0113cbd353
Nokogiri::XML::Builder instead
2015-09-16 19:53:33 -07:00
927785cfe4
Lan #5783 , @jabra-'s module to disclose passwords from grup policy preferences
2015-09-16 21:00:03 -05:00
adab9f9548
Do final cleanup
2015-09-16 20:59:32 -05:00
4d0d806e1d
Do minor cleanup
2015-09-16 19:30:40 -05:00
d2a17074b1
update payload sizes
2015-09-16 17:24:41 -05:00
46168e816b
Merge for retab
2015-09-16 17:13:08 -05:00
ab8d12e1ac
Land #5943 , @samvartaka's awesome improvement of poisonivy_bof
2015-09-16 16:35:04 -05:00
af1cdd6dea
Return Appears
2015-09-16 16:34:43 -05:00
402044a770
Delete comma
2015-09-16 16:23:43 -05:00
75c6ace1d0
Use single quotes
2015-09-16 16:23:10 -05:00
88fdc9f123
Clean exploit method
2015-09-16 16:14:21 -05:00
d6a637bd15
Do code cleaning on the check method
2015-09-16 16:12:28 -05:00
c7afe4f663
Land #5930 , MS15-078 (atmfd.dll buffer overflow)
2015-09-16 15:33:38 -05:00
688a5c9123
Land #5972 , @xistence's portmapper amplification scanner
2015-09-16 14:58:19 -05:00
8ae884c1fc
Do code cleanup
2015-09-16 14:46:27 -05:00
37d42428bc
Land #5980 , @xistence exploit for ManageEngine OpManager
2015-09-16 13:19:49 -05:00
8f755db850
Update version
2015-09-16 13:19:16 -05:00
1b50dfc367
Change module location
2015-09-16 11:43:09 -05:00
122103b197
Do minor metadata cleanup
2015-09-16 11:41:23 -05:00
aead0618c7
Avoid the WAIT option
2015-09-16 11:37:49 -05:00
b4aab70d18
Fix another typo
2015-09-16 11:34:22 -05:00
bef658f699
typo
2015-09-16 11:32:09 -05:00
0010b418d0
Do minor code cleanup
2015-09-16 11:31:15 -05:00
f3b6606709
Fix check method
2015-09-16 11:26:15 -05:00
7985d0d7cb
Removed privesc functionality, this has been moved to another module. Renamed module
2015-09-16 23:29:26 +12:00
bdd90655e4
Split off privesc into a seperate module
2015-09-16 23:11:32 +12:00
63bb0cd0ec
Add Android Mercury Browser Intent URI Scheme & Traversal
2015-09-16 00:48:57 -05:00
24af3fa12e
Add rop chains
2015-09-15 14:46:45 -05:00
e911d60195
Land #5967 , nil bug fix in SSO gather module
2015-09-15 10:25:50 -05:00
abe65cd400
Land #5974 , java_jmx_server start order fix
2015-09-15 01:33:44 -05:00
c99444a52e
ManageEngine EventLog Analyzer Remote Code Execution
2015-09-15 07:29:16 +07:00
7bf2f158c4
ManageEngine OpManager Remote Code Execution
2015-09-15 07:24:32 +07:00
9e6d3940b3
Update simple_backdoors_exec.rb
2015-09-13 23:30:14 +08:00
ae5aa8f542
No FILE_CONTENTS option
2015-09-12 23:32:02 -05:00
4e22fce7ef
Switched to using Rex MD5 function
2015-09-13 16:23:23 +12:00
0657fdbaa7
Replaced RPORT
2015-09-13 09:19:05 +07:00
521636a016
Small changes
2015-09-13 08:31:19 +07:00
0d52a0617c
Verify win32k 6.3.9600.17837 is working
2015-09-12 15:27:50 -05:00
9626596f85
Clean template code
2015-09-12 13:43:05 -05:00
0c4604734e
Webserver starts at the beginning, stops at the end
2015-09-12 19:42:31 +02:00
79e3a7f84b
Portmap amplification scanner
2015-09-12 16:25:06 +07:00
01053095f9
Add MS15-100 Microsoft Windows Media Center MCL Vulnerability
2015-09-11 15:05:06 -05:00
5f9f66cc1f
Fix nil bug in SSO gather module
2015-09-11 02:21:01 -05:00
a1a7471154
Land #5949 , is_root? for remove_lock_root
