Commit Graph

1396 Commits (35bc1fbf28d7c2acdff2d003cdaf615d2494ac91)

Author SHA1 Message Date
William Vu 19319f15d4
Land #7626, Eir D1000 modem exploit 2017-01-04 17:02:39 -06:00
Pedro Ribeiro d95a3ff2ac made changes suggested 2017-01-04 23:02:10 +00:00
William Vu b0e79076fe Switch to wget CmdStager and tune timing
We don't want to trample the device with requests.
2017-01-04 16:42:53 -06:00
William Vu 94d76cfb06 Merge remote-tracking branch 'upstream/master' into tr-069-ntpserver-command-injection 2017-01-03 17:04:04 -06:00
Adam Cammack fe0a3c8669
Update themoon exploit to use wget command stager 2017-01-03 15:50:57 -06:00
Pedro Ribeiro 9d3e90e8e5 cleanup 2017-01-02 17:32:38 +00:00
Pedro Ribeiro 4c29d23c8a further cleaning 2016-12-31 17:02:34 +00:00
Pedro Ribeiro 956602cbfe add final wnr2000 sploits 2016-12-31 16:49:05 +00:00
William Vu 9d0ada9b83
Land #7749, make drb_remote_codeexec great again 2016-12-28 06:11:48 -06:00
William Vu cfca4b121c Clean up module 2016-12-28 06:10:46 -06:00
William Vu afd8315e1d
Remove apache_continuum_cmd_exec CmdStager flavor
It is inferred from the platform, and we don't want to override it
needlessly. :bourne is what worked during testing, but it won't always
work. Now we can override the flavor with CMDSTAGER::FLAVOR.
2016-12-27 16:24:16 -06:00
Pedro Ribeiro 870e8046b5 add sploits 2016-12-27 21:12:35 +00:00
joernchen of Phenoelit 679ebf31bd Minor fix to make dRuby great again 2016-12-23 15:12:22 +01:00
joernchen of Phenoelit d69acd116d Make dRuby great again 2016-12-22 15:37:16 +01:00
Tod Beardsley a4f681ae35
Add quoted hex encoding 2016-12-06 09:05:35 -06:00
Tod Beardsley d549c2793f
Fix module filename to be TR-064 2016-12-02 08:49:21 -06:00
Tod Beardsley 9e4e9ae614
Add a reference to the TR-064 spec 2016-12-02 08:48:09 -06:00
Tod Beardsley ddac5600e3
Reference TR-064, not TR-069 2016-12-02 08:45:15 -06:00
William Vu 1d6ee7192a
Land #7427, new options for nagios_xi_chained_rce 2016-11-30 17:11:02 -06:00
William Vu 3e8cdd1f36 Polish up USER_ID and API_TOKEN options 2016-11-30 17:10:52 -06:00
Tod Beardsley 43cd788350
Switch back to echo as cmdstager flavor 2016-11-30 10:18:09 -06:00
Tod Beardsley b75fbd454a
Add missing peer in vprint_error 2016-11-30 07:59:41 -06:00
Tod Beardsley 657d52951b
Linemax 63, switch to printf 2016-11-30 07:51:36 -06:00
Tod Beardsley 08b9684c1a
Add a FORCE_EXPLOIT option for @FireFart 2016-11-29 16:37:13 -06:00
Tod Beardsley 57d156a5e2
Revert "XML encode the command passed"
This reverts commit 9952c0ac6f.
2016-11-29 16:24:26 -06:00
Tod Beardsley b7904fe0cc
Oh silly delimiters and lack thereof 2016-11-29 15:53:05 -06:00
Tod Beardsley 9952c0ac6f
XML encode the command passed 2016-11-29 15:49:55 -06:00
Tod Beardsley 851aae3f15 Oops, wrong module
This reverts commit d55d2099c5.
2016-11-29 15:15:18 -06:00
Tod Beardsley d55d2099c5
Just one platform thanks 2016-11-29 15:08:45 -06:00
Tod Beardsley 4d6b2dfb46
Use CmdStager instead
Oh, and this is totally untested as of this commit.
