c72593fae4
Store just banner for service, loot the rest. Also, minor style.
2014-10-11 11:12:49 -07:00
9550c54cd2
Correct indentation and whitespace
2014-10-11 10:39:12 -07:00
9500038695
Fix #3995 - Make negative messages less verbose
...
As an user testing against a large network, I only want to see
good news, not bad news.
2014-10-11 11:11:09 -05:00
7bd0f2c114
Changed Name, array in OptEnum and operator
2014-10-11 09:03:18 -03:00
cbde2e8cd1
Variable cmd now with interpolation
2014-10-10 18:21:16 -03:00
291bfed47e
Using Rex.sleep instead of select
2014-10-10 15:17:40 -03:00
bd315d7655
Changed print_good and OptEnum
2014-10-10 13:54:42 -03:00
08fdb4fab2
Add module to enumerate environment HP via perfd daemon
2014-10-10 13:09:36 -03:00
260aa8dc22
Fix #3984 - Fix broken check for drupal_views_user_enum
2014-10-10 10:23:20 -05:00
e689a0626d
Use Rex.sleep :-)
...
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"
user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
472985a8a8
Adding Buffalo Linkstation NAS Login Scanner
...
I have added a login scanner for the Buffalo Linkstation
NAS. I have been testing against version 1.68 of the
firmware. Also included are some specs for this module.
2014-10-10 03:16:48 +00:00
aefd15c185
Land #3376 , ARRIS SNMP enumerator from @inokii
2014-10-09 15:28:06 -05:00
520e1bccca
Land #3692 , @TomSellers's support for Metasploit Credential on enum_snmp
2014-10-09 15:18:44 -05:00
7d8eadada6
Fix #3974 - Validate and normalize URI for axis_login
2014-10-09 14:33:39 -05:00
c9c34beafa
Fix #3975 - Register TARGETURI, not URI
...
The module should register TARGETURI and call #target_uri for
URI validation.
2014-10-09 14:10:29 -05:00
4b7a446547
... and restore use of the complicated socket
2014-10-09 18:30:45 +01:00
c78651fccc
Use numbers for version tracking
2014-10-09 18:29:27 +01:00
8163b7de96
Thanks for helping me clean up Todd!
2014-10-09 18:20:31 +01:00
d366cdcd6e
Fix #3976 - validate and normalize user-supplied URI for http_login.rb
...
URI should be validated and normalized before being used in an HTTP
request.
2014-10-09 12:14:33 -05:00
9d1e206e43
Incorporate cred changes and other minor fixes
2014-10-09 17:59:38 +01:00
a535d236f6
Land #3947 , login scanner for jenkins by @nstarke
2014-10-09 12:59:02 -04:00
6ea530988e
Apply rubocop changes and remove multiline print
2014-10-09 12:57:39 -04:00
2428688565
CVE-2014-7228 Joomla/Akeeba Kickstart RCE
...
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
3305b1e9c3
Land #3984 , @nullbind's MSSQL privilege escalation module
2014-10-09 11:39:15 -05:00
10b160bedd
Do final cleanup
2014-10-09 11:38:45 -05:00
bbe435f5c9
Don't rescue everything
2014-10-09 11:25:13 -05:00
0cd7454a64
Use default value for doprint
2014-10-09 11:04:42 -05:00
db6f6d4559
Reduce code complexity
2014-10-09 10:59:14 -05:00
615b8e5f4a
Make easy method comments
2014-10-09 10:48:00 -05:00
dd03e5fd7d
Make just one connection
2014-10-09 10:46:51 -05:00
ccf677aad6
land #3978 , Fixes #3973 , Wrong datastore option URI in glassfish_login
2014-10-09 09:53:01 -05:00
df0d4f9fb2
Fix #3973 - Unneeded datastore option URI
...
When Glassfish is installed, the web root is always /, so there is
no point to make this arbitrary.
2014-10-09 00:06:15 -05:00
1584c4781c
Add reference
2014-10-09 06:58:15 +02:00
168f1e559c
fixed status
2014-10-08 21:19:50 -05:00
3ebcaa16a1
removed scanner
2014-10-08 21:18:56 -05:00
328be3cf34
Fine Tuning Jenkins Login Module
...
At the request of the maintainers, I have deregistered the
RHOST option and made the failure proof a verbose only
print.
2014-10-08 17:53:21 -05:00
4f96d88a2f
Land #3949 , @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload
2014-10-08 16:35:49 -05:00
66a8e7481b
Fix description
2014-10-08 16:35:14 -05:00
8ba8402be3
Update timeout
2014-10-08 16:32:05 -05:00
bbf180997a
Do minor cleanup
2014-10-08 16:29:11 -05:00
4817e1e953
Update trackit_sql_domain_creds.rb
2014-10-08 21:41:04 +01:00
f86c0c2bb5
Land #3970 , rm jtr_unshadow
2014-10-08 14:55:15 -05:00
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
411f6c8b2d
Land #3793 , @mfadzilr's exploit for CVE-2014-6287, HFS remote code execution
2014-10-08 12:16:09 -05:00
98b69e095c
Use %TEMP% and update ranking
2014-10-08 12:12:00 -05:00
d90fe4f724
Improve check method
2014-10-08 12:03:16 -05:00
25344aeb6a
Change filename
2014-10-08 11:55:33 -05:00
909f88680b
Make exploit aggressive
2014-10-08 11:08:01 -05:00
d02f0dc4b9
Make minor cleanup
2014-10-08 10:36:56 -05:00
d913bf1c35
Fix metadata
2014-10-08 10:29:59 -05:00
a901916b0b
Remove nonfunctional jtr_unshadow
...
