9020c96373
module renamed
2012-12-24 18:59:25 +01:00
09568f255e
Submission by James Fitts
2012-12-24 18:58:53 +01:00
9af8c9b457
Small corrections
2012-12-21 18:52:40 -06:00
d5f08a2405
Added module for CVE-2012-6329 for foswiki
2012-12-21 22:08:08 +01:00
115ad9ae33
Small corrections
2012-12-21 12:56:44 -06:00
76cad3dd4c
Added module for CVE-2012-6329
2012-12-21 11:30:04 +01:00
b3c0c6175d
FixRM #3398 by removing double user-agent headers
2012-12-20 14:45:18 -06:00
f5193b595c
Update references
2012-12-10 11:42:21 -06:00
d921c6f6e9
bid reference added
2012-12-08 15:09:32 +01:00
60feba164d
Add OSVDB
2012-12-07 23:18:02 -06:00
15661b82bc
Add Nagios Network Monitor Graph Explorer module
2012-12-07 23:16:25 -06:00
06927345e5
If message becomes nil, we should force a to_s for the regex
...
next_message can be nil sometimes if packet is nil (see net/ssh's
poll_message source)
2012-12-06 10:44:16 -06:00
530332b176
Apply evil-e's fix when port isn't 22
...
See #1130
2012-12-05 21:42:53 -06:00
32c5f12912
Hmm, I should change the target name
2012-12-05 21:38:31 -06:00
d3c1fa842a
Lots of improvements
...
Keyboard-interactive method isn't required to exploit Tectia SSH.
So this update will just go straight to password method. There's
also improvements for the check() method: Not only does it check
the SSH version (banner), it will also check and see if the server
is using password method to auth.
2012-12-05 21:34:33 -06:00
49999a56ea
Added CVE & vendor advisory information
2012-12-05 10:13:44 -06:00
e6c6133c90
must be password authentication
2012-12-04 09:56:51 -06:00
2467183c4f
"Appears" is better
...
"Appears" is a more accureate way describing how much we think the
host is vulnerable.
2012-12-04 09:28:05 -06:00
b5e7009283
Since we have included Tcp for check(), we don't need to reg rhost
2012-12-04 09:25:24 -06:00
3c59c2d5c0
This extra space must die.
2012-12-03 21:09:07 -06:00
211a1674f5
Add kingcope's Tectia SSH 0day
2012-12-03 21:07:32 -06:00
8b3d200986
Add a check for nil
2012-11-28 23:50:29 -06:00
d4e873df07
Fix bad reference (thanks Daniel Moeller)
2012-11-22 23:51:57 -06:00
959ea1f0c5
final cleanup
2012-11-20 12:52:00 +01:00
a93fbfea32
Add Narcissus module (OSVDB-87410)
2012-11-19 15:12:57 -06:00
09ec7dea95
fix check function after speak with egix
2012-11-15 01:34:17 +01:00
3ba3e906d7
added improvements by egix
2012-11-15 01:20:32 +01:00
af8ac2fbf6
There's a bug here, can you tell?
...
Need to be aware of what happens when no version is captured.
2012-11-14 11:54:59 -06:00
88ea347e40
added cookie prefix check
2012-11-14 16:20:40 +01:00
bbb2f69b55
Add missing require for PhpExe
2012-11-13 10:17:42 -06:00
7d317e7863
Use PhpEXE, and a check() function
...
Uses the PhpEXE mixin for the payload. And then in the future
we can modify PhpEXE again to allow it to be space-free (problem
being a space is required when you use a function). Also, this
commit has a new check function.
2012-11-13 01:41:26 -06:00
42dd1ee3ff
added module for CVE-2012-5692
2012-11-10 11:35:21 +01:00
f88ec5cbc8
Add normalize_uri to modules that may have
...
been missed by PULL 1045.
Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)
ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
2c4273e478
Correct some modules with res nil
2012-10-29 04:41:30 -05:00
799c22554e
Warn user if a file/permission is being modified during new session
2012-10-24 00:54:17 -05:00
f1423bf0b4
If a message is clearly a warning, then use print_warning
2012-10-24 00:44:53 -05:00
be9a954405
Merge remote branch 'jlee-r7/cleanup/post-requires'
2012-10-23 15:08:25 -05:00
910644400d
References EDB cleanup
...
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
9c95c7992b
Require's for all the include's
2012-10-23 13:24:05 -05:00
13a5892e95
Add a mixin for uploading/executing bins with PHP
...
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
9ea208d129
Oops, overwrote egypt's changes by accident
2012-10-11 16:40:52 -05:00
82eaa322fe
Make cleanup work better
2012-10-11 16:39:54 -05:00
3a66a07844
Proposed re-wording of description
...
