d5ad683ba6
More doc updates
2018-08-29 10:59:36 -05:00
bb4a4b8839
initial module setup
2018-08-29 10:28:10 -05:00
086ec5bdfb
Fix generated strings in pdf
2018-08-29 06:24:20 -05:00
c486dab574
Updating
...
Thank you bcoles :)
2018-08-29 11:45:08 +05:30
326f006146
Land #10542 , CVE ref for office_ms17_11882 exploit
2018-08-29 00:42:53 -05:00
14fa41a376
merge changes
2018-08-29 06:09:40 +02:00
b373dcc5d4
First draft of module and documentation for struts_namespace_rce against CVE-2018-11776
2018-08-28 16:53:26 -05:00
ba76292c40
Land #10543 , struts2_rest_xstream targeting fixes
2018-08-28 16:50:26 -05:00
f6b868bac2
Prefer regex for target check in exploit method
...
This is how I initially wrote it out, and I think I like it better.
Obviously we'll still check individual symbols in execute_command, since
some of the matching is disjoint.
2018-08-28 15:56:45 -05:00
2958f9a83f
Land #10541 , Correct claymore_dos.py's CVE ref
2018-08-28 15:35:16 -05:00
3dec79da23
Add Windows ARCH_CMD target and refactor again
...
Must have been an oversight that I didn't add the target.
2018-08-28 15:03:41 -05:00
6335d867ec
Add CVE reference to office_ms17_11882 exploit
...
The CVE identifier appears in a GitHub URI but is not referenced separately.
2018-08-28 13:44:01 -05:00
ed60b767a7
Correct claymore_dos.py's CVE reference
...
The CVE reference shouldn't include the `CVE-` prefix
2018-08-28 13:34:02 -05:00
94e8cdac37
Move files to correct location
2018-08-28 12:38:54 -05:00
2986a9538d
Whitespace fix
2018-08-28 11:53:08 -05:00
49c5a91fa7
Add linux target to weblogic_deserialize module
2018-08-28 11:51:04 -05:00
20daba6e2d
fix line endings
2018-08-28 11:33:17 -05:00
d21c108adf
Fix syntax error.
2018-08-28 12:00:31 -04:00
44df7939e9
Added docs. Made suggested code changes.
2018-08-28 10:56:05 -04:00
f1e4079641
move add_thread code to lib/rex/post/meterpreter/extensions/peinjector/peinjector.rb
2018-08-28 09:02:21 -05:00
015abca8af
MSFTidy module
2018-08-28 09:02:21 -05:00
bb151bb727
MSFTidy module
2018-08-28 09:02:21 -05:00
2251c4a712
Add peinjector post module
2018-08-28 09:02:21 -05:00
12e9cf6af7
Version output
2018-08-28 08:20:02 -05:00
f92d2263d0
Add check to weblogic_deserialize module
2018-08-28 08:09:30 -05:00
7431ae401b
fix more errors
2018-08-28 13:49:31 +02:00
a66556b436
fix msftidy errors
2018-08-28 13:12:43 +02:00
7d21c2094e
Improve PSH target and refactor check code
2018-08-27 20:18:35 -05:00
df5f4caaae
Uncomment PSH target in struts2_rest_xstream
...
I'm full of shit. It works.