This module hasn't been doing anything but print_error a go away message
since June, so may as well get rid of it.
2014-10-08 10:23:29 -05:00
e0016d4af3
Remove hash rocket from refs array #3766
...
[SeeRM #8776 ]
2014-10-08 09:16:38 +00:00
3c7be9c4c5
Remove hash rockets from references #3766
...
[SeeRM #8776 ]
2014-10-08 09:01:19 +00:00
6af6b502c3
Remove spaces at EOL
2014-10-08 08:30:30 +01:00
0a9795216a
Add OSVDB id and full disclosure URL
2014-10-08 08:25:41 +01:00
713ff5134a
Add OSVDB id
2014-10-08 08:24:44 +01:00
bd812c593c
Add full disclosure URL
2014-10-08 08:24:04 +01:00
bbac61397d
Restore :address to rhost and explain why
2014-10-08 08:23:43 +01:00
c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution
2014-10-08 00:30:07 -05:00
9cb0ad1ac2
Change the reporting address to the real value
2014-10-08 01:18:17 +01:00
6e9bebdaf9
Fix noob mistake in assignment
2014-10-08 01:04:15 +01:00
7dbfa19e65
Add exploit for Track-It! domain/sql creds vuln
2014-10-07 23:54:43 +01:00
d328b2c29d
Add exploit for Track-It! file upload vuln
2014-10-07 23:50:10 +01:00
299d9afa6f
Add module for centreon vulnerabilities
2014-10-07 14:40:51 -05:00
3daa1ed4c5
Avoid changing modules indentation in this pull request
2014-10-07 10:41:25 -05:00
341d8b01cc
Favor echo encoder for back compatibility
2014-10-07 10:24:32 -05:00
3628f73235
Fix ARCH_CMD perl encoding
2014-10-07 10:21:30 -05:00
e63b389713
Add @jlee-r7's changes to perl encoding
2014-10-07 00:16:16 -05:00
031fb19153
requested updates
2014-10-06 23:52:30 -05:00
399a61d52e
Land #3946 , ntp_readvar updates
2014-10-06 21:57:57 -05:00
e1b0ba5d3d
Removing 'require pry'
...
I accidentally left a reference to pry in my code.
Removing
2014-10-06 21:40:39 -05:00
b8c2643d56
Converting Module to LoginScanner w/ Specs
...
The previous commits for this Jenkins CI module relied on an
obsolete pattern. Consequently, it was necessary to write
this module as a LoginScanner and incorporate the appropriate
specs so that the tests will run properly.
2014-10-06 21:14:10 -05:00
0089810026
Merge to update
2014-10-06 19:09:31 -05:00
6f174a9996
Fix obvious introduced bug
2014-10-06 18:56:25 -05:00
6b52ce9101
Delete 'old' generic_sh unix cmd encoder, favor splitting
2014-10-06 18:45:10 -05:00
212762e1d6
Delete RequiredCmd for unix cmd encoders, favor EncoderType
2014-10-06 18:42:21 -05:00
d3354d01f0
Fix #3808 - NoMethodError undefined method `map'
...
NoMethodError undefined method `map' due to an incorrect use of
load_password_vars
2014-10-06 15:42:51 -05:00
8c8ccc1d54
Update Authors
2014-10-06 11:30:39 -07:00
03888bc97b
Change the check function
...
Use regex based detection
2014-10-06 18:56:01 +02:00
29111c516c
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
...
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
69400cf280
Fixing Author Declaration
...
I had accidentally listed myself three times as the author.
Fixing that issue so that I am only declaring myself once.
2014-10-05 23:17:28 -05:00
c0a3691817
Adding Jenkins-CI Login Scanner
...
Per Github issue #3871 (RM8774), I have added a
login scanner module for Jenkins-CI installations.
2014-10-05 22:08:34 -05:00
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
a341756e83
Support spoofing source IPs for NTP readvar, include status messages
2014-10-03 14:05:57 -07:00
fa4414155a
Only include the exact readvar payload, not any padding
2014-10-03 13:58:13 -07:00
65c1a8230a
Address most Rubocop complaints
2014-10-03 13:47:29 -07:00
0715c671c6
Update NTP readvar module to detect DRDoS, UDPScanner to be faster
2014-10-03 13:28:30 -07:00
f7e709dcb3
Land #3941 , new WPVDB reference
2014-10-03 10:17:02 -05:00
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
f2b9aeed74
typo
2014-10-03 11:02:56 +01:00
f60f6d9c92
add exploit for CVE-2011-1485
2014-10-03 10:54:43 +01:00
2c9446e6a8
Update f5_icontrol_exec.rb
2014-10-02 17:56:24 -05:00
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
5a8eca8946
Adds a :vuln_test option to BES, just like in BAP.