[See #889 ]
2012-10-11 15:48:04 -05:00
24980e735b
I found an OSVDB ID
2012-10-11 15:28:07 -05:00
55128f5bb3
Make sure res has value before passing it on to exec_php
2012-10-11 14:43:38 -05:00
033a11eff5
Add Project Pier File Upload Vulnerability
2012-10-11 13:47:40 -05:00
4fa3631e34
avoiding the python support on the barracuda one if cannot be tested
2012-10-09 18:01:23 +02:00
f33411abd1
Merge branch 'python_payload_support' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-python_payload_support
2012-10-09 18:00:44 +02:00
a12aed7ffc
Don't really need these keywords
2012-10-09 00:49:05 -05:00
c094508119
Support Python payload
...
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
f4e442bcbd
Added headers support to php_include module
2012-10-05 23:00:38 +02:00
d515b3274d
Apply wfsdelay and apply egypt's suggestions
2012-10-04 00:40:52 -05:00
e2276bfedb
Add QNX QCOMM command execution module
2012-09-30 17:21:08 +09:30
c83b49ad58
Unix linefeeds, not windows
...
That's what I get for just committing willy-nilly with a fresh install
of Gvim for Windows.
Also, this is an experiment to see if linefeeds are being respected in
this editor Window. I doubt it will be, given GitHub's resistence to
50/72 as a sensible default.
2012-09-16 18:10:35 -05:00
2fc34e0073
Auth successful, not successfully
...
Just fixing up some adverb versus adjective grammar.
2012-09-16 17:51:00 -05:00
cbc778cb47
add changes proposed by sinn3r
2012-09-15 23:53:09 +02:00
0708ec72fc
module moved to a more correct location
2012-09-15 15:31:21 +02:00
e27f736e95
BID reference added
2012-08-24 17:29:12 +02:00
0e535e6485
added module for XODA file upload RCE
2012-08-22 00:54:13 +02:00
c2cc4b3b15
juan author name updated
2012-08-06 18:59:16 +02:00
d5b165abbb
Msftidy.rb cleanup on recent modules.
...
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
31510167e6
Make setuid_nmap more robust
...
Squashed commit of the following:
commit e1a1f84f9b1ce6466e82c72e39070c34607d6769
Author: James Lee <egypt@metasploit.com>
Date: Fri Aug 3 14:13:33 2012 -0600
Fix 1.8 compat
commit 26533219896b6e874b2f2113e7cbc6d5d7d1ac79
Author: Daniel Miller <bonsaiviking@gmail.com>
Date: Thu Aug 2 09:50:38 2012 -0500
Handle early Nmap versions that don't take absolute paths
commit 00db80131deba1f4a3bcc289b394feb5057fbbe9
Author: Daniel Miller <bonsaiviking@gmail.com>
Date: Fri Jul 27 11:58:36 2012 -0500
Add compatibility args to setuid_nmap command
Nmap before 4.75 would not run a script without a port scan being
performed. Example: 4.53 installed on Metasploitable would not work.
Added "-p80 localhost" to the command to ensure it works with these
older versions.
[Closes #649 ]
2012-08-03 14:15:09 -06:00
2f66aa7c4f
Added module for OSVDB 83891
2012-07-21 12:14:29 +02:00
efe478f847
Merge branch 'master' into omg-post-exploits
2012-07-16 09:20:23 -06:00
a57e712630
Be less verbose
2012-07-15 22:19:12 -05:00
b133428bc1
Better error handling in two web app modules
2012-07-15 21:56:00 -05:00
4af75ff7ed
Added module for CVE-2011-4542
2012-07-10 18:40:18 +02:00
6d6b4bfa92
Merge remote branch 'rapid7/master' into omg-post-exploits
2012-07-08 17:32:39 -06:00
44290c2c89
add osvdb ref
2012-07-07 08:40:25 -05:00
1e6c4301b6
We worked on it, so we got credit
2012-07-06 02:12:10 -05:00
f8123ef316
Add a "#" in the end after the payload
2012-07-06 02:09:31 -05:00
187731f2cb
Add a check function to detect the vuln
2012-07-06 01:58:01 -05:00
dcddc712d2
Missing a "&"
2012-07-06 01:50:18 -05:00
3c8a836091
Add lcashdol's module from #568
...
Initial version being worked on by sinn3r & juan
2012-07-06 01:41:34 -05:00
850242e733
Remove the extra comma and a tab char
2012-07-05 14:05:23 -05:00
aee7d1a966
Added module for CVE-2012-0911
2012-07-05 20:58:27 +02:00
e5dd6fc672
Update milw0rm references.
...
milw0rm.com is long gone, so all milw0rm references are just
a bunch of broken links. Change to exploit-db instead.
2012-06-28 14:27:12 -05:00
f63a3959e0
Update web app module references
2012-06-28 00:37:37 -05:00
8927c8ae57
Make it more verbose, and do some exception handling for cleanup
2012-06-25 17:27:33 -05:00
7b0f3383d2
delete default credentials
2012-06-25 23:53:56 +02:00
7dc1a572e5
trying to fix serialization issues
2012-06-25 23:25:38 +02:00
4c453f9b87
Added module for CVE-2012-0694
2012-06-25 17:21:03 +02:00
815d80a2cc
Merge branch 'rapid7' into omg-post-exploits
2012-06-21 17:02:55 -06:00
d40e39b71b
Additional exploit fail_with() changes to remove raise calls
2012-06-19 19:43:41 -05:00
fb7f6b49f0
This mega-diff adds better error classification to existing modules
2012-06-19 12:59:15 -05:00
96c16a498a
Add a check for distcc_exec
...
