Commit Graph

2117 Commits (2b1333048336a9d6a104816a4362779d60fc5c20)

Author SHA1 Message Date
sinn3r c79060915a Add Chap0's netop exploit 2012-04-03 11:51:58 -05:00
chap0 48d6157d6e New NetOp Guest msf module http://www.netop.com/ 2012-04-02 16:53:51 -07:00
James Lee 0547369966 Add bap support for flash mp4 and new java bug
Also fixes a silly issue where adobe_flash_mp4_cprt was adding the
/test.mp4 resource after every request instead of just once at startup.
2012-03-30 12:59:07 -06:00
Kurtis Miller 72cfbaa4d1 forgot to add renamed module 2012-03-28 14:29:31 -06:00
Kurtis Miller df116185d4 modifications recommended by sinn3r 2012-03-28 14:29:31 -06:00
Kurtis Miller 0aaa2b78bd cve-2008-0610 windows exploit module 2012-03-28 14:29:31 -06:00
Tod Beardsley e1783acd6f Adding newline to end of ricoh_dl_bof.rb 2012-03-23 16:31:11 -05:00
wchen-r7 71462bc73d Merging in freepbx_callmenum.rb and ricoh_dl_bof.rb
[Closes #266]
2012-03-23 16:23:36 -05:00
sinn3r fbfd308d79 This actually shouldn't go it now because it's still being code reviewed 2012-03-23 15:32:24 -05:00
Tod Beardsley 47493af103 Merge pull request #259 from todb-r7/edb-2
Convert Exploit-DB references to first-tier "EDB-12345" references
2012-03-23 12:09:07 -07:00
sinn3r fef1e31e2a Merge branch 'olliwolli-3cdaemonsp3' 2012-03-23 08:52:19 -05:00
sinn3r 20f0a58c6a Minor fixes 2012-03-23 08:23:30 -05:00
Oliver-Tobias Ripka 30a3d8bb96 Add Windows SP3 to targets. 2012-03-23 13:52:18 +01:00
sinn3r 6625d97599 Add Ricoh DC DL-10 FTP Buffer Overflow 2012-03-22 15:30:00 -05:00
sinn3r 0a24c354db Update ms10-002 with dyphens 2012-03-21 19:19:20 -05:00
Tod Beardsley 7d12a3ad3a Manual fixup on remaining exploit-db references 2012-03-21 16:43:21 -05:00
Tod Beardsley 2f3bbdc00c Sed replacement of exploit-db links with EDB refs
This is the result of:

