0b1671f1b8
Undo debugging comment
2014-01-14 17:02:30 -06:00
6372ae6121
Save some parsing
2014-01-14 17:00:00 -06:00
a056d937e7
Fluch data cache and improve documentation
2014-01-14 14:06:01 -06:00
a8806887e9
Add support for MIPS reverse shell staged payloads
2014-01-14 12:25:11 -06:00
5d387c96ec
Land #2879 , minor code formatting missed in #2863
2014-01-14 11:22:09 -06:00
b4280f2876
Very minor code formatting
2014-01-14 13:35:00 +01:00
2d40f936e3
Added some additional creds that were useful
2014-01-13 23:15:51 -05:00
42fb8c48d1
Fixed the credential parsing and made output consistent
...
So in the previous refactor, we made the dedicated method to parse
usernames and passwords from the split up config values. However, that
didn't work, because on a single iteration of the loop, you only have
access to a possible username OR password. The other matching key will
be another iteration of the loop. Because of this, no credential pairs
were being reported.
The only way I can see around this (maybe because I'm a ruby newb) would
be to iterate over configs, and if the user or password regex matches,
add the matching value to a hash, which is identified by a key for both
user & pass. Then upon completion of the loop, it'd iterate over the
hash, finding keys that had both user & pass values.
2014-01-13 22:57:25 -05:00
ad832adfc1
Land #2846 - Update mipsle shell_bind_tcp shellcode
2014-01-13 17:37:08 -06:00
b7b1ddf1e8
Sercomm Exploit module fixes
...
Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
Added functionality to the CmdStagerEcho mix-in to support encoding via
octal instead of hex based on the :enc_type option. This is because many
devices would not output hex encoded values properly.
Added options on a per-target basis for the PackFormat (endian pack()
values for communication), UploadPath (because /tmp wasn't always
writable), and PayloadEncode (previously mentioned octal encoding
option)
Note for some reason, some devices communicate over one endianness, but
then require a payload for the other endianess. I'm not sure what's
causing this, but if those specific combinations are not used, the
exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00
804b26bac6
Land #2872 , switch for ARCH_MIPSBE
2014-01-13 15:10:27 -06:00
24c57b34a7
Have into account endianess
2014-01-13 15:04:23 -06:00
7c52f9b496
Update description to use %q{}
2014-01-13 14:42:25 -06:00
61b30e8b60
Land #2869 , pre-release title/desc fixes
2014-01-13 14:29:27 -06:00
207e9c413d
Add the test info for sercomm_dump_config
2014-01-13 14:27:03 -06:00
e6e6d7aae4
Land #2868 , fix Firefox mixin requires
2014-01-13 14:23:51 -06:00
fe6d10ac5d
Land #2852 , @mandreko's scanner for OSVDB 101653
2014-01-13 14:07:07 -06:00
671027a126
Pre-release title/desc fixes
2014-01-13 13:57:34 -06:00
8c3a71a2e7
Clean sercomm_backdoor scanner according to feedback
2014-01-13 13:53:47 -06:00
f11322b29f
Oh right, msftidy.
2014-01-13 13:44:34 -06:00
3db143c452
Remove explicit requires for FF payload.
...
Adds ff payload require to msf/core/payload.rb
2014-01-13 13:07:55 -06:00
771bd039a0
Land #2863 - Update realplayer_ver_attribute_bof.rb
...
Refs & ROP
2014-01-13 11:29:52 -06:00
bc9c865c25
Land #2865 - js payload to firefox_svg_plugin & add BA support for FF JS exploits
2014-01-13 11:17:36 -06:00
95a5d12345
Merge #2835 , #2836 , #2837 , #2838 , #2839 , #2840 , #2841 , #2842 into one branch
2014-01-13 10:57:09 -06:00
e7cc3a2345
Removed unnecessary target
2014-01-13 13:17:16 +01:00
26d17c03b1
Replaced ROP chain
2014-01-13 02:54:49 +01:00
f78ec1eeb2
Make sure we unwrap the SecurityWrapper.
2014-01-12 10:46:23 -06:00
b3b04c4159
Fix both firefox js exploits to use browser_autopwn.