...
I needed this to run a custom JS check for the Android
webview vuln when the exploit is served straight
through BES. The check already existed when using BAP,
so I tried to preserve that syntax, and also added a
:vuln_test_error as an optional error message.
This commit also does some mild refactoring of un-
useful behavior in BES.
2014-10-01 23:34:31 -05:00
0380c5e887
Add CVE-2014-6278 support, lands #3932
2014-10-01 18:25:41 -05:00
c1b0acf460
Add CVE-2014-6278 support to the exploit module
...
Same thing.
2014-10-01 17:58:25 -05:00
5df614d39b
Land #3928 , release fixes
2014-10-01 17:21:08 -05:00
77bb2df215
Adds support for both CVEs, lands #3931
2014-10-01 17:06:59 -05:00
51bc5f52c1
Add CVE-2014-6278 support
...
Going with an OptEnum to simplify the code for now...
2014-10-01 16:40:55 -05:00
8cf718e891
Update pureftpd bash module rank and description
2014-10-01 17:19:31 -04:00
7e05ff343e
Fix smbdirect
...
Also some whitespace and a typo in output message
2014-10-01 16:02:59 -05:00
a21752bc9c
Fix NoMethodError on os, mark DCs as 'server'
2014-10-01 16:02:46 -05:00
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
cf6029b2cf
Remove the less stable echo stager from the exploit
2014-10-01 15:15:07 -04:00
632edcbf89
Add CVE-2014-6271 exploit via Pure-FTPd ext-auth
2014-10-01 14:57:40 -04:00
9bfd013e10
Land #3923 , mv misc/pxexploit to local/pxeexploit
...
Also renamed typo'd pxexploit -> pxeexploit.
2014-09-30 17:48:06 -05:00
039e544ffa
Land #3925 , rm indeces_enum
...
Deprecated.
2014-09-30 17:45:38 -05:00
be1df68563
Remove auxiliary/scanner/elasticsearch/indeces_enum.rb
...
Time is up, so good bye.
2014-09-30 17:24:21 -05:00
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
5ea968f3ee
Update description to prefer the exploit module
2014-09-30 11:34:28 -05:00
162e42080a
Update title to reflect scanner status
2014-09-30 11:04:17 -05:00
de65ab0519
Fix broken check in exploit module
...
See 71d6b37088
2014-09-29 23:03:09 -05:00
12d7073086
Use idiomatic Ruby for the marker
2014-09-29 22:32:07 -05:00
71d6b37088
Fix bad header error from pure Bash CGI script
2014-09-29 22:25:42 -05:00
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
b2d2101be2
Land #3913 - Change hardcoded table prefixes
2014-09-29 17:55:45 -05:00
8f3e03d4f2
Land #3903 - ManageEngine OpManager / Social IT Arbitrary File Upload
2014-09-29 17:53:43 -05:00
b266233e95
fix bug
2014-09-30 00:21:52 +02:00
533b807bdc
Add OSVDB id
2014-09-29 21:52:44 +01:00
878f3d12cd
Remove kind_of? per @trosen-r7
2014-09-29 15:39:10 -05:00
77efa7c19a
Change if/else to case statement
2014-09-29 15:37:58 -05:00
bfadfda581
Fix typo on match string for opera_configoverwrite
2014-09-29 15:34:35 -05:00
ffe5aafb2f
Land #3905 - Update exploits/multi/http/apache_mod_cgi_bash_env_exec
2014-09-29 15:19:35 -05:00
21b2d9eb3f
Land #3899 - WordPress custom-contact-forms Plugin SQL Upload
2014-09-29 14:40:28 -05:00
9e5826c4eb
Land #3844 - Add the JSObfu mixin to Firefox exploits
2014-09-29 11:15:14 -05:00
ababc3d8ff
Land #3869 - HP Network Node Manager I PMD Buffer Overflow
2014-09-29 11:00:12 -05:00
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
fe12ed02de
Support a user defined header in the exploit too
2014-09-27 18:58:53 -04:00
f20610a657
Added full disclosure URL
2014-09-27 21:34:57 +01:00
030aaa4723
Add exploit for CVE-2014-6034
2014-09-27 19:33:49 +01:00
64dbc396dd
Add header specification to check module, lands #3902
2014-09-27 12:58:29 -05:00
044eeb87a0
Add variable HTTP header
...
Also switch from OptEnum to OptString for flexibility.
