William Vu
19319f15d4
Land #7626 , Eir D1000 modem exploit
2017-01-04 17:02:39 -06:00
Pedro Ribeiro
d95a3ff2ac
made changes suggested
2017-01-04 23:02:10 +00:00
William Vu
b0e79076fe
Switch to wget CmdStager and tune timing
...
We don't want to trample the device with requests.
2017-01-04 16:42:53 -06:00
William Vu
94d76cfb06
Merge remote-tracking branch 'upstream/master' into tr-069-ntpserver-command-injection
2017-01-03 17:04:04 -06:00
Adam Cammack
fe0a3c8669
Update themoon exploit to use wget command stager
2017-01-03 15:50:57 -06:00
Pedro Ribeiro
9d3e90e8e5
cleanup
2017-01-02 17:32:38 +00:00
Pedro Ribeiro
4c29d23c8a
further cleaning
2016-12-31 17:02:34 +00:00
Pedro Ribeiro
956602cbfe
add final wnr2000 sploits
2016-12-31 16:49:05 +00:00
William Vu
9d0ada9b83
Land #7749 , make drb_remote_codeexec great again
2016-12-28 06:11:48 -06:00
William Vu
cfca4b121c
Clean up module
2016-12-28 06:10:46 -06:00
William Vu
afd8315e1d
Remove apache_continuum_cmd_exec CmdStager flavor
...
It is inferred from the platform, and we don't want to override it
needlessly. :bourne is what worked during testing, but it won't always
work. Now we can override the flavor with CMDSTAGER::FLAVOR.
2016-12-27 16:24:16 -06:00
Pedro Ribeiro
870e8046b5
add sploits
2016-12-27 21:12:35 +00:00
joernchen of Phenoelit
679ebf31bd
Minor fix to make dRuby great again
2016-12-23 15:12:22 +01:00
joernchen of Phenoelit
d69acd116d
Make dRuby great again
2016-12-22 15:37:16 +01:00
Tod Beardsley
a4f681ae35
Add quoted hex encoding
2016-12-06 09:05:35 -06:00
Tod Beardsley
d549c2793f
Fix module filename to be TR-064
2016-12-02 08:49:21 -06:00
Tod Beardsley
9e4e9ae614
Add a reference to the TR-064 spec
2016-12-02 08:48:09 -06:00
Tod Beardsley
ddac5600e3
Reference TR-064, not TR-069
2016-12-02 08:45:15 -06:00
William Vu
1d6ee7192a
Land #7427 , new options for nagios_xi_chained_rce
2016-11-30 17:11:02 -06:00
William Vu
3e8cdd1f36
Polish up USER_ID and API_TOKEN options
2016-11-30 17:10:52 -06:00
Tod Beardsley
43cd788350
Switch back to echo as cmdstager flavor
2016-11-30 10:18:09 -06:00
Tod Beardsley
b75fbd454a
Add missing peer in vprint_error
2016-11-30 07:59:41 -06:00
Tod Beardsley
657d52951b
Linemax 63, switch to printf
2016-11-30 07:51:36 -06:00
Tod Beardsley
08b9684c1a
Add a FORCE_EXPLOIT option for @FireFart
2016-11-29 16:37:13 -06:00
Tod Beardsley
57d156a5e2
Revert "XML encode the command passed"
...
This reverts commit 9952c0ac6f
.
2016-11-29 16:24:26 -06:00
Tod Beardsley
b7904fe0cc
Oh silly delimiters and lack thereof
2016-11-29 15:53:05 -06:00
Tod Beardsley
9952c0ac6f
XML encode the command passed
2016-11-29 15:49:55 -06:00
Tod Beardsley
851aae3f15
Oops, wrong module
...
This reverts commit d55d2099c5
.
2016-11-29 15:15:18 -06:00
Tod Beardsley
d55d2099c5
Just one platform thanks
2016-11-29 15:08:45 -06:00
Tod Beardsley
4d6b2dfb46
Use CmdStager instead
...
Oh, and this is totally untested as of this commit.
