Commit Graph

6065 Commits (33da3a414b145de60f23a5534e2b2e75ab1804ed)

Author SHA1 Message Date
jvazquez-r7 d4ec858051 Clean zimbra_lfi 2013-12-18 15:46:37 -06:00
sinn3r 4bddd077ec
Land #2762 - Use new ntdll railgun functions 2013-12-18 15:18:47 -06:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix ca2de73879 It helps to actually commit the exploit. 2013-12-18 14:31:42 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Mekanismen 0c0e8c3a49 various updates 2013-12-18 20:54:35 +01:00
jvazquez-r7 ab69454f89 Land #2745, @rcvalle's exploit for CVE-2013-2068 2013-12-18 12:06:27 -06:00
jvazquez-r7 ec64382efc Fix cfme_manageiq_evm_upload_exec according to chat with @rcvalle 2013-12-18 11:53:30 -06:00
jvazquez-r7 a28ea18798 Clean pull request 2013-12-18 11:32:34 -06:00
Mekanismen 2de15bdc8b added module for Zimbra Collaboration Server CVE-2013-7091 2013-12-17 19:32:04 +01:00
sinn3r ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader 2013-12-16 20:32:27 -06:00
jvazquez-r7 52cb43e6a8 Fix typo 2013-12-16 20:28:49 -06:00
jvazquez-r7 84759a552a Save one variable 2013-12-16 16:49:44 -06:00
jvazquez-r7 042bd4f80b Fix ms_ndproxy to work under a sandboxed Reader 2013-12-16 16:19:17 -06:00
Tod Beardsley f88a3a55b6
More slight updates. 2013-12-16 15:05:39 -06:00
sinn3r afcee93309
Land #2771 - Fix description 2013-12-16 15:01:32 -06:00
sinn3r 04b7e8b174 Fix module title and add vendor patch information 2013-12-16 14:59:00 -06:00
Tod Beardsley 040619c373
Minor description changes
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jvazquez-r7 533accaa87 Add module for CVE-2013-3346 2013-12-16 14:13:47 -06:00
Meatballs 3dec7f61a5 Check in sysnative if wow64 2013-12-15 01:12:52 +00:00
Meatballs 2dc4faad72 Resplat license 2013-12-15 01:12:51 +00:00
Meatballs 8203274256 Small fixes
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ f2e2147065 Change unless with else to if with else 2013-12-15 01:12:50 +00:00
OJ cff7008500 Fix final issues with merge
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ 41c538856a Re-add RDI mixin changes 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs 6916f7c5d2 Fixup description 2013-12-15 01:12:47 +00:00
Meatballs 3d1646d18e Exit process when complete 2013-12-15 01:12:47 +00:00
Meatballs dd32c2b0b8 Spawn 32bit process 2013-12-15 01:12:46 +00:00
Meatballs 819ba30a33 msftidy
Conflicts:
	lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs 5eca4714c2 Renamed module 2013-12-15 01:12:46 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
jvazquez-r7 e8396dc37a Delete redefinition of ntdll functions on railgun 2013-12-13 16:02:47 -06:00
sinn3r ba1a70b72e Update Microsoft patch information 2013-12-13 15:59:15 -06:00
jvazquez-r7 1ab3e891c9 Modify ms_ndproxy to use railgun additions 2013-12-13 15:54:34 -06:00
jvazquez-r7 5c1ca97e21 Create a new process to host the final payload 2013-12-12 08:26:44 -06:00
jvazquez-r7 eb4e3f8a32 Fix os detection 2013-12-12 07:39:19 -06:00
jvazquez-r7 8b518776bc Dont fail_with on check 2013-12-11 22:08:36 -06:00
jvazquez-r7 02915c751c Favor unless over if not and add reference 2013-12-11 16:28:09 -06:00
jvazquez-r7 b6fa3f28b1 Modify description 2013-12-11 08:56:31 -06:00
jvazquez-r7 c4721de4a0 Add module for CVE-2013-5065 2013-12-11 08:52:35 -06:00
sinn3r 930a907531
Land #2748 - HP LoadRunner EmulationAdmin Web Service Directory Traversal 2013-12-10 16:29:12 -06:00
sinn3r 3a9ac303f0 Use rexml for XML data generation 2013-12-10 15:37:44 -06:00
William Vu ff9cb481fb Land #2464, fixes for llmnr_response and friends
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
jvazquez-r7 3d5501326b
Land #2743, @Mekanismen's exploit for CVE-2013-0632 2013-12-10 10:00:30 -06:00
jvazquez-r7 30960e973f Do minor cleanup on coldfusion_rds 2013-12-10 09:59:36 -06:00
jvazquez-r7 230fcd87a5 Add module for zdi-13-259 2013-12-10 08:45:08 -06:00
Mekanismen 9a6e504bfe fixed path error and description 2013-12-10 09:05:34 +01:00
Mekanismen 313a98b084 moved coldfusion_rds to multi directory and fixed a bug 2013-12-10 08:45:27 +01:00
Mekanismen 0845e3ce37 updated 2013-12-10 00:45:34 +01:00