msf5 exploit(multi/http/struts2_rest_xstream) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Powershell command length: 2467
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49691) at 2018-08-27 20:00:47 -0500
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
2018-08-27 20:01:00 -05:00
0ba1d11218
Add FrontPage Credential Dump
2018-08-27 15:02:39 -04:00
4e45100251
Add FrontPage Credential Dump
2018-08-27 14:20:26 -04:00
53b369d702
avoid inserting a float into instruction generation randomly
2018-08-27 11:24:38 -05:00
47ca6c6a14
Land #10527 , Fix msftdiy EDB link check, enable HTTPS
2018-08-27 10:49:20 -05:00
79b3e4564a
Land #10487 , add php5 session file target
2018-08-27 06:22:28 -05:00
9725e90ba7
Fix msftdiy EDB link check
2018-08-26 04:18:38 +00:00
cb07ba2b6c
Land #10516 , Add brace expansion encoder and update ${IFS} encoder
2018-08-25 22:23:07 -05:00
6df235062b
Land #10505 , post-auth and default creds info
2018-08-24 18:08:15 -05:00
51c024982c
Land #8914 , refactor auxiliary/admin/http credential storage
2018-08-24 13:18:32 -05:00
0141fc109d
don't backtrace if there is not a response
2018-08-24 13:17:06 -05:00
f6674a96d9
Update poc link
2018-08-24 10:52:01 -05:00
7f3824b067
Additional path for Linux target
2018-08-24 07:18:24 -05:00
672dbb7acb
Land #9364 , HP PJL/SNMP CVE-2017-2741 exploit
...
Finally!
2018-08-23 22:47:09 -05:00
318ff95dbd
Remove trailing whitespace from netcat payloads
...
This has been bugging me for so long.
2018-08-23 21:33:58 -05:00
4ff2c1dbe8
Add brace expansion encoder
2018-08-23 21:33:43 -05:00
eeea3356ae
Update ${IFS} encoder
2018-08-23 21:33:42 -05:00
2193dd662d
Land #10504 , add Foxit Reader UAF Module and Docs
2018-08-23 18:56:07 -05:00
ecc6c473d8
Add note about unauthenticated telnetd service
2018-08-23 15:50:41 -04:00
7ceae8df58
Remove '.exe' from share name
2018-08-23 14:38:46 -05:00
56433c8ed2
Functional decomposition refactor and cleanup
2018-08-23 15:23:42 -04:00
961769c346
Fix SNMP Null class comparison
2018-08-23 15:23:42 -04:00
9c05f14a70
Modify SNMP null and error handling
2018-08-23 15:23:42 -04:00
934bb38a44
Omit parentheses for no argument method calls
2018-08-23 15:23:41 -04:00
c5958c6e38
Restore original rport value
2018-08-23 15:23:41 -04:00
70a0b9b1be
Remove payload RequiredCmd and reformat info
2018-08-23 15:23:41 -04:00
dafa62dec4
Use string interpolation over concatenation
2018-08-23 15:23:40 -04:00
7c03454a0b
Remove unnecessary explicit msf/core require
2018-08-23 15:23:40 -04:00
b1a308f3ae
Remove final debug output
2018-08-23 15:23:40 -04:00
e21ea4180f
Clean up module and payload
...
Update module info, remove intermediate ARCH_ARMLE target, simply
options and add cleanup command so that the payload kills telnetd
2018-08-23 15:23:40 -04:00
81f1555439
Rename module, exploits multiple printer models
2018-08-23 15:23:40 -04:00
df18e354e1
Add bind_busybox_telnetd payload, misc cleanup
2018-08-23 15:23:39 -04:00
c0c3e12c74
WIP - hp officejet pro exploit, enhance PJL lib
2018-08-23 14:53:54 -04:00
578d2375d7
Add full disclosure for CVE-2018-15473
2018-08-22 14:49:13 -05:00
b899839c53
Oops I made boo-boos
2018-08-21 08:53:43 -05:00
2780ae6ba9
Update false negatives
2018-08-21 08:50:26 -05:00
fd6880d0d0
Add Foxit Reader UAF Module and Docs
2018-08-21 08:21:51 -05:00
06582a00a0
Add module doc for ssh_enumusers
...
And update description in module.
2018-08-20 19:26:51 -05:00
ad0291e552
Update false negatives
2018-08-20 18:08:19 -05:00
11fee8fa2c
Land #10471 , Import target DefaultOptions into the datastore
2018-08-20 17:30:27 -05:00
d1b8846f12
Land #10479 , Add CVE-2018-15473 to ssh_enumusers
2018-08-20 17:14:58 -05:00
819b8504e2
Add a little better randomization
2018-08-20 17:10:14 -05:00
b38a442bb0
Refactor once more with feeling
...
