Commit Graph

20938 Commits (276ea22db3b96ca94ea5642a8160eb2449c3e926)

Author SHA1 Message Date
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
Tod Beardsley 3215453522 Empty commit to trigger a close on #2476
If this commit lands, it'll close #2476 because it accomplishes the same
thing.

[Closes #2476]
2013-10-07 12:51:34 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
Tod Beardsley ff6dec5eee
Promote joev to a first class citizen
[See #2476]
2013-10-07 12:40:43 -05:00
sinn3r e016c9a62f Use RopDb msvcrt ROP chain. Tested all targets. 2013-10-07 12:27:43 -05:00
Tod Beardsley 293927aff0
msftidy fix for coldfusion exploit 2013-10-07 12:22:48 -05:00
joev 47e7a2de83 Kill stray debugger statement. 2013-10-06 19:32:22 -05:00
joev c2a81907ba Clean up the way Apple Safari UXSS aux module does data collection.
[FIXRM #7918]
2013-10-06 19:28:16 -05:00
jvazquez-r7 5aa3709ca2
Land #2467, @wchen-r7's code to allow dynamic size paylods on ropdb 2013-10-06 18:18:13 -05:00
sinn3r 991e82a78a Land #2470 - Continue to run UAC level is 0 2013-10-05 23:20:55 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7 875e086d94
Land #2469, @bcoles exploit for FlashChat 2013-10-05 14:51:49 -05:00
jvazquez-r7 24efb55ba9 Clean flashchat_upload_exec 2013-10-05 14:50:51 -05:00
bcoles 08243b277a Add FlashChat Arbitrary File Upload exploit module 2013-10-05 22:30:38 +09:30
Markus Wulftange 836ff24998 Clean and fix CmdStagerPrintf
Clean up of the CmdStagerPrintf as discussed in mwulftange#1
2013-10-05 10:39:55 +02:00
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
Tod Beardsley f9eccae391
Land #2466, don't try to lockout SMB 2013-10-04 16:47:26 -05:00
Tod Beardsley d6c74cd0ed
Land #2463, fixes to gestoip 2013-10-04 16:43:37 -05:00
James Lee 813013fef5 Make defaults sane for the lockoutable smb_login
See #2376
2013-10-04 15:53:16 -05:00
sinn3r 77cbb7cd19 Update function documentation 2013-10-04 15:18:27 -05:00
ZeroChaos 5f4e4de267 fix for bug 8456
On systems without bundled johntheripper (either by removing the bundled version or by no compatible version shipped) the system john is used.  In this case, all of the checking for compatible bundled jtr makes no sense and as such we can shortcut out of this to not only reduce the size of msf (for embedded) but also to speed execution (saving multiple calls to some random bundled binary cpuinfo*.bin).

This patch makes it very easy to simply remove cpuinfo and msf will not try to run it when missing and default to running john from the path.
2013-10-04 15:58:47 -04:00
jvazquez-r7 113f89e40f First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
jvazquez-r7 299dfe73f1
Land #2460, @xistence's exploit for clipbucket 2013-10-04 12:26:30 -05:00
jvazquez-r7 8e0a4e08a2 Fix author order 2013-10-04 12:25:38 -05:00
Tod Beardsley ff72f0af62
Land #2461, GestioIP module 2013-10-04 11:07:08 -05:00
Tod Beardsley 9b79bb99e0 Add references, correct disclosure date 2013-10-04 09:59:26 -05:00
Tod Beardsley ab786d1466 Imply authentication when a password is set 2013-10-04 09:54:04 -05:00
Brandon Perry 0112d6253c add gestio ip module 2013-10-04 06:39:30 -07:00
jvazquez-r7 db11e88255
Land #2321, @juushya's aux module for Sentry CDU enumeration 2013-10-04 08:35:54 -05:00
Spencer McIntyre 7414dff958 Add fault tolerance for resolve_hosts. 2013-10-04 08:51:13 -04:00
sinn3r 41e87d83a6 Add rspec for Rex::Exploitation::RopDb 2013-10-04 00:54:07 -05:00
xistence 81d4a8b8c1 added clipbucket_upload_exec RCE 2013-10-04 11:43:38 +07:00
sinn3r bc8604f151 Use safe_negate_size for hxds 2013-10-03 23:15:29 -05:00
sinn3r 63d7b8c309 Use safe_negate_size for java 2013-10-03 23:13:57 -05:00
sinn3r ab62af220b Use safe_negate_size key for msvcrt (XP) 2013-10-03 23:12:58 -05:00
sinn3r 29d1c75d1c Update RopDb mixin to allow dynamic payload size for neg
This adds a new key to allow a "safe" integer value to NEG. "Safe"
means the value does not have any null bytes after the NEG instruction,
which is typically used to calculate the payload size.
2013-10-03 23:09:23 -05:00
jvazquez-r7 9df676ca7e
Land #2447, @wchen-r7's new msvcrt ROP chains without nulls 2013-10-03 22:38:29 -05:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
OJ 21afa9defe Meterpreter railgun multi call fix
Modifications accommodate changes in the multi-call railgun code that
were made to Meterpreter.

This also includes a fix for Redmine 8269, so the Windows constants
now work correctly with the multi-calls.
2013-10-04 12:04:18 +10:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
sinn3r 8059c59f15 Land #2452 - Ignore unexpected DNS answers 2013-10-03 15:54:22 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 6499178ccb
Fix Microsoft typo 2013-10-03 12:21:15 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
William Vu f1e299460f Land #2454, EOL spaces fix for astium_sqli_upload 2013-10-03 11:09:22 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
Spencer McIntyre ecf286a8c4 Add support for stdapi_net_resolve_host. 2013-10-03 10:31:54 -04:00
Karn Ganeshen 581e27f151 Merge pull request #2 from jvazquez-r7/review-pr2321
Retab and fix PR2321
2013-10-03 04:20:18 -07:00
jvazquez-r7 1fe0c50df0 Ignore unexpected answers 2013-10-02 20:41:02 -05:00