Mekanismen bca2212f7e updated 2013-12-09 23:28:17 +01:00
Mekanismen 60d32be7d9 updated 2013-12-09 23:10:13 +01:00
Tod Beardsley e737b136cc
Minor grammar/caps fixup for release 2013-12-09 14:01:27 -06:00
Mekanismen 14d12a2ce3 updated 2013-12-09 20:22:26 +01:00
Ramon de C Valle 21661b168b Add cfme_manageiq_evm_upload_exec.rb
This module exploits a path traversal vulnerability in the "linuxpkgs"
action of "agent" controller of the Red Hat CloudForms Management Engine
5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
2013-12-09 16:18:12 -02:00
Mekanismen 67415808da added exploit module for CVE-2013-0632 2013-12-09 15:18:34 +01:00
sinn3r 2f6a77861a
Land #2731 - vBulletin nodeid SQL injection (exploit) 2013-12-09 02:22:07 -06:00
jvazquez-r7 f77784cd0d
Land #2723, @denandz's module for OSVDB-100423 2013-12-06 17:32:07 -06:00
jvazquez-r7 3729c53690 Move uptime_file_upload to the correct location 2013-12-06 15:57:52 -06:00
jvazquez-r7 2ff9c31747 Do minor clean up on uptime_file_upload 2013-12-06 15:57:22 -06:00
jvazquez-r7 d47292ba10 Add module for CVE-2013-3522 2013-12-06 13:50:12 -06:00
Meatballs 6f02744d46
Land #2730 Typo in mswin_tiff_overflow 2013-12-06 12:32:37 +00:00
Meatballs 3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.

Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r 89ef1d4720 Fix a typo in mswin_tiff_overflow 2013-12-06 00:44:12 -06:00
DoI 3d327363af uptime_file_upload code tidy-ups 2013-12-06 13:45:22 +13:00
jvazquez-r7 e4c6413643
Land #2718, @wchen-r7's deletion of @peer on HttpClient modules 2013-12-05 17:25:59 -06:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
DoI 07294106cb Removed redundant content-type parameter 2013-12-05 14:18:26 +13:00
DoI cfffd80d22 Added uptime_file_upload exploit module 2013-12-05 11:56:05 +13:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
Tod Beardsley f5a45bfe52
@twitternames not supported for author fields
It's kind of a dumb reason but there are metasploit metadata parsers out
there that barf all over @names. They assume user@email.address. Should
be fixed some day.
2013-12-04 13:31:22 -06:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
sinn3r bf3489203a I missed this one 2013-12-03 13:13:14 -06:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
jvazquez-r7 2d77ed58d5
Land #2648, @pnegry's exploit for Kaseya File Upload 2013-12-03 09:35:05 -06:00
jvazquez-r7 2606a6ff0e Do minor clean up for kaseya_uploadimage_file_upload 2013-12-03 09:34:25 -06:00
Thomas Hibbert 21bb8fd25a Update based on jvazquez's suggestions. 2013-12-03 13:49:31 +13:00
jvazquez-r7 47bff9a416
Land #2711, @Mekanismen exploit for wordpress OptimizePress theme 2013-12-02 16:30:24 -06:00
jvazquez-r7 5c3ca1c8ec Fix title 2013-12-02 16:30:01 -06:00
jvazquez-r7 c32b734680 Fix regex 2013-12-02 16:24:21 -06:00
Tod Beardsley 55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
jvazquez-r7 79a6f8c2ea Clean php_wordpress_optimizepress 2013-12-02 15:43:41 -06:00
jvazquez-r7 41f8a34683 Use attempts 2013-12-02 08:43:22 -06:00
jvazquez-r7 433d21730e Add ATTEMPTS option 2013-12-02 08:42:25 -06:00
jvazquez-r7 b9192c64aa Fix @wchen-r7's feedback 2013-12-01 19:55:53 -06:00
Mekanismen 57b7d89f4d Updated 2013-12-01 09:06:41 +01:00
Mekanismen 045b848a30 added exploit module for optimizepress 2013-11-30 21:51:56 +01:00
jvazquez-r7 3417c4442a Make check really better 2013-11-30 09:47:34 -06:00
jvazquez-r7 749e6bd65b Do better check method 2013-11-30 09:46:22 -06:00
jvazquez-r7 0a7c0eea78 Fix references 2013-11-29 23:13:07 -06:00
jvazquez-r7 691d47f3a3 Add module for ZDI-13-255 2013-11-29 23:11:44 -06:00
sinn3r 8817c0eee0 Change description a bit
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
jvazquez-r7 807e2dfd31 Fix title 2013-11-28 10:53:12 -06:00
jvazquez-r7 7dee4ffd4d Add module for ZDI-13-270 2013-11-28 10:47:04 -06:00
Thomas Hibbert d1e4975f76 Use res.get_cookies instead of homebrew parse. Use _cgi 2013-11-28 16:35:36 +13:00
sinn3r a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection 2013-11-27 19:10:44 -06:00
OJ 0b879d8f39 Comments for WfsDelay, adjustment to injection
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.