find modules/ -name \*.rb -exec sed -i -e 's#\x27URL\x27,
\x27http://www.exploit-db.com/exploits/\([0-9]\+\).*\x27#\x27EDB\x27,
\1#' modules/*.rb {} \
2012-03-21 16:43:21 -05:00
sinn3r 2c16eb29b6 Add CVE-2010-0248 Internet Explorer Object Handling Use After Free exploit 2012-03-21 16:11:26 -05:00
Tod Beardsley da963fc8b2 Adding OSVDB for dell_webcam_crazytalk.rb 2012-03-20 07:52:50 -05:00
Tod Beardsley e325469f6e Grammar fix for dell_webcam_crazytalk module 2012-03-20 07:43:02 -05:00
sinn3r f4dac59894 Add Dell Webcam CrazyTalk component BackImage overflow exploit 2012-03-20 03:46:37 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
Tod Beardsley e3f2610985 Msftidy run through on the easy stuff.
Still have some hits, but that requires a little more code contortion to
fix.
2012-03-15 17:06:20 -05:00
Tod Beardsley 9144c33345 MSFTidy check for capitalization in modules
And also fixes up a dozen or so failing modules.
2012-03-15 16:38:12 -05:00
sinn3r ecb1fda682 Add OSVDB-79651: NetDecision 4.5 HTTP Server Buffer Overflow 2012-03-14 05:13:22 -05:00
Jonathan Cran 1cf25e58d5 merge description change 2012-03-12 17:22:01 -05:00
sinn3r 7d95132eab Use a cleaner way to calculate JRE ROP's NEG value 2012-03-11 17:27:47 -05:00
sinn3r 6c19466de8 Change output style 2012-03-11 13:59:18 -05:00
sinn3r 25a1552fbd Dynamic VirtualProtect dwSize. Change output style. 2012-03-11 13:49:46 -05:00
sinn3r b0e7c048c9 This module fits the GoodRanking description 2012-03-10 00:50:41 -06:00
sinn3r 1d5bad469c Add Windows 7 SP1 target 2012-03-10 00:11:25 -06:00
sinn3r 1ae779157d Disable Nops so we don't get an ugly crash after getting a shell 2012-03-08 18:56:58 -06:00
Tod Beardsley 1e4d4a5ba0 Removing EncoderType from flash module
Also not very useful
2012-03-08 16:57:41 -06:00
Tod Beardsley 302a42a495 Fixing up print statements
Dropping the ROP prints since they're not all that useful.
2012-03-08 16:56:44 -06:00
Tod Beardsley 1396fc19bd Fixup bad merge on flash mp4 2012-03-08 16:52:53 -06:00
sinn3r cb04e47304 Attempt #2: there's no cli in get_payload 2012-03-08 16:47:49 -06:00
sinn3r 3563fe1b36 The encoder "issue" was just a misconfig on my side. Also there's no cli in get_payload. 2012-03-08 16:41:32 -06:00
sinn3r fee2e1eff9 Minor spray size change 2012-03-08 16:19:51 -06:00
HD Moore 12395c719f Remove debugging code 2012-03-08 16:16:42 -06:00
HD Moore 87274987c1 Remove the now obsolete text about SWF_PLAYER 2012-03-08 16:16:13 -06:00
sinn3r 181fdb7365 A small title change 2012-03-08 16:10:16 -06:00
HD Moore 1271368b6f Redirect to a trailing slash to make sure relative resources load
properly
2012-03-08 15:37:06 -06:00
HD Moore b0db18674c Test out new player code 2012-03-08 15:05:12 -06:00
HD Moore eb847a3dfb Add a nicer prefix to the target selection message 2012-03-08 13:46:14 -06:00
Tod Beardsley 5b566b43b4 Catching an update from @hdmoore-r7
wrt the nuclear option.
2012-03-08 12:08:39 -06:00
sinn3r edb3f19c12 A little more padding for Win Vista target 2012-03-08 12:04:04 -06:00
Tod Beardsley 18962e1180 Checking in the new Flash exploit to the release
Using the checkout master directly:

