infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
45,003 Commits
7 Branches
556 Tags
419 MiB
Commit Graph

23406 Commits (316e657d107569d9303dc60151ead586ec8e8b8e)

Author SHA1 Message Date
Pearce Barry 2a6b3671bf
Add connection addr+port info to http response object. 
Update owa_login to use this instead of doing lookups on its own.
 2018-01-19 13:37:33 -06:00
Steve Embling 8f75d3a46b Possible fix to changes in net::ssh usage 2018-01-19 15:10:14 +00:00
Kevin Kirsche c7d3b5dfbb
Update payload and disable check functionality 
The check functionality is broken as MSF cannot handle HttpServer and HttpClient at this time.

The payloads were updated to ensure CVE-2017-10271 is being exploited instead of CVE-2017-3506 as explained on https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/
 2018-01-18 13:26:44 -05:00
Brent Cook 7849743789
update stageless python sizes 2018-01-18 00:41:58 -06:00
Pearce Barry e9ce2374e5
Auto-resolve target if it's a hostname (owa_login). 
Ensures the module does save the creds which it claims to be saving.  See MS-2968.
 2018-01-17 16:47:21 -06:00
Aaron Soto 9328374155
Update 'author' field of metadata 2018-01-17 16:43:37 -06:00
Adam Cammack 0f0b116751
Rename scanner bits to avoid confusion 2018-01-17 14:46:31 -06:00
Aaron Soto 10cf327c26
Improve Hyper-V tests in checkvm 
All Win10 machines, physical and virtual, were being reported as 'Hyper-V' (false positives)

Added functionality to extract hostname of physical hypervisor from VM registry
 2018-01-17 14:29:03 -06:00
bwatters-r7 4c11eae774
Maybe that timeout is needed..... 2018-01-17 13:21:36 -06:00
Adam Cammack c7894f1d74
Split long lines and add comments 2018-01-17 12:04:12 -06:00
Philippe Tranca 35bec8d3cd Fixed classes names and added RMI interfaces 2018-01-17 17:10:36 +01:00
Philippe Tranca d345008b20 Added all the classes that implement RMI server 2018-01-17 17:03:32 +01:00
bwatters-r7 f439edfa1a Fixes by the fabled wvu 2018-01-17 08:20:52 -06:00
Brent Cook d6e966b079
Land #9414, wp_admin_shell_upload - remove plugin dir after exploitation 2018-01-16 21:08:22 -06:00
Adam Cammack 37bf68869f
Add scanner for the open proxy from 'SharknAT&To' 2018-01-16 21:05:19 -06:00
William Vu e5bd36da1c
Land #9402, NIS bootparamd domain name disclosure 2018-01-15 15:36:00 -06:00
Daniel Teixeira aa9b5e4419
Sync Breeze Enterprise Import Command 2018-01-15 20:46:40 +00:00
Christian Mehlmauer 2f9eebe28b
remove plugin dir 2018-01-15 14:48:59 +01:00
Philippe Tranca dfb9941e95 Fix java_jmx_server exploit 
Add test case when discovering RMI endpoint as the previous one was not complete
 2018-01-15 12:13:09 +01:00
Nicky Bloor 333ee893d3 Tidied up platform detection, check method, and minor typos. 2018-01-14 18:28:40 +00:00
Brendan Coles e1cbe4e906 Rename apport_chroot_priv_esc to apport_abrt_chroot_priv_esc 2018-01-14 08:33:43 +00:00
Brendan Coles c234d0523a Add support for abrt on Fedora 2018-01-14 08:33:10 +00:00
William Vu 736d438813 Address second round of feedback 
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
 2018-01-13 22:55:01 -06:00
Nicky Bloor 6568d29b67 Add BMC Server Automation RSCD Agent RCE exploit module. 2018-01-14 01:12:55 +00:00
William Vu 1a8eb7bf2a Update nis_ypserv_map after bootparam feedback 
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
 2018-01-13 15:40:17 -06:00
William Vu c080329ee6 Update module after feedback 
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!
 2018-01-13 15:40:11 -06:00
Brendan Coles 2f3e3b486a Use cross-compiled exploit 2018-01-13 05:44:42 +00:00
Brendan Coles d172259f5d
umlaut 2018-01-13 16:06:11 +11:00
William Vu eb8429cbd3
Revert "umlaut" 
This reverts commit ffd7073420.
 2018-01-12 22:57:22 -06:00
Brendan Coles ffd7073420
umlaut 2018-01-13 15:48:45 +11:00
Jeffrey Martin 1f1dc59d17
Land #9392, python meterpreter whitespace normalization 2018-01-12 21:24:13 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout 
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
 2018-01-12 19:34:59 -06:00
William Vu 0c9f1d71d3 Add NIS bootparamd domain name disclosure 2018-01-12 19:34:53 -06:00
Brendan Coles 842736f7b1 register_dir_for_cleanup 2018-01-12 14:21:43 +00:00
Agahlot 488f27bf76 Small Typo 2018-01-12 07:05:30 -05:00
RageLtMan c65c03722c Migrate native DNS services to Dnsruby data format 
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.

Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.

Testing:
  Internal tests for resolution of different record types locally
and over pivot sessions.
 2018-01-12 05:00:00 -05:00
Brendan Coles 8bbffd20cd Add Apport chroot Privilege Escalation exploit 2018-01-12 07:25:35 +00:00
Kevin Kirsche 04e4ff6b3c
Use stop_service to avoid cleanup overload 2018-01-11 19:14:26 -05:00
Kevin Kirsche 40f54df129
Feedback updates 2018-01-11 18:54:58 -05:00
Kevin Kirsche 172ffdfea1
Use geturi instead of building it ourselves 2018-01-11 18:27:56 -05:00
Wei Chen e6c4fb1dab
Land #9269, Add a new target for Sync Breeze Enterprise GET BoF 
Land #9269
 2018-01-11 16:54:23 -06:00
Wei Chen f395e07fc6 Land #9269, add new target for Sync Breeze Enterprise GET BoF 
Land #9269
 2018-01-11 16:53:02 -06:00
Kevin Kirsche d4056e72da
Lower the default timeout for CHECK 2018-01-11 17:38:30 -05:00
Kevin Kirsche 3617a30e34
Add URIPATH random URI 2018-01-11 17:33:14 -05:00
Kevin Kirsche a28d4a4b5b
Add check and update for some style considerations 2018-01-11 17:28:09 -05:00
Kevin Kirsche 0d9a40d2e5
Use target['Platform'] instead of target_platform 2018-01-11 15:44:07 -05:00
Kevin Kirsche c490d642e2
Was missing a comma 2018-01-11 09:42:24 -05:00
Kevin Kirsche 3132566d8f
Fix OptFloat error 2018-01-11 09:22:16 -05:00
Kevin Kirsche c05b440f26
Fix additional feedback 
This
* uses ternary operators
* uses an `RPORT` option shortcut
* removes the `xml_payload` variable and instead more explicitly uses the method directly
* Uses `OptFloat` for the timeout option to allow partial seconds
 2018-01-11 08:17:13 -05:00
William Vu 4b225c30fd
Land #9368, ye olde NIS ypserv map dumper 2018-01-10 22:02:36 -06:00
William Vu f66b11f262 Nix an unneeded variable declaration 2018-01-10 20:24:02 -06:00
Wei Chen 6510ee53bc
Land #9204, Add exploit for Samsung SRN-1670D (CVE-2017-16524) 
Land #9204
 2018-01-10 20:15:29 -06:00
Wei Chen 18c179a091 Update module and add documentation 
This updates the module to pass:

* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes

A documentation is also added.
 2018-01-10 20:13:42 -06:00
William Vu b66889ac86 Rescue additional errors and refactor code 
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
 2018-01-10 20:11:25 -06:00
Wei Chen 7e2c7837e5
Land #9325, Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module 
Land #9325
 2018-01-10 17:39:50 -06:00
Wei Chen b1f3f471f3 Update phpcollab_upload_exec code (also module documentation) 2018-01-10 17:38:52 -06:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules 
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
 2018-01-10 15:47:20 -06:00
Wei Chen 8d77f35b16
Land #9373, Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow 
Land #9373
 2018-01-09 22:40:50 -06:00
Wei Chen 25280e3319 Update labf_nfsaxe and module documentation 2018-01-09 22:39:40 -06:00
Brent Cook f125e13278
python meterpreter whitespace normalization 2018-01-09 16:08:52 -05:00
Wei Chen 777e383568
Land #9377, Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 
Land #9377
 2018-01-09 13:56:53 -06:00
Wei Chen a0c9cdd73d
Land #9376, Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 
Land #9376
 2018-01-09 13:28:03 -06:00
Brent Cook 573ee28631
Land #9378, Detect and return on bad VNC negotiations 2018-01-09 03:46:00 -05:00
William Vu 4a5a17a8e1 Add NIS ypserv map dumper 2018-01-08 14:27:53 -06:00
Kevin Kirsche ab89e552ed
Remove accidental trailing space 2018-01-08 14:42:03 -05:00
Kevin Kirsche 2252490e62
Fix using arbitrary keys to instead use "URL" 2018-01-08 14:30:03 -05:00
Kevin Kirsche e80ca348cf
Add Exploit-DB ID 2018-01-08 10:55:46 -05:00
Kevin Kirsche 6beeece708
Re-add timeout value 2018-01-07 20:21:29 -05:00
Wei Chen d138f1508c
Land #9340, Add exploit for Commvault Remote Command Injection 
Land #9340
 2018-01-07 12:17:26 -06:00
Daniel Teixeira ff1806ef5f
Update labf_nfsaxe.rb 2018-01-07 16:46:06 +00:00
Kevin Kirsche eefd432161
Make sure Platforms match our actual target list 2018-01-06 08:31:30 -05:00
Kevin Kirsche 4bd196f8b2
Fix missing single quotes and remove comma 2018-01-06 08:30:48 -05:00
Kevin Kirsche 867b32415d
Fix feedback from wvu-r7 
Fixes feedback from wvu-r7