This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Thomas Hibbert bb0753fcdd Updated module to comply with indentation standard and to use suggestions from reviewers 2013-11-27 16:00:00 +13:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
sinn3r a914fbc400
Land #2693 - case sensitive 2013-11-26 11:16:57 -06:00
Tod Beardsley 671c0d9473
Fix nokogiri typo
[SeeRM #8730]
2013-11-26 10:54:31 -06:00
jvazquez-r7 253719d70c Fix title 2013-11-26 08:11:29 -06:00
jvazquez-r7 6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906 2013-11-25 22:04:26 -06:00
jvazquez-r7 0079413e81 Full revert the change 2013-11-25 22:04:02 -06:00
sinn3r fa97c9fa7c Revert this change 2013-11-25 20:54:39 -06:00
sinn3r 3247106626 Heap spray adjustment by @jvazquez-r7 2013-11-25 20:50:53 -06:00
jvazquez-r7 4c249bb6e9 Fix heap spray 2013-11-25 20:06:42 -06:00
sinn3r 385381cde2 Change target address
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
sinn3r 57f4f68559
Land #2652 - Apache Roller OGNL Injection 2013-11-25 15:14:35 -06:00
sinn3r 8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln 2013-11-25 13:06:09 -06:00
sinn3r 4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln 2013-11-25 12:58:45 -06:00
bcoles a03cfce74c Add table prefix and doc root as fallback options 2013-11-25 17:44:26 +10:30
sinn3r fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability 2013-11-24 00:47:14 -06:00
bcoles d8700314e7 Add Kimai v0.9.2 'db_restore.php' SQL Injection module 2013-11-24 02:32:16 +10:30
sinn3r 9987ec0883 Hmm, change ranking 2013-11-23 00:51:58 -06:00
sinn3r 6ccc3e3c48 Make payload execution more stable 2013-11-23 00:47:45 -06:00
sinn3r d748fd4003 Final commit 2013-11-22 23:35:26 -06:00
sinn3r f871452b97 Slightly change the description
Because it isn't that slow
2013-11-22 19:27:00 -06:00
sinn3r eddedd4746 Working version 2013-11-22 19:14:56 -06:00
jvazquez-r7 7e4487b93b Update description 2013-11-22 17:37:23 -06:00
sinn3r c8fd761c53 Progress 2013-11-22 16:57:29 -06:00
jvazquez-r7 a7ad107e88 Add ruby code for ms13-022 2013-11-22 16:41:56 -06:00
sinn3r 953a96fc2e This one looks promising 2013-11-22 12:27:10 -06:00
sinn3r 8476ca872e More progress 2013-11-22 11:53:57 -06:00
sinn3r f1d181afc7 Progress 2013-11-22 04:51:55 -06:00
sinn3r 6d5c1c230c Progress 2013-11-22 03:55:40 -06:00
sinn3r 4d2253fe35 Diet 2013-11-22 02:25:09 -06:00
sinn3r 8382d31f46 More progress 2013-11-21 18:48:12 -06:00
jvazquez-r7 885fedcc3b Fix target name 2013-11-21 17:42:31 -06:00
sinn3r 22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2 2013-11-21 15:30:42 -06:00
sinn3r 56d1c545e7 Oh look, more code 2013-11-21 14:42:07 -06:00
jvazquez-r7 851cf6f0d1
Land #2650, @pnegry's exploit for DesktopCentral 8 2013-11-21 09:30:17 -06:00
jvazquez-r7 77aa665385 Add Privileged flag 2013-11-21 09:28:28 -06:00
jvazquez-r7 2ab3ab8b66 Delete empty Payload metadata section 2013-11-21 09:27:25 -06:00
jvazquez-r7 6bd3c4c887 Fix target name 2013-11-21 09:07:25 -06:00
jvazquez-r7 4c2ad4ca9a Fix metadata 2013-11-21 09:06:47 -06:00
jvazquez-r7 8e4c5dbb5e improve upload_file response check 2013-11-21 09:02:11 -06:00
jvazquez-r7 8fdfeb73db Fix use of FileDropper and improve check method 2013-11-21 09:01:41 -06:00
jvazquez-r7 4abf01c64c Clean indentation 2013-11-21 08:32:54 -06:00
sinn3r ddd5b0abb9 More progress 2013-11-21 04:27:41 -06:00
sinn3r e13e457d8f Progress 2013-11-20 17:11:13 -06:00
William Vu 9f45121b23 Remove EOL spaces 2013-11-20 15:08:13 -06:00
jvazquez-r7 cec4166766 Fix description 2013-11-20 12:49:22 -06:00
jvazquez-r7 18e69bee8c Make OGNL expressions compatible with struts 2.0.11.2 2013-11-20 12:42:10 -06:00
sinn3r 94e13a0b8a Initial commit of CVE-2013-3906 2013-11-19 23:10:32 -06:00
Thomas Hibbert 4cc20f163b Update References field to be compliant. 2013-11-20 13:01:21 +13:00