2016-11-29 15:03:38 -06:00
Tod Beardsley 8de17981c3
Get rid of the WiFi key stealer 2016-11-29 14:48:04 -06:00
Tod Beardsley 75bcf82a09
Never set DefaultPaylod, reverse target options 2016-11-29 14:43:10 -06:00
Tod Beardsley f55f578f8c
Title, desc, authors, refs 2016-11-29 14:39:38 -06:00
Tod Beardsley d691b86443
First commit of Kenzo's original exploit
This is a work in progress, and is merely the copy-paste
of the original PoC exploit from:

https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
2016-11-29 09:13:52 -06:00
x2020 6f70323460 Minor misspelling mistakes and corrected the check of the mysqld process 2016-11-25 19:03:23 +00:00
x2020 1119dc4abe Targets set to automatic
removed targets and set only automatic
the targets weren't used so there's no funcionallity loss
2016-11-25 17:35:28 +00:00
Brent Cook 59f3c9e769
Land #7579, rename netfilter_priv_esc to rename netfilter_priv_esc_ipv4 2016-11-21 17:59:29 -06:00
Prateep Bandharangshi 8869ebfe9b Fix incorrect disclosure date for OpenNMS exploit
Disclosure date was Nov 2015, not Nov 2014
2016-11-21 16:44:36 +00:00
William Webb 6c6221445c
Land #7543, Create exploit for CVE-2016-6563 / Dlink DIR HNAP Login 2016-11-21 09:59:50 -06:00
Brent Cook 005d34991b update architecture 2016-11-20 19:09:33 -06:00
Brent Cook f313389be4 Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch 2016-11-20 19:08:56 -06:00
x2020 acfd214195 Mysql privilege escalation
Documentation, compiled binary and final implementation.
Completed the documentation, added the missing compiled binary and a
final and tested implementation of the module.
2016-11-19 11:24:29 +00:00
h00die cfd31e32c6 renaming per @bwatters-r7 comment in #7491 2016-11-18 13:52:09 -05:00
wchen-r7 4596785217
Land #7450, PowerShellEmpire Arbitrary File Upload 2016-11-17 17:47:15 -06:00
Brendan 18bafaa2e7
Land #7531, Fix drb_remote_codeexec and create targets 2016-11-16 12:58:22 -06:00
Brent Cook b56b6a49ac
Land #7328, Extend lsa_transname_heap exploit to MIPS 2016-11-15 07:37:19 -06:00
Jeffrey Martin c458d662ed
report correct credential status as successful 2016-11-14 12:27:22 -06:00
Jeffrey Martin 4ae90cbbef
Land #7191, Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE. 2016-11-14 12:06:02 -06:00
Pedro Ribeiro 908713ce68 remove whitespace at end of module name 2016-11-14 08:35:34 +00:00
Pearce Barry 9eb9d612ca
Minor typo fixups. 2016-11-11 16:54:16 -06:00
Pearce Barry 1dae206fde
Land #7379, Linux Kernel BPF Priv Esc (CVE-2016-4557) 2016-11-11 16:50:20 -06:00
Pedro Ribeiro 50f578ba79 Add full disclosure link 2016-11-08 22:15:19 +00:00
Pedro Ribeiro 95bd950133 Point to proper link on github 2016-11-07 17:59:29 +00:00
Pedro Ribeiro f268c28415 Create dlink_hnap_login_bof.rb 2016-11-07 17:45:37 +00:00
William Vu da356e7d62 Remove Compat hash to allow more payloads 2016-11-04 13:57:05 -05:00
William Vu f0c89ffb56 Refactor module and use FileDropper 2016-11-04 13:57:05 -05:00
William Vu 6d7cf81429 Update references 2016-11-04 13:57:05 -05:00
William Vu 009d6a45aa Update description 2016-11-04 13:57:05 -05:00
William Vu bf7936adf5 Add instance_eval and syscall targets 2016-11-04 13:57:05 -05:00
Brendan dae1f26313
Land #7521, Modernize TLS protocol configuration for SMTP / SQL Server 2016-11-03 12:56:50 -05:00
William Vu eca4b73aab
Land #7499, check method for pkexec exploit 2016-11-03 10:59:06 -05:00
William Vu 1c746c0f93 Prefer CheckCode::Detected 2016-11-03 11:14:48 +01:00
William Vu 2cdff0f414 Fix check method 2016-11-03 11:14:48 +01:00
William Webb 31b593ac67
Land #7402, Add Linux local privilege escalation via overlayfs 2016-11-01 12:46:40 -05:00
Brent Cook f8912486df fix typos 2016-11-01 05:43:03 -05:00
OJ 3c56f1e1f7
Remove commented x64 arch from sock_sendpage 2016-11-01 01:29:11 +10:00