2015-09-11 02:09:14 -05:00
f2ccca97e0
Move require 'msf/core/post/android' to post.rb
2015-09-11 01:56:21 -05:00
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
017832be88
Land #5953 , Add Bolt CMS File Upload Vulnerability
2015-09-10 18:29:13 -05:00
602a12a1af
typo
2015-09-10 18:28:42 -05:00
94aea34d5b
Land #5965 , Show the Shodan error message if no result are found
2015-09-10 17:39:25 -05:00
cddf72cd57
Show errors when no results are found
2015-09-10 14:05:40 -07:00
90ef9c11c9
Support meterpreter for OS X post modules
2015-09-10 15:57:43 -05:00
68521da2ce
Fix check method.
2015-09-10 04:40:12 -03:00
0ba03f7a06
Fix words.
2015-09-09 21:27:57 -03:00
bc3f5b43ab
Removerd WordPress mixin.
2015-09-09 21:26:15 -03:00
d3aa61d6a0
Move bolt_file_upload.rb to exploits/multi/http
2015-09-09 13:41:44 -03:00
2800ecae07
Fix alignment.
2015-09-09 01:21:08 -03:00
48bd2c72a0
Add fail_with method and other improvements
2015-09-09 01:11:35 -03:00
f08cf97224
Check method implemented
2015-09-08 23:54:20 -03:00
6de0c9584d
Fix some improvements
2015-09-08 23:15:42 -03:00
31a8907385
Update simple_backdoors_exec.rb
2015-09-09 08:30:21 +08:00
329e6f4633
Fix title
2015-09-08 15:31:14 -05:00
30cb93b4df
Land #5940 , @hmoore-r7's fixes for busybox post modules
2015-09-08 15:12:23 -05:00
122d57fc20
Land #5945 , Add auto-accept to osx/enum_keychain
2015-09-08 10:56:08 -05:00
13afbc4eae
Properly check root for remove_lock_root (android post module)
...
This uses the Msf::Post::Android::Priv mixin.
2015-09-08 10:40:08 -05:00
4e23bba14c
Update simple_backdoors_exec.rb
...
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
002aada59d
Update simple_backdoors_exec.rb
...
changed shell to res
2015-09-08 14:54:26 +08:00
467f9a8353
Update simple_backdoors_exec.rb
2015-09-08 14:45:54 +08:00
37c28ddefb
Update simple_backdoors_exec.rb
...
Updated the description
2015-09-08 13:42:12 +08:00
0f8123ee23
Simple Backdoor Shell Remote Code Execution
2015-09-08 13:08:47 +08:00
1b320bae6a
Add auto-accept to osx/enum_keychain.
2015-09-07 21:17:49 -05:00
0a0e7ab4ba
This is a modification to the original poisonivy_bof.rb exploit
...
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.
See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.
## Console output
Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.
### Version 2.3.2 (unknown password)
```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```
### Version 2.2.0 (unknown password)
```
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > show targets
Exploit targets:
Id Name
-- ----
0 Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
1 Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
2 Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1
msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
ec5cbc842e
Cosmetic cleanups
2015-09-05 22:56:11 -05:00
8c0b0ad377
Fix up jailbreak commands & regex for success detection
2015-09-05 22:54:07 -05:00
2f8dc7fdab
Update w3tw0rk_exec.rb
...
changed response to res
2015-09-05 14:21:07 +08:00
23ab702ec4
Land #5631 , @blincoln682F048A's module for Endian Firewall Proxy
...