2016-11-29 15:03:38 -06:00
Tod Beardsley
8de17981c3
Get rid of the WiFi key stealer
2016-11-29 14:48:04 -06:00
Tod Beardsley
75bcf82a09
Never set DefaultPaylod, reverse target options
2016-11-29 14:43:10 -06:00
Tod Beardsley
f55f578f8c
Title, desc, authors, refs
2016-11-29 14:39:38 -06:00
Tod Beardsley
d691b86443
First commit of Kenzo's original exploit
...
This is a work in progress, and is merely the copy-paste
of the original PoC exploit from:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
2016-11-29 09:13:52 -06:00
x2020
6f70323460
Minor misspelling mistakes and corrected the check of the mysqld process
2016-11-25 19:03:23 +00:00
x2020
1119dc4abe
Targets set to automatic
...
removed targets and set only automatic
the targets weren't used so there's no funcionallity loss
2016-11-25 17:35:28 +00:00
Brent Cook
59f3c9e769
Land #7579 , rename netfilter_priv_esc to rename netfilter_priv_esc_ipv4
2016-11-21 17:59:29 -06:00
Prateep Bandharangshi
8869ebfe9b
Fix incorrect disclosure date for OpenNMS exploit
...
Disclosure date was Nov 2015, not Nov 2014
2016-11-21 16:44:36 +00:00
William Webb
6c6221445c
Land #7543 , Create exploit for CVE-2016-6563 / Dlink DIR HNAP Login
2016-11-21 09:59:50 -06:00
Brent Cook
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
Brent Cook
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
x2020
acfd214195
Mysql privilege escalation
...
Documentation, compiled binary and final implementation.
Completed the documentation, added the missing compiled binary and a
final and tested implementation of the module.
2016-11-19 11:24:29 +00:00
h00die
cfd31e32c6
renaming per @bwatters-r7 comment in #7491
2016-11-18 13:52:09 -05:00
wchen-r7
4596785217
Land #7450 , PowerShellEmpire Arbitrary File Upload
2016-11-17 17:47:15 -06:00
Brendan
18bafaa2e7
Land #7531 , Fix drb_remote_codeexec and create targets
2016-11-16 12:58:22 -06:00
Brent Cook
b56b6a49ac
Land #7328 , Extend lsa_transname_heap exploit to MIPS
2016-11-15 07:37:19 -06:00
Jeffrey Martin
c458d662ed
report correct credential status as successful
2016-11-14 12:27:22 -06:00
Jeffrey Martin
4ae90cbbef
Land #7191 , Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE.
2016-11-14 12:06:02 -06:00
Pedro Ribeiro
908713ce68
remove whitespace at end of module name
2016-11-14 08:35:34 +00:00
Pearce Barry
9eb9d612ca
Minor typo fixups.
2016-11-11 16:54:16 -06:00
Pearce Barry
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
Pedro Ribeiro
50f578ba79
Add full disclosure link
2016-11-08 22:15:19 +00:00
Pedro Ribeiro
95bd950133
Point to proper link on github
2016-11-07 17:59:29 +00:00
Pedro Ribeiro
f268c28415
Create dlink_hnap_login_bof.rb
2016-11-07 17:45:37 +00:00
William Vu
da356e7d62
Remove Compat hash to allow more payloads
2016-11-04 13:57:05 -05:00
William Vu
f0c89ffb56
Refactor module and use FileDropper
2016-11-04 13:57:05 -05:00
William Vu
6d7cf81429
Update references
2016-11-04 13:57:05 -05:00
William Vu
009d6a45aa
Update description
2016-11-04 13:57:05 -05:00
William Vu
bf7936adf5
Add instance_eval and syscall targets
2016-11-04 13:57:05 -05:00
Brendan
dae1f26313
Land #7521 , Modernize TLS protocol configuration for SMTP / SQL Server
2016-11-03 12:56:50 -05:00
William Vu
eca4b73aab
Land #7499 , check method for pkexec exploit
2016-11-03 10:59:06 -05:00
William Vu
1c746c0f93
Prefer CheckCode::Detected
2016-11-03 11:14:48 +01:00
William Vu
2cdff0f414
Fix check method
2016-11-03 11:14:48 +01:00
William Webb
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
Brent Cook
f8912486df
fix typos
2016-11-01 05:43:03 -05:00
OJ
3c56f1e1f7
Remove commented x64 arch from sock_sendpage
2016-11-01 01:29:11 +10:00
Alex Flores
45d6012f2d
fix check method
2016-10-30 14:57:42 -04:00
OJ
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
Quentin Kaiser
c7b775ac1c
Fix detection following @bwatters-r7 recommendations. Remove safesync exploit that shouldn't be here.