 git checkout master external/source/exploits/CVE-2012-0754/Exploit.as
 git checkout master
modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
2012-03-08 11:55:01 -06:00
HD Moore 86fc45810b Remove the resource during cleanup 2012-03-07 23:04:53 -06:00
HD Moore b4e0daf3ca Small tweaks to the adobe mp4 exploit 2012-03-07 22:53:47 -06:00
sinn3r 9ece7b08fc Add vendor's advisory as a reference 2012-03-08 00:46:34 -06:00
sinn3r 5f92bff697 Make sure no encoder will break the exploit again 2012-03-08 00:44:57 -06:00
sinn3r 2e94b97c82 Fix description 2012-03-07 23:59:51 -06:00
Tod Beardsley 57376a976d Fixes descriptions on new modules.
Fixing up grammar and removing some editorial verbiage.
2012-03-07 09:18:47 -06:00
sinn3r 0550b77522 Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-03-07 20:04:04 -06:00
sinn3r 3b4ed13aee Fix typo 2012-03-07 20:03:46 -06:00
Tod Beardsley 33460b6bf4 Fixups on the Adobe Flash exploit description
Massaged the lines about the phishing campagin use in the wild.
2012-03-07 19:37:49 -06:00
sinn3r c76f43c066 Add CVE-2012-0754: Adobe Flash Player MP4 cprt overflow 2012-03-07 19:24:00 -06:00
Tod Beardsley f97dc8dee7 Fix spelling of the IBM product iSeries
Was I-Series.
2012-03-07 15:24:15 -06:00
sinn3r 7dfba9c00d Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-03-07 14:51:39 -06:00
sinn3r 0ee7788028 Add a check to detect the vulnerable version of Sysax SSH 2012-03-07 14:51:21 -06:00
Tod Beardsley ba2bf194fd Fixes descriptions on new modules.
Fixing up grammar and removing some editorial verbiage.
2012-03-07 09:17:22 -06:00
James Lee 2b9acb61ad Clean up some incosistent verbosity
Modules should use `vprint_*` instead of `print... if
datastore["VERBOSE"]` or similar constructs
2012-03-06 12:01:20 -07:00
HD Moore 99177e9d5e Small commit to fix bad reference and old comment 2012-03-06 01:44:26 -06:00
James Lee 70162fde73 A few more author typos 2012-03-05 13:28:46 -07:00
sinn3r 4b1e67f94f Add ROP target for Win2k3 SP1 and SP2 2012-03-04 17:18:34 -06:00
Steve Tornio 8f93a5abbb add osvdb ref 2012-03-03 12:28:30 -06:00
sinn3r fa916d863d Add Sysax SSH buffer overflow exploit 2012-03-03 10:11:51 -06:00
sinn3r 67f788768d Fix tabs 2012-03-01 22:31:08 -06:00
sinn3r fd2d9ae0ea Add MP4 file generating function. Update the description regarding exploit usage. 2012-03-01 22:24:35 -06:00
sinn3r b1b2ec2c7d Merge branch 'CVE-2008-5036_vlc_realtext' of https://github.com/juanvazquez/metasploit-framework into juanvazquez-CVE-2008-5036_vlc_realtext 2012-03-01 21:13:33 -06:00
sinn3r 8bad0033d3 Update description 2012-03-01 19:16:29 -06:00
sinn3r 0bc26c1665 Add CVE-2009-4656: DJ Studio .pls buffer overflow 2012-03-01 19:09:25 -06:00
juan f1a6d8f535 Added exploit module for CVE-2008-5036 2012-03-01 23:06:40 +01:00
sinn3r 5a5e5eab95 Add msvcrt ROP target for IE8 2012-03-01 15:23:41 -06:00
Steve Tornio 2d802750e3 fix osvdb ref 2012-03-01 08:07:11 -06:00
Steve Tornio 256fee3626 add osvdb ref 2012-03-01 08:06:53 -06:00
Tod Beardsley 4369f73c7a Msftidy fixes on new modules
Dropped a cryptic year reference from jducks' java module, found a
spurious space in thelightcosine's telnet module.
2012-02-29 10:42:43 -06:00
sinn3r 74cdb5dabc It's a two-space tab, not one space. OMG. 2012-02-29 10:13:29 -06:00
sinn3r 986807e525 Add CVE-2012-0201 IBM Personal Communications .ws buffer overflow 2012-02-28 19:01:54 -06:00
sinn3r 5560087006 Add OSVDB 79438 Asus Net4Switch ActiveX Buffer Overflow 2012-02-28 18:58:28 -06:00
sinn3r 339fb8d266 eh, I mean Win2k3 SP0 to SP1 2012-02-23 17:33:49 -06:00
Joshua J. Drake e262d7a7ff Add CVE-2012-0500 Sun Java Web Start exploit 2012-02-23 13:30:45 -06:00
Steve Tornio 08fb03276f add osvdb ref 2012-02-23 07:39:31 -06:00
sinn3r 144fa0dc0e Comment what \x0b\x04 is for 2012-02-22 22:59:43 -06:00
sinn3r 291e083d65 Add CVE-2011-5001: TrendMicro Control Manager 5.5 CmdProcessor Stack Bof 2012-02-22 19:44:47 -06:00
juan d6310829ea Added module for CVE-2008-1602 2012-02-21 22:36:57 +01:00
Tod Beardsley 4a631e463c Module title normalization
Module titles should read like titles. For
capitalization rules in English, see:
http://owl.english.purdue.edu/owl/resource/592/01/