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
2abfcd00b1
Use snake_case
2015-09-04 16:27:09 -05:00
15aa5de991
Use Rex::MIME::Message
2015-09-04 16:26:53 -05:00
adcd3c1e29
Use static max length
2015-09-04 16:18:55 -05:00
1ebc25092f
Delete some comments
2015-09-04 16:18:15 -05:00
cc405957db
Add some improvements
2015-09-04 16:02:30 -03:00
5646f2e0c4
successful status should include last_attempted_at
2015-09-04 13:45:44 -05:00
cf6d5fac2a
Use the latest cred API, no more report_auth_info
2015-09-04 13:43:15 -05:00
4531d17cab
Added the rest of the code
2015-09-04 15:37:42 -03:00
eaf51a2113
Land #5722 , @vallejocc's busybox work
2015-09-04 13:36:44 -05:00
5dd0cee36a
Add comment
2015-09-04 13:30:00 -05:00
b9ba12e42a
Added get_token method.
2015-09-04 15:27:28 -03:00
2b2dec3531
Fixed typo direcotry.
2015-09-04 18:52:55 +02:00
319bc2d750
Use downcase
2015-09-04 11:18:09 -05:00
6f4f8e34b4
Added method bolt_login.
2015-09-04 10:45:15 -03:00
d55757350d
Use the latest credential API, no more report_auth_info
2015-09-04 03:04:14 -05:00
a195f5bb9e
Initial commit - Skeleton
2015-09-04 04:09:16 -03:00
ef6df5bc26
Use get_target_arch
2015-09-03 16:30:46 -05:00
2588439246
Add references for the win32k info leak
2015-09-03 15:35:41 -05:00
e48bcb4e08
Land #5931 , tweak titles
2015-09-03 14:52:52 -05:00
b2c401696b
Add certutil support.
...
Tested while landing #5736
2015-09-03 14:24:37 -05:00
1e6a1f6d05
Revert "Fix spec like I shoulda done before landing #5736"
...
This reverts commit 956c8e550d
2015-09-03 14:18:55 -05:00
b4547711f3
Add certutil support.
...
Tested while landing #5736
2015-09-03 13:27:10 -05:00
697a6cd335
Rescue the process execute
2015-09-03 13:03:36 -05:00
f0ef035a0b
Update the module titles to clarify what these do
2015-09-03 12:53:25 -05:00
630057e23f
Implement suggestions from the PR discussion
2015-09-03 12:42:51 -05:00
57c8038f07
Merge branch 'master' into land-5413
2015-09-03 12:38:19 -05:00
80a1e32339
Set Manual Ranking
2015-09-03 12:24:45 -05:00
0f1530adc1
Merge branch 'master' into land-5412
2015-09-03 12:22:00 -05:00
6e4ae1238b
Land #5791 , show the VHOST in module output
2015-09-03 11:36:19 -05:00
b8eee4a9e4
Show the IP address if it doesn't match the VHOST
2015-09-03 11:35:38 -05:00
9b51352c62
Land #5639 , adds registry persistence
2015-09-03 11:26:38 -05:00
1b021464fe
Land #5919 , remove deprecated VMware modules & update resource script.