2014-01-11 17:34:38 -06:00
d657a2efd3
Added DEP Bypass
2014-01-11 20:31:28 +01:00
72d15645df
Added more references
2014-01-11 20:30:50 +01:00
bd91e36e06
Land #2851 , @wchen-r7's virustotal integration
2014-01-10 19:12:56 -06:00
d1d45059f2
use session_host instead
2014-01-10 18:27:03 -06:00
8534f7948a
Change the post module's default api key as well (to Metasploit's)
2014-01-10 17:59:51 -06:00
8449005b2a
Fixed CVE identifier.
2014-01-10 23:45:34 +01:00
140d1fbf90
Land #2847 - Add MIPS big endian single shell_bind_tcp payload
2014-01-10 15:06:35 -06:00
202e19674c
Land #2856 - Fix ARMLE stagers
2014-01-10 15:05:03 -06:00
96ba41a4b0
Land #2844 - Fix the mipsbe shell_reverse_tcp payload
2014-01-10 15:00:39 -06:00
cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells
2014-01-10 14:29:32 -06:00
238d052073
Update description
...
key is no longer required.
2014-01-10 04:02:01 -06:00
da273f1440
Update the use of report_note
2014-01-10 01:49:07 -06:00
807d8c12c7
Have a default API key
...
Modules now should have a default API key. See the following for
details:
http://blog.virustotal.com/2012/12/public-api-request-rate-limits-and-tool.html
2014-01-10 01:26:42 -06:00
4e8092aceb
Fix armle stagers
2014-01-09 17:34:59 -06:00
9d14dd59eb
Delete parentheses
2014-01-09 15:17:13 -06:00
4a64c4651e
Land #2822 , @mandreko's aux module for OSVDB 101653
2014-01-09 15:15:37 -06:00
410302d6d1
Fix indentation
2014-01-09 15:14:52 -06:00
b1073b3dbb
Code Review Feedback
...
Removed the parameters from get() since it works without them
2014-01-09 15:54:23 -05:00
d69b658de0
Land #2848 , @sho-luv's MS08-067 scanner
2014-01-09 14:39:25 -06:00
2a0f2acea4
Made fixes from the PR from jvazquez-r7
...
The get_once would *only* return "MMcS", and stop. I
modified it to be a get(3, 3). Additionally, the command
length was set to 0x01 when it needed to be 0x00.
2014-01-09 15:33:04 -05:00
fc616c4413
Clean up formatting
2014-01-09 14:16:31 -06:00
93668b3286
Code Review Feedback
...
Made it less verbose, converting to vprint_error
2014-01-09 14:53:33 -05:00
be6958c965
Clean sercomm_dump_config
2014-01-09 13:42:11 -06:00
e21c97fd4d
Added missing metadata
...
Add credit where due
Add disclosure date and references
2014-01-09 14:33:54 -05:00
9456d26467
Added Scanner module for SerComm backdoor
2014-01-09 14:25:28 -05:00
85203c2f2a
Land #2823 , @mandreko's exploit module for OSVDB 101653
2014-01-09 10:27:44 -06:00
40d2299ab4
Added tested device
2014-01-09 10:46:14 -05:00
c50f7697a5
Merge branch 'review_2823' of https://github.com/jvazquez-r7/metasploit-framework into sercomm_exec
2014-01-09 10:39:12 -05:00
01c5585d44
Moved auxiliary module to a more appropriate folder
2014-01-09 10:17:26 -05:00
d9e737c3ab
Code Review Feedback
...
Refactored the configuration settings so that creds could be reported to
the database more easily, while still being able to print general
configuration settings separately.
2014-01-09 10:14:34 -05:00
81adff2bff
Code Review Feedback
...
Changed datastore['rhost'] to rhost
Made the array storing configuration values into a class const
Moved superfluous array look-over to not be executed unless in verbose
mode
2014-01-09 09:19:13 -05:00
bbaaecd648
Delete commas
2014-01-09 08:01:11 -06:00
5e510dc64c
Add minor fixes, mainly formatting
2014-01-09 07:51:42 -06:00
ed6723655d
Code Review Feedback
...