2014-09-27 12:39:24 -05:00
161a145ec2
Create f5_icontrol_exec.rb
2014-09-27 10:40:13 -05:00
c51c19ca88
bugfix
2014-09-27 14:56:34 +02:00
9a424a81bc
fixed bug
2014-09-27 13:46:55 +02:00
1c30c35717
Added WordPress custom_contact_forms module
2014-09-27 13:42:49 +02:00
c75a0185ec
Land #3897 - Fix check for apache_mod_cgi_bash_env & apache_mod_cgi_bash_env_exec
2014-09-26 17:06:23 -05:00
80d9af9b49
Fix spacing in description
2014-09-26 17:03:28 -05:00
9e540637ba
Add module for CVE-2014-5377 ManageEngine DeviceExpert User Credentials
2014-09-26 17:02:27 -05:00
3259509a9c
Use return
2014-09-26 16:04:15 -05:00
0a3735fab4
Make it better
2014-09-26 16:01:10 -05:00
3538b84693
Try to make a better check
2014-09-26 15:55:26 -05:00
6e2d297e0c
Credit the original vuln discoverer
2014-09-26 13:45:09 -05:00
e1f00a83bc
Fix Rex because domainname and domain_name were duplicated
2014-09-26 13:40:52 -05:00
5044117a78
Refactor dhclient_bash_env to use the egypt's mixin mods
2014-09-26 13:34:44 -05:00
ebf4e5452e
Added mssql_escalate_dbowner module
2014-09-26 10:29:35 -05:00
a4bc17ef89
deregister options needed for exploitation
2014-09-26 10:15:46 -05:00
54e6763990
Add injection to HOSTNAME and URL
2014-09-26 10:13:24 -05:00
a31b4ecad9
Merge branch 'review_3893' into test_land_3893
2014-09-26 08:41:43 -05:00
86f85a356d
Add DHCP server module for CVE-2014-6271
2014-09-26 01:24:42 -05:00
38c8d92131
Land #3888 - exploit module version of CVE-2014-6271
2014-09-26 00:31:41 -05:00
b878ad2b75
Add a module to exploit bash via DHCP, lands #3891
...
This module is just a starting point for folks to test their DHCP client implementations and we plan to significantly overhaul this once we get a bit of breathing room.
2014-09-25 23:38:40 -05:00
9c11d80968
Add dhclient_bash_env.rb (Bash exploit)
...
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
2014-09-26 01:37:00 -03:00
ad864cc94b
Delete unnecessary code
2014-09-25 16:18:01 -05:00
2b02174999
Yank Android->jsobfu integration. Not really needed currently.
2014-09-25 16:00:37 -05:00
9245bedf58
Make it more generic, add X86_64 target
2014-09-25 15:54:20 -05:00
be6552dae7
Clarifying VMware priv esc via bash module name
2014-09-25 14:34:09 -05:00
d8c03d612e
Avoid failures due to bad payload selection
2014-09-25 13:49:04 -05:00
91e5dc38bd
Use datastore timeout
2014-09-25 13:36:05 -05:00
8a43d635c3
Add exploit module for CVE-2014-6271
2014-09-25 13:26:57 -05:00
e0fc30c040
Land #3884 , @wvu's check and reporting for apache_mod_cgi_bash_env
2014-09-25 09:52:17 -05:00
f66c854ad6
Fix description to be less lulzy
2014-09-25 07:09:08 -05:00
9ed28408e1
Favor check_host for a scanner
2014-09-25 07:06:12 -05:00
62b74aeaed
Reimplement old check code I was testing before
...
I would like to credit @wchen-r7 for providing advice and feedback.
@jvazquez-r7, too! :)
2014-09-25 06:38:25 -05:00
d9120cd586
Fix typo in description
...
Running on fumes here...
2014-09-25 01:22:08 -05:00
790df96396
Fix missed var
2014-09-25 01:19:14 -05:00
f13289ab65
remove debugging
2014-09-25 02:16:19 -04:00
e051cf020d
Add missed mixin
2014-09-25 01:14:58 -05:00
27b8580f8d
Add protip to description
...
This gets you lots of shells.
2014-09-25 01:10:22 -05:00
8cb4ed4cb7
re-add quotes -oops
2014-09-25 02:09:12 -04:00
b1e9b3664e
Improve false positive check
2014-09-25 01:01:11 -05:00
6fb587ef96
update to use vmware-vmx-stats
2014-09-25 01:55:04 -04:00
8daf8d4339
Report vuln for apache_mod_cgi_bash_env
...
Now with fewer false positives! It's kinda like a check method.
2014-09-25 00:42:14 -05:00
37753e656e
Land #3882 , @jvennix-r7's vmware/bash privilege escalation module
2014-09-25 00:42:12 -05:00
456d731aa3
Fix processes check
2014-09-25 00:24:39 -05:00
5a59b7cd89
Fix formatting
2014-09-24 23:12:11 -05:00
e6f0736797
Add peer
2014-09-24 22:48:51 -05:00
8b6519b5b4
Revert shortened reference
...
But it's so long. :(
2014-09-24 22:43:33 -05:00
ecb10ebe28
Add variable HTTP method and other stuff
2014-09-24 22:41:01 -05:00
f6708b4d83
Check for running vmware processes first.
2014-09-24 19:11:38 -05:00
a600a0655d
Scannerify the module
2014-09-24 18:58:39 -05:00
abadf65d8d
Clean up title and formatting
2014-09-24 18:42:43 -05:00
2562964581
Revert to my original code of using CMD
2014-09-24 18:00:13 -05:00
99da950734
Adds osx vmware/bash priv escalation.
2014-09-24 17:44:14 -05:00
6ae578f80f
Add Stephane Chazelas as an author
2014-09-24 17:14:18 -05:00
b2555408a4
Rename module
...