Also flesh out malformed-packet auth method. Let's not be lazy here. :-)
2018-08-20 16:25:32 -05:00
01ad152067
Update false negatives on post auth information
2018-08-20 16:05:58 -05:00
e8af2dd67c
bool params are truthy, don't cast to a string
2018-08-20 15:53:49 -05:00
3d0d8f7773
Update false negatives on post auth information
2018-08-20 15:43:07 -05:00
7c3810bbff
fix match error in ppc simple nop generator
...
before changes:
```
msf5 nop(ppc/simple) > generate 10
[-] Sled generation failed: undefined method `match' for true:TrueClass.
```
After changes
```
msf5 nop(ppc/simple) > generate 10
buf =
"\x7c\xf6\xc2\x15\x7c\xf6\xc2\x15"
```
2018-08-20 23:16:32 +05:30
107baee0a2
Updating store_loot?
2018-08-20 16:57:09 +05:30
b8b48fd37a
Land #10313 , add linux autostart persistence module
2018-08-20 18:17:50 +08:00
865898cba7
minor fixes
2018-08-20 17:51:41 +08:00
a018d24df4
Fixing some more spaces at EOL
2018-08-20 12:56:59 +05:30
71f8a66f8d
Spaces EOL
2018-08-20 12:45:15 +05:30
0ae5a16c8e
Adding store_loot
2018-08-20 12:24:31 +05:30
a926e0f7a6
Root privilege is required
2018-08-20 11:38:02 +05:30
b9809d9435
Added support for php5 as target
...
location of the session file in php5 is /var/lib/php5/sess_file
2018-08-20 03:47:04 +05:30
6684e5d0eb
PhpMyAdmin creds extractor
2018-08-19 23:40:19 +05:30
cd48e2fb8f
Add Network Manager VPNC Username Privilege Escalation module
2018-08-19 08:15:04 +00:00
ac71bc86ee
Land #10320 , add module for persistence in /etc/rc.local
2018-08-19 15:30:50 +08:00
e38775b504
minor tweaks
2018-08-19 15:27:04 +08:00
75403d7e05
Add testing note about logging
2018-08-17 20:20:12 -05:00
7287779555
Make false positive check optional
...
I couldn't repro this with pubkey-only auth. It also goes to the log.
2018-08-17 20:05:04 -05:00
8e3af2dcfc
Add CVE-2018-15473 to ssh_enumusers
2018-08-17 18:48:44 -05:00
63a58d3378
Code style random name
2018-08-17 14:24:28 +08:00
eb43e4c0bd
Rework status printing
2018-08-17 14:24:28 +08:00
fc234b09c2
Fix HEREDOC not always supported
2018-08-17 14:24:28 +08:00
e82bde993f
Cleanup indentation
2018-08-17 14:24:28 +08:00
c1d929f5fb
Use an HEREDOC for multiline string
2018-08-17 14:24:28 +08:00
e4d6eb07ca
Remove useless statement
2018-08-17 14:24:28 +08:00
9962cbebfd
Support perl payload
2018-08-17 14:24:28 +08:00
6b4870389d
Add autostart module
2018-08-17 14:24:28 +08:00
5096eee2ec
Land #10120 , npm "marked" ReDoS module
2018-08-16 15:01:12 -05:00
3c1befdacb
Clean up module
2018-08-16 15:00:56 -05:00
7e496ae067
Import target DefaultOptions into the datastore
2018-08-16 12:18:02 -05:00
7a20d05fa6
Land #10456 , known_hosts fix for SSH modules
2018-08-15 21:28:08 -05:00
60c0272270
Make style consistent
2018-08-15 21:27:40 -05:00
45e0b53fc8
Fix spacing issue with rocket
2018-08-15 14:59:52 -07:00
cd01f11fd2
Remove verifying host keys for all exploits
2018-08-15 14:54:41 -07:00
79736406b2
Land #10394 , Cleanup aws_ec2_instance_metadata
2018-08-15 14:51:12 -05:00
09434bd57c
Fix tabbing caused by incorrect VM nvim configuration
2018-08-15 07:00:45 -07:00
905f26372d
Remove host key checks on ssh scanner modules
2018-08-15 06:48:35 -07:00
85a137e0a0
Land #10420 , cgit < 1.2.1 Directory Traversal
2018-08-13 16:25:23 -05:00
5a3d040d71
Fix module, Add documentation
2018-08-13 15:48:21 -05:00
ce8cbd64d4
Land #10404 , Add Path Traversal Oracle GlassFish
2018-08-13 11:15:26 -05:00
41dd8a62cb
rename class name
...