Just executes the exploit with an "echo <random>" payload to see if it
works.
2012-06-18 14:34:02 -06:00
c39a42da3d
No need to alter time out
2012-06-12 23:58:20 -06:00
0e8fb0fe98
Add a post-exploitation exploit for suid nmap
...
Tested on Ubuntu with nmap 6.00 and nmap 5.00
2012-06-12 23:58:20 -06:00
4ae786590a
php_wordpress_foxypress from patrick updated. Related to Pull Request #475
2012-06-12 17:39:05 +02:00
3752c10ccf
Adding FireFart's RPORT(80) cleanup
...
This was tested by creating a resource script to load every changed
module and displaying the options, like so:
````
use auxiliary/admin/2wire/xslt_password_reset
show options
use auxiliary/admin/http/contentkeeper_fileaccess
show options
````
...etc. This was run in both the master branch and FireFart's branch
while spooling out the results of msfconsole, then diffing those
results. All modules loaded successfully, and there were no changes to
the option sets, so it looks like a successful fix.
Thanks FireFart!
Squashed commit of the following:
commit 7c1eea53fe3743f59402e445cf34fab84cf5a4b7
Author: Christian Mehlmauer <FireFart@gmail.com>
Date: Fri May 25 22:09:42 2012 +0200
Cleanup Opt::RPORT(80) since it is already registered by Msf::Exploit::Remote::HttpClient
2012-06-02 09:53:19 -05:00
54fb6d2f7a
Fixes unreal ircd race condition
...
Handler would exit before finishing staging
2012-05-29 17:16:07 -05:00
e774df5c32
target info plus relocation
2012-05-25 20:16:13 +02:00
c4fad0dea5
module added for OSVDB-73609
2012-05-25 17:18:09 +02:00
d668e2321d
Rename this to a more suitable location
2012-05-04 09:59:40 -05:00
6cf6a9548d
Fix up the PHP CGI exploit, remove debug lines
2012-05-04 09:58:10 -05:00
9a36017271
no unicode
2012-05-04 00:01:03 -05:00
2d1f4d4f3e
Add hdm's better check method
2012-05-03 19:00:40 -06:00
40ec3d9d40
Add an exploit module for the recent php cgi bug (CVE-2012-1823)
2012-05-03 18:51:54 -06:00
a8eada6016
This module should be able to support more payloads
2012-04-16 14:43:36 -05:00
edadc19757
This module should be able to support more payloads than it should be
2012-04-16 14:41:11 -05:00
56404f5edd
Fixing EDB reference
2012-03-28 14:33:25 -06:00
2bcf259301
Setting correct LFs on freepbx_callmenum.rb
2012-03-23 16:29:42 -05:00
71462bc73d
Merging in freepbx_callmenum.rb and ricoh_dl_bof.rb
...
[Closes #266 ]
2012-03-23 16:23:36 -05:00
47493af103
Merge pull request #259 from todb-r7/edb-2
...
Convert Exploit-DB references to first-tier "EDB-12345" references
2012-03-23 12:09:07 -07:00
17a044db89
Print the full URI
...
Makes everything obvious from output alone, don't need to show options
to see what RHOST is.
2012-03-22 18:44:55 -06:00
7d12a3ad3a
Manual fixup on remaining exploit-db references
2012-03-21 16:43:21 -05:00
2f3bbdc00c
Sed replacement of exploit-db links with EDB refs
...
This is the result of:
find modules/ -name \*.rb -exec sed -i -e 's#\x27URL\x27,
\x27http://www.exploit-db.com/exploits/ \([0-9]\+\).*\x27#\x27EDB\x27,
\1#' modules/*.rb {} \
2012-03-21 16:43:21 -05:00
aeb691bbee
Massive whitespace cleanup
2012-03-18 00:07:27 -05:00
70162fde73
A few more author typos
2012-03-05 13:28:46 -07:00
5e6c40edfd
Remove unnecessary space restrictions.
...
This allows using the full range of PHP payloads
2012-02-21 23:21:07 -07:00
7ca573a1b4
Give these two old modules a chance to work by setting a proper arch
...
These must have been broken for quite some time. =/ They should
probably both be ARCH_PHP but I'm reluctant to make that big of a change
without having the target software to test.
2012-02-21 22:59:20 -07:00
Tod Beardsley
David Maloney
sinn3r
HD Moore
jvazquez-r7
bcoles
Jose Selvi
Charlie Eriksen
Christian Mehlmauer
James Lee
Chris John Riley
Michael Schierl
ethicalhack3r
Daniel Miller
Steve Tornio
wchen-r7
Tod Beardsley