I don't think we're gonna make a supermodule like we had hoped.
2014-09-24 16:55:10 -05:00
31e9e97146
Replace unnecessary reference with a better one
2014-09-24 16:52:43 -05:00
fc04bf9d48
Update description
...
This is what I had when @todb-r7 beat me to the punch. >:P
2014-09-24 16:22:58 -05:00
2f788c2e0c
Fix description
2014-09-24 16:13:05 -05:00
b96a7ed1d0
Install a global object in firefox payloads, bump jsobfu.
2014-09-24 16:05:00 -05:00
ca63fe931d
Add CVE-2014-6271 PoC
2014-09-24 16:02:59 -05:00
5d234c0e01
Pass #send in this so jsobfu is not confused.
2014-09-24 15:07:14 -05:00
0247e4a521
Change RequiredCmd for reverse_bash_telnet_ssl cmd payload
2014-09-24 00:40:14 -05:00
f2cfbebbfb
Add module for ZDI-14-305
2014-09-24 00:22:16 -05:00
5f6e84580c
Clean up and use Metasploit::Credential
2014-09-24 01:00:23 +00:00
11b9a8a6ae
Land #3814 - Advantech WebAccess dvs.ocx GetColor BoF
2014-09-23 15:06:21 -05:00
b021ff4399
Add noche tags
2014-09-23 13:11:06 -05:00
5c6236e874
Fix rop chain to allow VirtualAlloc when end of stack is too close
2014-09-23 13:08:26 -05:00
31ecbfdc4e
Land #3756 - EMC AlphaStor Device Manager Opcode 0x75 Command Injection
2014-09-23 12:57:46 -05:00
259a368577
Land #3841 , @jabra-'s modifications to ssdp_amp to support spoofing
2014-09-22 12:28:46 -07:00
fc4c1907d3
Land #3839 , @jabra-'s updates to dns_amp to support spoofing
2014-09-22 12:14:39 -07:00
8f63075da4
Land #3837 , @jabra-'s update to chargen scanner to support spoofing
2014-09-22 12:02:01 -07:00
4e9f1282de
Land #3834 , @jabra-'s updates to UDPscanner to support spoofing
2014-09-22 11:49:53 -07:00
d9e6f2896f
Add the JSObfu mixin to a lot of places.
2014-09-21 23:45:59 -05:00
2a714a7c4d
Fix a typo
...
Downloading and deleting are two very different things. Thanks Dan.
2014-09-21 18:35:26 -05:00
b7a0847114
SRC IP spoofing added to the SSDP amplification module
2014-09-20 21:37:01 -04:00
bb018de3a1
chargen src IP spoofing
2014-09-20 16:08:52 -04:00
3fb00ece9e
refactored the code based on PR feedback
2014-09-20 14:10:00 -04:00
a2a2ca550e
add test result on different windows version
2014-09-20 20:06:30 +08:00
dd71c666dc
added osvdb reference and software download url, use FileDropper method
...
for cleanup
2014-09-20 15:31:28 +08:00
19ed594e98
using FileDropper method for cleanup
2014-09-20 10:52:21 +08:00
9acccfe9ba
Fix description
2014-09-19 17:18:59 -05:00
d826132f87
Delete CVE, add EDB
2014-09-19 17:16:03 -05:00
7afbec9d6c
Land #2890 , @Ahmed-Elhady-Mohamed module for OSVDB 93034
2014-09-19 17:12:49 -05:00
1fa5c8c00c
Add check method
2014-09-19 17:11:16 -05:00
ce0b00bb0b
Change module location and filename
2014-09-19 16:59:35 -05:00
0267e889e2
Use FileDropper
2014-09-19 16:58:21 -05:00
6fd5027e05
Avoid UploadPath datastore option, parse from response
2014-09-19 16:55:28 -05:00
2ce9bdf152
Use target_uri.path.to_s instead of uri
2014-09-19 16:43:40 -05:00
eb55c7108b
Fix indentantion again
2014-09-19 16:41:07 -05:00
cbfb7e600d
Use Rex::MIME::Message
2014-09-19 16:29:09 -05:00
cffb28b5d3
Fix indentantion
2014-09-19 16:18:46 -05:00
c00094ba6e
Land #3345 , @mvdevnull's auxiliary module for OSVDB 106815, Alienvault sqli
2014-09-19 15:01:21 -05:00
62414e2214
Add Timeout to exploit sqli
2014-09-19 15:00:54 -05:00
db6372ec8b
Do minor module cleanup
2014-09-19 14:43:35 -05:00
4a9294e3bf
Mark module as not executable
2014-09-19 14:36:44 -05:00
405ac34a16
Fix author name
2014-09-19 13:56:13 -05:00
79d5fb56d4
Land #3829 , @jhart-r7's UDP emtpy probe scanner
2014-09-19 13:54:35 -05:00
737f77d31a
Cleaner output when PORTS is invalid
2014-09-19 11:12:14 -07:00
3493987300
report_service when we find something this way
2014-09-19 10:45:06 -07:00
43171141da
update for ntp modules
2014-09-19 11:14:11 -04:00
677d035ce8
added proper regex for check function
...
add comment for changed code
2014-09-19 11:30:51 +08:00
a54b23642e
Relocate empty UDP scanner
2014-09-18 12:31:52 -07:00
6cad5d9aeb
Add ManageEngine DeviceExpert User Credentials
2014-09-18 19:18:59 +00:00
5dad73a28f
Explicitly require credential_collection
...