The only exceptions are function names (like 'thisFunc()') and specific
filenames (like thisfile.ocx).
2012-02-21 11:07:44 -06:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
HD Moore ab92e38628 Small cosmetic change to module descriptions 2012-02-20 19:29:51 -06:00
HD Moore af56807668 Cleanup the titles of many exploit modules 2012-02-20 19:25:55 -06:00
sinn3r dc4bade78c Use OptEnum to validate delivery method 2012-02-17 21:03:05 -06:00
Joshua J. Drake d2444e1cf6 fix a few typos 2012-02-16 03:10:22 -06:00
juan e69037959f Added CVE-2010-0842 2012-02-15 23:32:31 +01:00
Tod Beardsley 829040d527 A bunch of msftidy fixes, no functional changes. 2012-02-10 19:44:03 -06:00
Steve Tornio daca3e93a5 add osvdb ref 2012-02-10 07:05:42 -06:00
Steve Tornio 782fcb040d add osvdb ref 2012-02-10 07:05:26 -06:00
Steve Tornio 1a240648fa Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-02-10 06:51:02 -06:00
sinn3r 5ea20a332b Clearly I had the wrong disclosure date. This one is based on Adobe's security bulletin. 2012-02-10 00:13:39 -06:00
sinn3r e5ea2961f5 Add CVE-2011-2140 Adobe Flash SequenceParameterSetNALUnit (mp4) bof 2012-02-10 00:10:28 -06:00
sinn3r 2bd330da33 Add ZDI-12-009 Citrix Provisioning Services 5.6 streamprocess buffer overflow exploit 2012-02-10 00:06:48 -06:00
Steve Tornio d90fe9b9b7 add osvdb ref 2012-02-02 13:43:03 -06:00
sinn3r aa44eb955e Correct author e-mail format 2012-02-02 11:27:43 -06:00
sinn3r 6b29af5c23 Add user-agent check. Auto-migrate. 2012-02-02 03:11:10 -06:00
sinn3r 6be65acfe2 Merge branch 'CVE-2008-2551_c6_DownloaderActiveX' of https://github.com/juanvazquez/metasploit-framework into juanvazquez-CVE-2008-2551_c6_DownloaderActiveX 2012-02-02 02:54:02 -06:00
sinn3r de675c349a Upgrade exploit rank, because it fits the description 2012-02-02 02:49:06 -06:00
sinn3r 28b4f4b60d Add Sunway ForceControl NetDBServer.exe Buffer Overflow (Feature #6331) 2012-02-02 02:43:32 -06:00
juan 82eacbe2fd Added module for CVE-2008-2551 2012-02-01 23:26:28 +01:00
Tod Beardsley e371f0f64c MSFTidy commits
Whitespace fixes, grammar fixes, and breaking up a multiline SOAP
request.

Squashed commit of the following:

commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:58:53 2012 -0600

    Break up the multiline SOAP thing

commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:48:16 2012 -0600

    More whitespace and indent

commit 12c42aa1efdbf633773096418172e60277162e22
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:39:36 2012 -0600

    Whitespace fixes

commit 32d57444132fef3306ba2bc42743bfa063e498df
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:35:37 2012 -0600