- Consolidates payload to single method
- Replaces gsub! with standard encode method
- Note exploit discovery and proof of concept code used in authors (still seems weird to include the discovery as an author...)
- Change link
- Use `ARCH_CMD` instead of `[ARCH_CMD]`
- Remove Linux target as it's only Windows or Unix
- Remove timeout as I don't know how to pass it to `send_request_cgi`
 2018-01-06 08:12:43 -05:00
Kevin Kirsche 744f20304c
Remove hardcoded user-agent from the headers 
Remove hardcoded user-agent from the headers allowing for `send_request_cgi` to control this
 2018-01-05 18:22:27 -05:00
Daniel Teixeira a69f275a39
Update labf_nfsaxe.rb 2018-01-05 21:14:47 +00:00
Daniel Teixeira c819aebc76
Add files via upload 2018-01-05 21:11:21 +00:00
Daniel Teixeira e797ca4781
Add files via upload 2018-01-05 21:00:47 +00:00
Daniel Teixeira aca76e2a4e
Update labf_nfsaxe.rb 2018-01-05 20:58:36 +00:00
Daniel Teixeira 2643acbc25
Update labf_nfsaxe.rb 2018-01-05 20:55:49 +00:00
Daniel Teixeira b29710c66b
Add files via upload 2018-01-05 20:47:27 +00:00
Daniel Teixeira 94a1198485
Update labf_nfsaxe.rb 2018-01-05 20:41:49 +00:00
Kevin Kirsche 2478de934b
Add CVE-2017-10271 / Oracle WebLogic wls-wsat RCE 2018-01-05 15:05:21 -05:00
Daniel Teixeira b97785c7a9
Update labf_nfsaxe.rb 2018-01-05 18:46:33 +00:00
Daniel Teixeira e7946549d7
Update labf_nfsaxe.rb 2018-01-05 18:31:40 +00:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Brendan Coles 006514864b Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 2018-01-05 11:28:48 +00:00
Brendan Coles 52a5fc9e0a Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 2018-01-05 11:28:14 +00:00
Daniel Teixeira a3fb8b6619
Update labf_nfsaxe.rb 2018-01-04 20:55:38 +00:00
Daniel Teixeira e5bb4bf057
Add files via upload 2018-01-04 20:26:28 +00:00
h00die fb75cd4617 it does work! 2018-01-04 14:44:43 -05:00
h00die 65f444ddcc
land #9362 exploit for pfsense graph injection 2018-01-04 14:35:52 -05:00
wetw0rk c9d6d0a7a7 -51 2018-01-04 12:25:31 -06:00
William Vu 366a20a4a4
Fix #9215, minor style nitpick 2018-01-03 23:11:51 -06:00
Brent Cook 520e890520
Land #8581, VMware Workstation ALSA Config File Local Privilege Escalation 2018-01-03 21:35:57 -06:00
Wei Chen b8dde2e650 Land #9360, Ayukov NFTP FTP client buffer overflow vulnerability 
Land #9360
 2018-01-03 20:56:12 -06:00
Wei Chen 04cf3017c0 Update ayukov_nftp exploit and module documentation 2018-01-03 20:52:57 -06:00
Aaron Soto 7849155347
Land #9359, Improve DCE/RPC fault handling 2018-01-03 20:42:17 -06:00
William Vu c3f10c1d57
Land #9336, Linksys WVBR0-25 exploit 2018-01-03 18:13:44 -06:00
dmohanty-r7 a5fa63405f
Land #9206, Add Xplico RCE exploit module 2018-01-03 16:02:51 -06:00
Adam Cammack a98de2d9a3
Land #9358, Support password protected key files 2018-01-03 15:12:28 -06:00