Otherwise, you run into a require ordering problem on some platforms.
This is not a great way to fix this -- but it's a fast way, and possibly
even a good way, since you're being explicit about what your module
requirements are.
2014-09-17 15:47:30 -05:00
64ac1e6b26
Rand padding
2014-09-17 08:09:09 -05:00
50fa5745bb
Rm print_debug line
...
I forgot to remove this line while testing the module
2014-09-16 16:46:40 -05:00
e593a4c898
Add comment about gadgets origin
2014-09-16 16:38:03 -05:00
07c14f5ee8
Land #3388 - Post mod to check Win32_QuickFixEngineering
2014-09-16 16:18:04 -05:00
36a3abe036
Add a reference
2014-09-16 16:17:22 -05:00
80f02c2a05
Make module ready to go
2014-09-16 15:18:11 -05:00
169d04020d
Land #3571 - Add Wordpress XML-RPC Login Scanner (with LoginScanner)
2014-09-16 14:51:24 -05:00
4ed1fa55f5
Don't need this header
2014-09-16 14:50:32 -05:00
35b8c2be4b
Land #3800 , release fixes
2014-09-16 14:05:23 -05:00
59dfa624c4
Add a REMOTE_JS datastore option for BeEf hooks etc.
2014-09-16 13:31:03 -05:00
3e09283ce5
Land #3777 - Fix struts_code_exec_classloader on windows
2014-09-16 13:09:58 -05:00
158d4972d9
More references and pass msftidy
2014-09-16 12:54:27 -05:00
bd17c96a6e
Dropped a hyphen in the title
2014-09-16 12:47:44 -05:00
7a7b6cb443
Some refactoring
...
Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
2014-09-16 17:49:45 +02:00
978803e9d8
add proper regex
2014-09-16 21:49:02 +08:00
4c615ecf94
Module for CVE-2014-5519, phpwiki/ploticus RCE
2014-09-16 00:09:41 +02:00
7d4c4c3658
Land #3699 , @dmaloney-r7's ipboard login refactor
2014-09-15 08:29:42 -05:00
783b03efb6
change line 84 as mubix advice, update disclosure date according to
...
bugtraq security list.
2014-09-15 17:21:05 +08:00
9860ed340e
run msftidy, make correction for CVE format and space at EOL (line 77)
2014-09-15 13:13:25 +08:00
f1d3c44f4f
exploit module for HTTP File Server version 2.3b, exploiting HFS scripting commands 'save' and 'exec'.
2014-09-15 12:59:27 +08:00
74ef83812a
update module vulnerability information
2014-09-15 01:43:18 +08:00
8b4b66fcaa
initial test
2014-09-14 12:26:02 +08:00
b8a1010ba4
Switch to Array#union and rename preserved_registers
2014-09-13 22:48:14 -05:00
3a6066792d
Work in rop chain...
2014-09-13 17:38:19 -05:00
83bf220a10
Land #3730 , @TomSellers's post module for Remote Desktop Connection Manager
2014-09-12 15:38:33 -05:00
5da6a450f1
fix find condition
2014-09-12 15:21:50 -05:00
1749fc73c2
Change module filename
2014-09-12 15:05:33 -05:00
95b6529579
Fix run method
2014-09-12 14:27:25 -05:00
373861abb0
Land #3526 , @jhart-r7's soap_xml scanner cleanup
2014-09-12 13:29:52 -05:00
12f949781a
Use double quote for xml strings
2014-09-12 13:18:48 -05:00
67c0ee654b
Use Gem::Version
2014-09-12 10:35:12 -05:00
0d054d8354
Update with master changes
2014-09-12 09:52:32 -05:00
e2ef927177
Add first version for ZDI-14-255
2014-09-12 08:57:54 -05:00
60b29cbd5e
Fix word splitting problem
2014-09-12 06:50:53 -05:00
8a6a205e39
Land #3724 , NetworkManager creds module
2014-09-12 05:48:35 -05:00
131401f024
Remove unused method
2014-09-12 05:48:11 -05:00
706655f755
Land #3779 , Glassfish LoginScanner exception
...
MSP-11343
2014-09-11 15:57:47 -05:00
d2f2b142b4
Land #3760 , Arris WEP/WPA leak from @dheiland-r7
2014-09-11 15:39:19 -05:00
4fc1ec09c7
Land #3759 , Android UXSS, with ref/desc fixes
...
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)
Also fixes #3782 (opened by accident).
2014-09-11 14:27:51 -05:00
fbba4b32e0
Update the title and desc to be more descriptive
...
See #3759
2014-09-11 14:06:14 -05:00
d627ab7628
Add refs for Android UXSS
...