    Grammar fixes for new modules.
2012-02-01 10:59:58 -06:00
Jonathan Cran 47c7f47f4e Merge branch 'master' of r7.github.com:rapid7/metasploit-framework 2012-01-31 20:38:30 -06:00
Jonathan Cran d9ee43d3dc add disclosure date 2012-01-31 20:38:05 -06:00
Jonathan Cran a814a9dce7 add disclosure date 2012-01-31 20:35:58 -06:00
Oliver-Tobias Ripka 0ba7557865 Fix typo in seattlelab_pass.rb exploit.
Also remove the $ from the end of the regex which stopped
the exploit from being executed.
2012-01-31 21:09:51 +01:00
sinn3r 1dec4c0c45 These modules should use vprint_xxx() instead of print_xxx() ... if datastore['VERBOSE'] 2012-01-30 13:08:35 -06:00
sinn3r fbac9a7239 Forgot to remove this comment 2012-01-28 13:18:15 -06:00
sinn3r 7b866eee86 Use the proper function for verbose prints 2012-01-27 12:50:01 -06:00
sinn3r 64651e52a8 Credit Shane of X-Force for the discovery 2012-01-27 11:18:34 -06:00
HD Moore b4e2228404 Fix exitfunc option name 2012-01-27 09:15:31 -06:00
sinn3r 298b94d397 Add MS12-004 MIDI Heap Overflow Remote Code Execution Exploit (CVE-2012-003) 2012-01-27 03:48:39 -06:00
sinn3r 3952a06292 Minor changes 2012-01-26 11:35:43 -06:00
Christopher McBee 1af6740b24 Initial checking of hp_magentservice module 2012-01-25 13:04:30 -05:00
Tod Beardsley f6a6963726 Msftidy run over the recent changed+added modules 2012-01-24 15:52:41 -06:00
Joshua J. Drake 292332d355 Add some error handling for tns_version method 2012-01-19 13:03:19 -06:00
Tod Beardsley 8ce47ab832 Changing license for KillBill module
Talked with Solar Eclipse, and he's consented to change his module
license from GPL to BSD, thus striking a blow for freedom. Thanks!
2012-01-19 11:39:56 -06:00
sinn3r d6e8f0b54d Add Felipe as an author (plus a reference) because looks like the PoC originally came from him. 2012-01-18 13:33:27 -06:00
sinn3r 064a71fb1d Add CVE-2011-3167 HP OpenView NNM exploit (Feature #6245) 2012-01-18 12:05:18 -06:00
sinn3r e4ed3c968d Add OSVDB and BID references 2012-01-17 18:16:47 -06:00
sinn3r 75f543f3eb Hilarious, I forgot to change the disclosure date. 2012-01-17 18:11:18 -06:00
sinn3r 2e8122dc88 Better MSF style compliance 2012-01-17 14:54:50 -06:00
sinn3r a682e68073 Add CVE-2011-4786 HP Easy Printer Care XMLCacheMgr exploit (Feature #6246) 2012-01-17 12:28:47 -06:00
sinn3r 4f16caed0f Change naming style for MS type bug 2012-01-17 03:00:07 -06:00
sinn3r c15e7da0b8 Add ZDI-12-012 McAfee SaaS ShowReport code execution 2012-01-16 18:44:11 -06:00
sinn3r 4689421201 Correct variable naming style 2012-01-16 16:03:48 -06:00
Tod Beardsley 11fc423339 Merge pull request #102 from cbgabriel/bsplayer-m3u
modules/exploits/windows/fileformat/bsplayer_m3u.rb
2012-01-16 11:24:48 -08:00
Steve Tornio bd31f3f480 add osvdb ref 2012-01-13 13:21:33 -06:00
sinn3r 2eb35728f6 Randomize nops 2012-01-12 18:37:25 -06:00
root ffe81584d1 updated author 2012-01-12 19:02:34 -05:00
sinn3r e42e0004a9 Merge branch 'ms05_054_onload' of https://github.com/SamSharps/metasploit-framework into SamSharps-ms05_054_onload 2012-01-12 17:46:50 -06:00
root a8ef3417b5 Fixed the date 2012-01-12 20:54:55 -06:00
Sam Sharps e75e23b963 Removed more unused variables and fixed some formatting 2012-01-12 18:13:28 -06:00
Sam Sharps f22f54034a Removed unused variables 2012-01-12 18:05:54 -06:00
Sam Sharps 87ee6905df Modified exploit to not need egg hunter shellcode 2012-01-12 18:01:22 -06:00
root ad0b745b31 new file: modules/exploits/windows/fileformat/bsplayer_m3u.rb 2012-01-12 16:12:43 -05:00
Tod Beardsley 092b226cce Updating tns_auth_sesskey to use a user-supplied SID
Applying the patch suggested by Lukas, here: http://mail.metasploit.com/pipermail/framework/2012-January/008374.html
2012-01-11 07:31:36 -06:00
Tod Beardsley 7e25f9a6cc Death to unicode
Apologies to the authors whose names I am now intentionally misspelling.
Maybe in another 10 years, we can guarantee that all terminals and
machine parsers are okay with unicode suddenly popping up in strings.

Also adds a check in msftidy for stray unicode.
2012-01-10 14:54:55 -06:00
sinn3r bc9014e912 Add new v3.4 target by Michael Coppola (Feature #6207) 2012-01-09 23:51:11 -06:00
sinn3r 8eee54d1d0 Add e-mail addr for corelanc0d3r (found it in auxiliary/fuzzers/ftp/client_ftp.rb) 2012-01-09 14:23:37 -06:00
sinn3r 2f9d563067 Update reference 2012-01-09 02:14:29 -06:00
David Maloney 9cf2af6a94 Adds exploit/windows/htt/xampp_webdav_upload_php
This exploit abuses weak default passwords on XAMPP
for windows to uplaod a php payload and execute it.

Fixes #2170
2012-01-06 12:00:14 -08:00
Sam Sharps 06414c2413 changed author to my actual name 2012-01-06 01:03:20 -06:00
Sam Sharps b26ed37467 Added description, urls, and another author 2012-01-06 00:47:01 -06:00