Alex Flores 45d6012f2d fix check method 2016-10-30 14:57:42 -04:00
OJ 57eabda5dc
Merge upstream/master 2016-10-29 13:54:31 +10:00
Quentin Kaiser c7b775ac1c Fix detection following @bwatters-r7 recommendations. Remove safesync exploit that shouldn't be here. 2016-10-28 18:03:56 +00:00
OJ 1d617ae389
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00
Julien (jvoisin) Voisin 23ab4f1fc1 Remove one last tab 2016-10-27 12:32:40 +02:00
Julien (jvoisin) Voisin d9f07183bd Please h00die ;) 2016-10-27 12:18:33 +02:00
Julien (jvoisin) Voisin 2ac54f5028 Add a check for the linux pkexec module 2016-10-27 10:28:13 +02:00
wolfthefallen 684feb6b50 moved STAGE0 and STAGE1 into datastore 2016-10-18 11:47:38 -04:00
wolfthefallen e806466fe3 correct carriage return and link issue 2016-10-17 10:31:39 -04:00
wolfthefallen 7e68f7d2a4 EmpirePowerShell Arbitrary File Upload (Skywalker) 2016-10-17 10:03:07 -04:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
William Webb 5e7d546fa2
Land #7094, OpenNMS Java Object Deserialization RCE Module 2016-10-14 13:19:11 -05:00
Brent Cook cfddc734a8
Land #7286, WiFi pineapple preconfig command injection module 2016-10-14 12:57:42 -05:00
Brent Cook e05a325786
Land #7285, WiFi pineapple command injection via authentication bypass 2016-10-14 12:57:05 -05:00
h00die 12493d5c06 moved c code to external sources 2016-10-13 20:37:03 -04:00
h00die 9d2355d128 removed debug line 2016-10-10 10:23:51 -04:00
h00die 2ad82ff8e3 more nagios versatility 2016-10-10 10:21:49 -04:00
Pearce Barry 7b84e961ed
Minor output correction. 2016-10-09 19:01:06 -05:00
h00die 7e6facd87f added wrong file 2016-10-09 09:49:58 -04:00
h00die 2c4a069e32 prepend fork fix 2016-10-09 09:40:44 -04:00
h00die 2dfebe586e working cve-2014-0038 2016-10-08 23:58:09 -04:00
h00die 27cf5c65c4 working module 2016-10-04 23:21:53 -04:00
h00die 75bea08e0e changing branches 2016-10-04 21:08:12 -04:00
h00die e6daef62b4 egypt 2016-10-03 20:24:59 -04:00
h00die 7b0a8784aa additional doc updates 2016-09-29 19:02:16 -04:00
h00die bac4a25b2c compile or nill 2016-09-29 06:15:17 -04:00
h00die 4fac5271ae slight cleanup 2016-09-29 05:51:13 -04:00
h00die c036c258a9 cve-2016-4557 2016-09-29 05:23:12 -04:00
jvoisin 2272e15ca2 Remove some anti-patterns, in the same spirit than #7372 2016-09-29 00:15:01 +02:00
William Vu 988471b860
Land #7372, useless use of cat fix
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
William Vu 3033c16da6 Add missing rank 2016-09-28 16:37:04 -05:00
jvoisin b46073b34a Replace `cat` with Ruby's `read_file`
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
William Vu 45ee59581b
Fix inverted logic in Docker exploit
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.

Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
Julien (jvoisin) Voisin dbb2abeda1 Remove the `cat $FILE | grep $PATTERN` anti-pattern
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
Pearce Barry 6382fffc75
Land #7326, Linux Kernel Netfilter Privesc 2016-09-26 12:38:50 -05:00
h00die 23e5556a4c binary drops work! 2016-09-24 21:31:00 -04:00
h00die 7646771dec refactored for live compile or drop binary 2016-09-22 20:07:07 -04:00
Brent Cook 88cef32ea4
Land #7339, SSH module fixes from net:ssh updates 2016-09-22 00:27:32 -05:00
Brendan 04f8f7a0ea
Land #7266, Add Kaltura Remote PHP Code Execution 2016-09-21 17:14:49 -05:00
Mehmet Ince 2d3c167b78
Grammar changes again. 2016-09-20 23:51:12 +03:00
Mehmet Ince 0f16393220
Yet another grammar changes 2016-09-20 19:48:40 +03:00
Mehmet Ince fb00d1c556
Another minor grammer changes 2016-09-20 19:23:28 +03:00
Brendan 251421e4a7 Minor grammar changes 2016-09-20 10:37:39 -05:00
Mehmet Ince 385428684f
Move module and docs under the exploit/linux/http folder 2016-09-20 12:45:23 +03:00