See #3759
2014-09-11 14:05:50 -05:00
8aa06b8605
Better api for check_setup
2014-09-10 23:43:54 -05:00
71228b48a0
Update 3 more encoders to be StageEncoder compatible
...
This could probably use some DRY love via a mixin
2014-09-10 20:21:35 -05:00
c1658e5d51
Add a check_setup method
2014-09-10 20:09:46 -05:00
84e4db9035
Don't raise in the middle
...
MSP-11343
This means we don't bomb out with an unhandled exception, instead
continuing attempting logins against the host even though it will never
succeed. Next up: verify state before running scan!()
2014-09-10 20:09:33 -05:00
815e007f48
Fix two cosmetic typos
2014-09-10 19:07:40 -05:00
872ba6a53b
Update arris_dg950 module with required changes
...
Collapsed several levels of the if/else statement and changed out 2 with
case. Changed print_good to print_line. Removed rescue ::Interrupt and
altered variable names to make them more readable
2014-09-10 19:07:53 -04:00
373eb3dda0
Make struts_code_exec_classloader to work on windows
2014-09-10 18:00:16 -05:00
e317bfe0d5
Add preliminary module for discovering services with empty UDP probes
2014-09-10 10:58:22 -07:00
280e16c241
Land #3677 - Updated shodan_search for new API
2014-09-10 11:39:00 -05:00
006393360e
Add conditions to check healthy shodan results
2014-09-10 11:38:06 -05:00
257f0fc93e
Quick fix for ssh_login_pubkey
...
Fixes #3772 , closes #3774
2014-09-10 09:57:17 -05:00
495e1c14a1
Land #3721 , @brandonprry's module for Railo CVE-2014-5468
2014-09-09 19:10:46 -07:00
26d8432a22
Minor style and usability changes to @brandonprry's #3721
2014-09-09 19:09:45 -07:00
db6052ec6a
Update check method
2014-09-09 18:51:42 -05:00
0a6ce1f305
Land #3727 - SolarWinds Storage Manager exploit AND Msf::Payload::JSP
2014-09-09 17:21:03 -05:00
2ae23bbe99
Remove STAGERNAME option
...
This option wasn't really required, the stager can be removed as
soon as the WAR is deployed. This commit does the modifications needed
to remove the stager right after the WAR deployment.
2014-09-09 21:44:08 +02:00
6c0dae953d
Stage encoding is now SaveRegister aware
2014-09-09 14:21:51 -05:00
027f543bdb
Land #3732 - Eventlog Analzyer exploit
2014-09-09 11:33:20 -05:00
75269fd0fa
Make sure we're not doing a 'negative' timeout
2014-09-09 11:26:49 -05:00
7793ed4fea
Add some common UXSS scripts.
2014-09-09 02:31:27 -05:00
b8000517cf
Land #3746 , reinstate DB_ALL_CREDS
2014-09-08 17:24:12 -05:00
2ac15f2088
some fixes based on Christruncer's feedback
...
fixed some stuff i borked, back to you chris
2014-09-08 15:27:01 -05:00
cd3cdc5384
Merge branch 'master' into feature/ipboard-login-refactor
2014-09-08 14:48:37 -05:00
4abee39ab2
Fixup for release
...
Ack, a missing disclosure date on the GDB exploit. I'm deferring to the
PR itself for this as the disclosure and URL reference.
2014-09-08 14:00:34 -05:00
09e6c2f51f
Merge branch 'master' into feature/MSP-11162/db-all-creds
2014-09-08 12:52:25 -05:00
ae5a8f449c
Land #3691 , gdbserver hax
2014-09-08 11:48:39 -05:00
9a6ee5090a
Add Arris DG950A SNMP data extraction module
...
This module will extract critical data such as WPA and WEP keys from
the Arris DG950a model cable modem via the SNMP protocal.
2014-09-08 11:04:31 -04:00
0ccb39c057
Land #3726 - Fix typos in wordpress login
2014-09-08 09:40:57 -05:00
1b5e40ff78
New Creds model added
2014-09-08 11:42:05 +03:00
27889ea411
Add a safety fallback on js load.
2014-09-08 00:46:47 -05:00
8407d45c9c
Rework the timers.
2014-09-08 00:40:00 -05:00
5c9c8edfcf
Fix refs.
2014-09-07 23:33:45 -05:00
5efaf7d4cf
rename module, handle asyncness.
2014-09-07 23:25:08 -05:00
10bb77af9f
Land #3716 , @wchen-r7's Glassfish LoginScanner update
2014-09-07 21:54:34 -05:00
1bf89fb6bd
Add Android <= 4.3 AOSP UXSS module.