2016-10-28 18:03:56 +00:00
OJ
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
Julien (jvoisin) Voisin
23ab4f1fc1
Remove one last tab
2016-10-27 12:32:40 +02:00
Julien (jvoisin) Voisin
d9f07183bd
Please h00die ;)
2016-10-27 12:18:33 +02:00
Julien (jvoisin) Voisin
2ac54f5028
Add a check for the linux pkexec module
2016-10-27 10:28:13 +02:00
wolfthefallen
684feb6b50
moved STAGE0 and STAGE1 into datastore
2016-10-18 11:47:38 -04:00
wolfthefallen
e806466fe3
correct carriage return and link issue
2016-10-17 10:31:39 -04:00
wolfthefallen
7e68f7d2a4
EmpirePowerShell Arbitrary File Upload (Skywalker)
2016-10-17 10:03:07 -04:00
h00die
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
William Webb
5e7d546fa2
Land #7094 , OpenNMS Java Object Deserialization RCE Module
2016-10-14 13:19:11 -05:00
Brent Cook
cfddc734a8
Land #7286 , WiFi pineapple preconfig command injection module
2016-10-14 12:57:42 -05:00
Brent Cook
e05a325786
Land #7285 , WiFi pineapple command injection via authentication bypass
2016-10-14 12:57:05 -05:00
h00die
12493d5c06
moved c code to external sources
2016-10-13 20:37:03 -04:00
h00die
9d2355d128
removed debug line
2016-10-10 10:23:51 -04:00
h00die
2ad82ff8e3
more nagios versatility
2016-10-10 10:21:49 -04:00
Pearce Barry
7b84e961ed
Minor output correction.
2016-10-09 19:01:06 -05:00
h00die
7e6facd87f
added wrong file
2016-10-09 09:49:58 -04:00
h00die
2c4a069e32
prepend fork fix
2016-10-09 09:40:44 -04:00
h00die
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
h00die
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
h00die
75bea08e0e
changing branches
2016-10-04 21:08:12 -04:00
h00die
e6daef62b4
egypt
2016-10-03 20:24:59 -04:00
h00die
7b0a8784aa
additional doc updates
2016-09-29 19:02:16 -04:00
h00die
bac4a25b2c
compile or nill
2016-09-29 06:15:17 -04:00
h00die
4fac5271ae
slight cleanup
2016-09-29 05:51:13 -04:00
h00die
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
jvoisin
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
William Vu
988471b860
Land #7372 , useless use of cat fix
...
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
William Vu
3033c16da6
Add missing rank
2016-09-28 16:37:04 -05:00
jvoisin
b46073b34a
Replace `cat` with Ruby's `read_file`
...
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
William Vu
45ee59581b
Fix inverted logic in Docker exploit
...
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.
Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
Julien (jvoisin) Voisin
dbb2abeda1
Remove the `cat $FILE | grep $PATTERN` anti-pattern
...
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
Pearce Barry
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
h00die
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
h00die
7646771dec
refactored for live compile or drop binary
2016-09-22 20:07:07 -04:00
Brent Cook
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
Brendan
04f8f7a0ea
Land #7266 , Add Kaltura Remote PHP Code Execution
2016-09-21 17:14:49 -05:00
Mehmet Ince
2d3c167b78
Grammar changes again.