David Maloney e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules 2016-09-19 15:27:37 -05:00
h00die edd1704080 reexploit and other docs and edits added 2016-09-18 09:01:41 -04:00
h00die 4f85a1171f reexploit and other docs and edits added 2016-09-18 08:51:27 -04:00
Thao Doan d2100bfc4e
Land #7301, Support URIHOST for exim4_dovecot_exec for NAT 2016-09-16 12:49:57 -07:00
Thao Doan 7c396dbf59
Use URIHOST 2016-09-16 12:48:54 -07:00
William Vu 4d0643f4d1
Add missing DefaultTarget to Docker exploit 2016-09-16 13:09:00 -05:00
William Vu da516cb939
Land #7027, Docker privesc exploit 2016-09-16 12:44:21 -05:00
William Vu e3060194c6
Fix formatting in ubiquiti_airos_file_upload
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
Jan Mitchell 7393d91bfa Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master 2016-09-16 10:46:44 +01:00
h00die 4be4bcf7eb forgot updates 2016-09-16 02:08:09 -04:00
h00die 2e42e0f091 first commit 2016-09-16 01:54:49 -04:00
David Maloney dfcd5742c1
some more minor fixes
some more minor fixes around broken
ssh modules

7321
2016-09-15 14:25:17 -05:00
David Maloney e10c133eef
fix the exagrid exploit module
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used

7321
2016-09-15 11:44:19 -05:00
William Vu c6214d9c5e Fix and clean module 2016-09-14 14:36:29 -05:00
Brent Cook 7352029497 first round of SSL damage fixes 2016-09-13 17:42:31 -05:00
aushack 11342356f8 Support LHOST for metasploit behind NAT 2016-09-13 11:23:49 +10:00
catatonic c06ee991ed Adding WiFi pineapple command injection via authenticaiton bypass. 2016-09-06 17:22:25 -07:00
catatonic 8d40dddc17 Adding WiFi pineapple preconfig command injection module. 2016-09-06 17:18:36 -07:00
Quentin Kaiser e4d118108a Trend Micro SafeSync exploit. 2016-09-06 19:33:23 +00:00
William Vu fed2ed444f Remove deprecated modules
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
Jan Mitchell 411689aa44 Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router 2016-09-01 10:05:13 +01:00
Pearce Barry 226ded8d7e
Land #6921, Support basic and form auth at the same time 2016-08-25 16:31:26 -05:00
William Vu 2b6576b038
Land #7012, Linux service persistence module 2016-08-17 22:45:35 -05:00
William Vu c64d91457f
Land #7003, cron/crontab persistence module 2016-08-17 22:45:16 -05:00
wchen-r7 c64e1b8fe6
Land #7181, NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance 2016-08-08 16:04:33 -05:00
wchen-r7 cb04ff48bc
Land #7180, Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE 2016-08-08 15:55:39 -05:00
wchen-r7 8654baf3dd
Land #6880, add a module for netcore/netdis udp 53413 backdoor 2016-08-08 15:43:34 -05:00
wchen-r7 f98efb1345 Fix typos 2016-08-08 15:41:03 -05:00
Quentin Kaiser 1320647f31 Exploit for Trend Micro Smart Protection Server (CVE-2016-6267). 2016-08-08 18:47:46 +00:00
Pedro Ribeiro 3b64b891a6 Update nuuo_nvrmini_unauth_rce.rb 2016-08-05 21:53:25 +01:00
Pedro Ribeiro 746ba4d76c Add bugtraq reference 2016-08-05 21:53:08 +01:00
Pedro Ribeiro 2aca610095 Add github link 2016-08-04 17:38:31 +01:00
Pedro Ribeiro 7d8dc9bc82 Update nuuo_nvrmini_unauth_rce.rb 2016-08-04 17:38:14 +01:00
Pedro Ribeiro b48518099c add exploit for CVE 2016-5674 2016-08-04 16:55:21 +01:00
Pedro Ribeiro 0deac80d61 add exploit for CVE 2016-5675 2016-08-04 16:54:38 +01:00
wchen-r7 1e1866f583 Fix #7158, tiki_calendar_exec incorrectly reports successful login
Fix #7158
2016-07-28 17:03:31 -05:00
Vex Woo 864989cf6c For echo command 2016-07-26 20:27:23 -05:00
Brendan 4720d77c3a
Land #6965, centreon useralias exec 2016-07-26 15:02:36 -07:00
James Lee b057a9486c
Don't use ssh agent 2016-07-19 17:07:22 -05:00
James Lee ff63e6e05a
Land #7018, unvendor net-ssh 2016-07-19 17:06:35 -05:00