2014-09-07 20:44:03 -05:00
c86d01a667
Fix win.ini signature
2014-09-07 01:46:38 -05:00
44b9dc9b28
Update tmlisten_traversal
2014-09-06 01:18:11 -05:00
df278dd2dc
Conver to exploit
2014-09-05 14:47:33 -05:00
d4a8b7e00d
Move to exploits
2014-09-05 10:38:28 -05:00
892f72e4ce
Move module path
2014-09-05 10:30:27 -05:00
d041ee6629
Delete exploit modules from this branch
2014-09-05 10:29:24 -05:00
abffdd8705
Update alienvault_newpolicyform_sqli.rb
...
cleaned up according to msftidy.rb suggestions
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:17 - [WARNING] Spaces at EOL
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:18 - [WARNING] Tabbed indent: "\tlack of input filtering to read an arbitrary file from the file system.\n"
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:29 - [WARNING] Space-Tab mixed indent: "\t [ 'OSVDB', '106815' ],\n"
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:29 - [WARNING] Tabbed indent: "\t [ 'OSVDB', '106815' ],\n"
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:30 - [WARNING] Space-Tab mixed indent: "\t [ 'EDB', '33317'],\n"
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:30 - [WARNING] Tabbed indent: "\t [ 'EDB', '33317'],\n"
modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb:110 - [WARNING] Spaces at EOL
2014-09-04 21:46:37 -04:00
664cc131e3
Update alienvault_newpolicyform_sqli.rb
...
added 'ctx' variable relating to jvazquez-r7 note added on Jun 9
2014-09-04 21:34:24 -04:00
08ce278cca
Got these wrong
2014-09-04 17:05:51 -05:00
cb490fc00e
[SeeRM #8836 ] Change boot.ini to win.ini
2014-09-04 17:03:21 -05:00
d83131f1d9
Land #3750 , @wvu favoring unless
2014-09-04 16:17:07 -05:00
ff210a7c0a
delete parenthesis
2014-09-04 16:16:29 -05:00
85b48fd437
Land #3736 - Revert initial ff xpi prompt bypass for Firefox 22-27
2014-09-04 16:08:15 -05:00
f063dcf0f4
Land #3741 , @pedrib's module for CVE-2014-5005 Desktop Central file upload
2014-09-04 15:44:21 -05:00
f466b112df
Minor cleaning on check
2014-09-04 15:43:59 -05:00
74b8e8eb40
Change module filename
2014-09-04 15:39:34 -05:00
c32b977a27
Land #3747 , @wvu changes to printer_ready_message
2014-09-04 15:26:52 -05:00
2d8c7a7a4d
Refactor if statement to early return
...
This eliminates the protracted if statement and aligns the code body.
2014-09-04 15:05:30 -05:00
614c7c178d
Land #3749 , jtr_oracle_fast missing require fix
2014-09-04 15:03:37 -05:00
c1bca5c138
Land #3742 , @pedrib's changes to desktopcentral_file_upload check method
2014-09-04 14:47:36 -05:00
7563c0bd0e
Use Gem::Version
2014-09-04 14:40:13 -05:00
34455b5dc6
Fix missing require for jtr_oracle_fast
2014-09-04 14:38:07 -05:00
50ac8366fd
Refactor CHANGE/RESET to actions
...
Missed in c1fdc4d945
2014-09-04 14:36:04 -05:00
2615a7a3be
Favor \&\& and || operands
2014-09-04 14:35:37 -05:00
0dcf481d76
This one is good to go
2014-09-04 14:13:33 -05:00
84f9ec0aad
Refactor implicit options hash
...
Missed in c1fdc4d945
2014-09-04 13:30:06 -05:00
00ec47fb83
call new prepend cred methods
...
add method calls o all the lgoinscanner modules
so that they call the prepend_db_* methods as approrpiate
these methods automatically check to see if DB_ALL_CREDS was
selected
2014-09-04 12:32:35 -05:00
c5755824a6
pass in vhost and useragent
...
have http loginscanner modules pass in VHOST
and Useragent to the LoginScanner classes
2014-09-04 11:02:19 -05:00
dd4fd7bb39
The reporting part
2014-09-03 16:32:23 -05:00
e1694ec3e5
LoginScanner update for hp_sys_mgmt_login
...
Work in progress
2014-09-03 16:23:57 -05:00
0e18d69aab
Add extended mode to prevent service from dying.
2014-09-03 16:07:27 -05:00
4293500a5e
Implement running exe in multi.
2014-09-03 15:56:21 -05:00
f0e3fa18a3
Restore the original filename
2014-09-03 21:32:05 +01:00
268d42cf07
Add PrependFork to payload options.
2014-09-03 14:56:22 -05:00
185ce36859
Land #3701 , @wchen-ru's AppleTV modules
2014-09-03 12:30:50 -05:00
10dee28fbd
Add http socket to the module sockets and allow the framework to cleanup
2014-09-03 12:01:48 -05:00
5acbcc80e2
no threading
2014-09-03 11:37:30 -05:00
ded085f5cc
Add CVE ID
2014-09-03 07:22:10 +01:00
ee3e5c9159
Add check method
2014-09-02 21:35:47 -05:00
Jon Hart
sinn3r
Roberto Soares Espreto
0a2940
nstarke
Tod Beardsley
jvazquez-r7
Pedro Ribeiro
Spencer McIntyre
us3r777
Christian Mehlmauer
nullbind
William Vu
Jay Smith
Brendan Coles
James Lee
Brandon Perry
Joe Vennix
HD Moore
Meatballs
Ramon de C Valle
Samuel Huckins
Rob Fuller
Josh Abraham
mfadzilr
Luke Imhoff
Deral Heiland
David Maloney
cx
Chris Hebert