rename for snake case
2018-08-10 17:27:19 +02:00
bb208118c3
Ruby decrypt
...
The decryption of the key in the msf has been added
2018-08-10 16:25:33 +02:00
d9fc99ec4a
Correct false negative post_auth? status
2018-08-09 23:34:03 -05:00
9122c5945e
Add a comment explaining the last sleep(10)
2018-08-09 14:51:56 -05:00
66e5685ed2
Moved to exploit/windows
2018-08-09 11:35:14 -05:00
228bd4c3ab
Add weblogic_deserialize module CVE-2018-2628
2018-08-08 17:55:41 -05:00
6223685c37
Update auth requirement for json metadata
2018-08-07 16:42:00 -05:00
0e8180f263
delete space
...
delete bad spaces
2018-08-06 19:01:32 +02:00
5e7a77dea8
add new functiom
...
added checking directory of VNC
2018-08-06 18:45:24 +02:00
d6a60bd10e
remove dependencies
...
removed not necessary dependencies
2018-08-06 17:20:25 +02:00
e194922855
Add vnc password osx
...
This module show Apple VNC Password from Mac OS X High Sierra.
2018-08-06 17:11:42 +02:00
14b12f38d0
Fixing
2018-08-05 23:26:18 +05:30
9502c26dc1
Updated
2018-08-05 19:14:12 +05:30
8a175f50cd
Indentation
2018-08-05 00:15:04 +05:30
ebcc9a3c20
Fixing Indentation
2018-08-04 19:16:12 +05:30
502c103d37
cgit < 1.2.1 Directory Traversal
2018-08-04 18:52:24 +05:30
78f66986e9
Land #10386 , Add IEC104 client module
2018-08-04 07:43:15 -05:00
ae48ba635a
Land #10417 , Update check method of Hadoop exploit
2018-08-04 07:28:45 -05:00
919da41aab
Land #9692 , Add DoS module for Siemens Siprotec 4
2018-08-04 07:20:57 -05:00
458fca6ff0
Fixing
...
Thanks bcoles
2018-08-04 13:15:25 +05:30
1c82592882
Land #10358 , Add Dicoogle PACS Directory Traversal scanner module
2018-08-04 05:31:16 +00:00
e5dcfa62c9
remove encoding and escaping
2018-08-03 20:23:33 -04:00
dc2f893b31
Amended code formating
...
This commit incorporates suggested formatting changes based on feedback and rubocop tool run:
Corrected indentation issues
Using "<<" instead of "+=" for string append
Modified if/else branches as per tool suggestion
2018-08-03 20:13:48 +02:00
d2c53e1c88
Update the check method.
2018-08-03 01:39:37 -04:00
0785d59146
Land #10412 , Add Cisco directory traversal auxiliary module
2018-08-02 16:44:59 -05:00
d60aa55e07
Modified regex
...