2016-09-20 23:51:12 +03:00
Mehmet Ince
0f16393220
Yet another grammar changes
2016-09-20 19:48:40 +03:00
Mehmet Ince
fb00d1c556
Another minor grammer changes
2016-09-20 19:23:28 +03:00
Brendan
251421e4a7
Minor grammar changes
2016-09-20 10:37:39 -05:00
Mehmet Ince
385428684f
Move module and docs under the exploit/linux/http folder
2016-09-20 12:45:23 +03:00
David Maloney
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
h00die
edd1704080
reexploit and other docs and edits added
2016-09-18 09:01:41 -04:00
h00die
4f85a1171f
reexploit and other docs and edits added
2016-09-18 08:51:27 -04:00
Thao Doan
d2100bfc4e
Land #7301 , Support URIHOST for exim4_dovecot_exec for NAT
2016-09-16 12:49:57 -07:00
Thao Doan
7c396dbf59
Use URIHOST
2016-09-16 12:48:54 -07:00
William Vu
4d0643f4d1
Add missing DefaultTarget to Docker exploit
2016-09-16 13:09:00 -05:00
William Vu
da516cb939
Land #7027 , Docker privesc exploit
2016-09-16 12:44:21 -05:00
William Vu
e3060194c6
Fix formatting in ubiquiti_airos_file_upload
...
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
Jan Mitchell
7393d91bfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2016-09-16 10:46:44 +01:00
h00die
4be4bcf7eb
forgot updates
2016-09-16 02:08:09 -04:00
h00die
2e42e0f091
first commit
2016-09-16 01:54:49 -04:00
David Maloney
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
David Maloney
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
William Vu
c6214d9c5e
Fix and clean module
2016-09-14 14:36:29 -05:00
Brent Cook
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
aushack
11342356f8
Support LHOST for metasploit behind NAT
2016-09-13 11:23:49 +10:00
catatonic
c06ee991ed
Adding WiFi pineapple command injection via authenticaiton bypass.
2016-09-06 17:22:25 -07:00
catatonic
8d40dddc17
Adding WiFi pineapple preconfig command injection module.
2016-09-06 17:18:36 -07:00
Quentin Kaiser
e4d118108a
Trend Micro SafeSync exploit.
2016-09-06 19:33:23 +00:00
William Vu
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
Jan Mitchell
411689aa44
Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router
2016-09-01 10:05:13 +01:00
Pearce Barry
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
William Vu
2b6576b038
Land #7012 , Linux service persistence module
2016-08-17 22:45:35 -05:00
William Vu
c64d91457f
Land #7003 , cron/crontab persistence module
2016-08-17 22:45:16 -05:00
wchen-r7
c64e1b8fe6
Land #7181 , NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance
2016-08-08 16:04:33 -05:00
wchen-r7
cb04ff48bc
Land #7180 , Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE
2016-08-08 15:55:39 -05:00
wchen-r7
8654baf3dd
Land #6880 , add a module for netcore/netdis udp 53413 backdoor
2016-08-08 15:43:34 -05:00
wchen-r7
f98efb1345
Fix typos
2016-08-08 15:41:03 -05:00
Quentin Kaiser
1320647f31
Exploit for Trend Micro Smart Protection Server (CVE-2016-6267).
2016-08-08 18:47:46 +00:00
Pedro Ribeiro
3b64b891a6
Update nuuo_nvrmini_unauth_rce.rb
2016-08-05 21:53:25 +01:00
Pedro Ribeiro
746ba4d76c
Add bugtraq reference
2016-08-05 21:53:08 +01:00
Pedro Ribeiro
2aca610095
Add github link
2016-08-04 17:38:31 +01:00
Pedro Ribeiro
7d8dc9bc82
Update nuuo_nvrmini_unauth_rce.rb
2016-08-04 17:38:14 +01:00
Pedro Ribeiro
b48518099c
add exploit for CVE 2016-5674
2016-08-04 16:55:21 +01:00
Pedro Ribeiro
0deac80d61
add exploit for CVE 2016-5675
2016-08-04 16:54:38 +01:00
wchen-r7
1e1866f583
Fix #7158 , tiki_calendar_exec incorrectly reports successful login
...
Fix #7158
2016-07-28 17:03:31 -05:00
Vex Woo
864989cf6c
For echo command
2016-07-26 20:27:23 -05:00
Brendan
4720d77c3a
Land #6965 , centreon useralias exec
2016-07-26 15:02:36 -07:00
James Lee
b057a9486c
Don't use ssh agent
2016-07-19 17:07:22 -05:00
James Lee
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00