2015-09-03 10:23:48 -05:00
dbe901915e
Improve version detection
2015-09-03 09:54:38 -05:00
394b1155b2
Apply stager patch in master
2015-09-03 08:30:09 -05:00
1440f31756
Land #5637 , resiliency improvements to TCP stagers
2015-09-02 22:50:12 -05:00
3fd9e0311c
Update payload sizes
2015-09-03 12:01:11 +10:00
de25a6c23c
Add metadata
2015-09-02 18:32:45 -05:00
9f9bbce034
Land #5840 , add LLMNR & mDNS modules
2015-09-02 18:30:29 -05:00
0120e5c443
Cosmetic tweaks, don't report duplicate responses
2015-09-02 18:30:03 -05:00
8f70ec8256
Fix Disclosure date
2015-09-02 18:21:36 -05:00
b912e3ce65
Add exploit template
2015-09-02 17:28:35 -05:00
42a2a86f32
Back out all changes to ms11_030_dnsapi
2015-09-02 13:53:10 -07:00
6d1ab101ed
Back out all changes to llmnr_response
2015-09-02 13:52:38 -07:00
4090c2c8ea
Land #5880 , adds ScriptHost UAC bypass for Win7/2008
2015-09-02 14:14:18 -05:00
582cc795ac
Remove newlines
2015-09-02 19:42:04 +01:00
43d3e69fb2
Land #5917 , update local exploit checks
2015-09-02 12:55:45 -05:00
126fc9881e
Cleanup and tweaks
2015-09-02 12:48:53 -05:00
3d04d53e3a
first pass at better output and report_service
2015-09-02 10:31:46 -07:00
b89b6b653a
Update trace.rb
2015-09-03 01:26:45 +08:00
73bf812dfd
Update trace.rb
...
removed the cookie
2015-09-03 00:35:23 +08:00
5ecee6aaba
Update trace.rb
...
removed some spaces so that msftidy will be happy
2015-09-03 00:27:22 +08:00
34e0819a6e
Modified the HTTP Trace Detection to XST Checker
...
This was suggested by HD Moore in https://github.com/rapid7/metasploit-framework/pull/5612
2015-09-03 00:19:08 +08:00
8f25a006a8
Change to automatic target
2015-09-02 09:13:25 +01:00
8e993d7793
Remove deprecated vmware modules
2015-09-02 13:00:15 +05:00
0c4b020089
Land #5913 , Add WP NextGEN Gallery Directory Traversal Vuln
2015-09-02 00:01:35 -05:00
4275a65407
Update local exploit checks to follow the guidelines.
...
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
347698e93f
Land #5915 , fix a warning with the regex
2015-09-01 23:08:01 -05:00
381297ba93
Fix the regex flags
2015-09-01 23:07:48 -05:00
626704079d
Changed output store_loot
2015-09-02 00:18:10 -03:00
96600a96ab
Changed html parse by @wchen-r7
2015-09-01 22:03:21 -03:00
3c72467b7d
Fixes bug where "cert.rb:47: warning: flags ignored" happens due to some issuer patterns.
2015-09-02 01:02:46 +02:00
56a1cfd9c8
updated cached payload sizes
2015-09-01 18:02:16 -05:00
9dd14eb747
Merge branch 'upstream-master' into land-5899-android
2015-09-01 17:11:58 -05:00
27775fbe58
Restrict to 7 and 2k8
2015-09-01 22:23:37 +01:00
cd65478d29
Land #5826 , swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
35661d0182
Add WP NextGEN Gallery Directory Traversal Vuln
2015-09-01 13:28:04 -03:00
bfc24aea16
change exitfunc to thread
2015-09-01 10:52:25 +02:00
115f409fef
change exitfunc to thread
2015-09-01 10:48:07 +02:00
5398bf78eb
change exitfunc to thread
2015-09-01 10:46:54 +02:00
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
1b778d0650
Land #5898 , use gem version of php & python meterp
2015-08-31 16:16:36 -05:00
ff6fbfa738
Land #5895 , rework of ADSI modules
2015-08-31 14:10:41 -07:00
d670a62000
Land #5822 , migrate obsolete payload compatibility options
2015-08-31 15:20:20 -05:00
9a2696aed4
Add Reference
2015-08-31 12:03:17 -07:00
Jon Hart
jvazquez-r7
Brent Cook
wchen-r7
Daniel Jensen
Mo Sadek
William Vu
xistence
JT
Hans-Martin Münch (h0ng10)
HD Moore
Roberto Soares
joev
samvartaka
jvicente
James Lee
OJ
Meatballs
Waqas Ali
Alexander Salmin
Christian Mehlmauer