Fixed some handling of errors and invalid hosts
2014-01-09 08:44:01 -05:00
8414973746
Land #2833 , rm linksys_wrt110_cmd_exec_stager
2014-01-09 01:21:22 -06:00
7fd4935263
Make the module output prettier
2014-01-09 01:03:01 -06:00
27f079ad7c
Move {begin,end}_job from libs to modules
2014-01-09 01:03:01 -06:00
131bfcaf41
Refactor away leftover get_rdymsg
2014-01-09 01:03:01 -06:00
d3bbe5b5d0
Add filesystem commands and new PoC modules
...
This commit also refactors some of the code.
2014-01-09 01:03:01 -06:00
af66310e3a
Address @jlee-r7's comments
2014-01-09 01:03:01 -06:00
bab32d15f3
Address @wchen-r7's comments
2014-01-09 01:03:00 -06:00
1c889beada
Add Rex::Proto::PJL and PoC modules
2014-01-09 01:03:00 -06:00
d2458bcd2a
Code Review Feedback
...
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
a8fcf13972
Added credits and clean initialize
...
Added wvu to creds as he did most of work. ;)
2014-01-08 21:16:09 -05:00
8993c74083
Fix even moar outstanding issues
2014-01-08 19:38:54 -06:00
a99e2eb567
Update the post module
2014-01-08 18:41:22 -06:00
130a99f52b
Add a post module that checks with VirusTotal with a checksum
...
This post module will submit a SHA1 checksum to VirusTotal to see
if it's a malicious file.
2014-01-08 18:26:40 -06:00
1dd29d3b64
Fix moar outstanding issues
2014-01-08 18:11:18 -06:00
945a2a296a
Fix outstanding issues
2014-01-08 17:09:41 -06:00
4e581a35ac
Fix encoder architecture
2014-01-08 16:18:30 -06:00
35ac9712ab
Added auxiliary check for MS08_067
...
I simply copied the check from ms08_0867_netapi.rb and put them in
a auxiliary check so I could scan for it. This was done because
Nmap's check is not safe and this is more stable.
2014-01-08 16:41:44 -05:00
a0879b39e0
Add mips be shell_bind_tcp payload
2014-01-08 14:48:54 -06:00
1727b7fb37
Allow the Msf::Payload::Linux's generate to make its work
2014-01-08 12:41:10 -06:00
83e5169734
Don't use temporal register between syscals and save some bytes on the execve
2014-01-08 11:45:27 -06:00
5f7582b72d
Don't use a temporary registerfor the dup2 loop counter
2014-01-07 18:02:55 -06:00
c2dce19768
Don't use a temporary registerfor the dup2 loop counter
2014-01-07 17:39:27 -06:00
a85492a2d7
Fix my own busted dup2 sequence
2014-01-07 16:27:01 -06:00
fb1a038024
Update async API to actually be async in all cases.
...
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
3230b193e1
Make better comment
2014-01-07 15:32:46 -06:00
80dcda6f76
Fix bind call
2014-01-07 15:31:42 -06:00
266b040457
Update cachedump.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:14:10 +01:00
d567737657
Update reverse_tcp_rc4_dns.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:12:38 +01:00
385ae7ec38
Update reverse_tcp_rc4.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:11:16 +01:00
693d95526b
Update bind_tcp_rc4.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:09:53 +01:00
1479ef3903
Update typo3_winstaller_default_enc_keys.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:08:10 +01:00
b5524654d5
Delete comment
2014-01-07 14:50:26 -06:00
45c86d149f
Modify authors field
2014-01-07 14:50:12 -06:00
d6639294aa
Save some instructions with dup2
2014-01-07 14:41:33 -06:00
e79ccb08cb
Update rails_secret_deserialization.rb
...
When using aws-sdk with Ruby 2.1.0-rc1, many "Digest::Digest is deprecated; use Digest" warnings are printed.
Even in Ruby 1.8.7-p374, OpenSSL::Digest::Digest is only provided for backward compatibility.
2014-01-07 21:41:15 +01:00
9cf221cdd6
Delete delay slots after syscall
2014-01-07 13:18:20 -06:00
590547ebc7
Modify title to avoid versions
2014-01-07 13:01:10 -06:00
c34af35230
Add wrt100 to the description and title.
...
* The wrt110 and wrt100 share the same firmware, and are both vulnerable to this
bug.
2014-01-07 10:26:15 -06:00
jvazquez-r7
William Vu
sgabe
Matt Andreko
sinn3r
Tod Beardsley
Joe Vennix
sho-luv
Niel Nielsen