Based on the comment: https://github.com/rapid7/metasploit-framework/pull/10394#discussion_r207042496
2018-08-02 15:55:24 +02:00
8785ec21b6
Land #9884 , add linux ufo priv esc module
2018-08-02 17:53:36 +08:00
ff418afd1a
add a default payload
2018-08-02 17:48:44 +08:00
cbe85acef5
fix bad link in bpf priv esc
2018-08-02 17:28:22 +08:00
1c810249b1
ufo privesc is x64 only
2018-08-02 17:24:44 +08:00
41fdb75502
Land #10405 , Cleanup dropped files for CMSMS
2018-08-01 14:44:33 -05:00
54abc65c55
Land #10406 , Fix notes service, port, protocol
2018-08-01 14:39:34 -05:00
10d4061672
changed default port
2018-08-01 13:30:19 -05:00
de83926e6c
separated list_users into two functions
2018-08-01 12:59:53 -05:00
0264eb2ea3
cleaned up module
2018-08-01 09:51:45 -05:00
4eef9e64ea
Implement dropper target in axis_srv_parhand_rce
2018-07-31 21:43:29 -05:00
021264fd5a
listing files and grabbing logged in user names
2018-07-31 16:03:17 -05:00
090624fe17
Correctly set proto and sname in joomla_pages
2018-07-31 11:51:34 -05:00
41ce96b19d
Clean up module
2018-07-31 11:01:02 -05:00
6c11d5800f
Register files on same line
2018-07-31 10:03:59 -05:00
569ddd9d59
Remove files from application
2018-07-31 09:47:39 -05:00
323c814abf
Fixing some tweaks
2018-07-31 19:52:39 +05:30
55dce52bea
Fixing some tabbed indent
2018-07-31 18:24:28 +05:30
3a7d18a98d
Fixing, Warning of EOL
2018-07-31 18:11:09 +05:30
d9e94f94dc
Oracle GlassFish
2018-07-31 17:59:03 +05:30
80d5d1d4ee
use variable port instead of datastore
2018-07-31 07:38:09 +02:00
b0fa17ccfb
Better output added to joomla_pages
2018-07-31 07:29:56 +02:00
bcfb3d099b
Land #10255 , Adding Micro Focus Secure Messaging Gateway RCE
2018-07-30 21:07:02 -05:00
48a903f0b3
Fixing r and sql variables use same object issue
2018-07-31 00:57:32 +03:00
ca8a01d27c
getting filenames in http responses
2018-07-30 16:25:45 -05:00
7cf2c840a3
metadata set up
2018-07-30 14:25:58 -05:00
129fd44350
Land #10305 , SonicWall XML-RPC RCE
2018-07-30 14:14:26 -05:00
38f6b8aada
Clean up module
2018-07-30 14:06:33 -05:00
ce9f447a29
Land #10384 , upload_exec fixes
2018-07-30 13:55:40 -05:00
7c8190573c
remove unused juniper options
2018-07-30 14:20:01 -04:00
4ed2cc8189
Land #10397 , Added line in psexec_psh to support SMB2
2018-07-30 13:06:00 -05:00
cdefb88770
Added line to support SMB2
2018-07-30 12:37:06 -05:00
952ab801e8
Land #10060 , vTiger CRM v6.3.0 Upload RCE
2018-07-30 12:32:24 -05:00
62f663207b
Change option type
2018-07-30 12:15:59 -05:00
fe9315dc89
Update module, Add documentation
2018-07-30 12:11:08 -05:00
d58785f959
Land #10247 , add WordPress Arbitrary File Deletion
2018-07-30 09:05:23 -05:00
ece9a72d13
Removed tabs
2018-07-30 15:07:55 +02:00
5962fa752e
Fixes in aws_ec2_instance_metadata
...
@@ -36,7 +36,7 @@ def initialize(info = {})
- unless resp =~ /^instance-id.$/m
+ unless resp =~ /^instance-id$/m
The original regex requires one character after 'instance-id' which is not present in the instance.
@@ -50,15 +50,16 @@ def check_curl
- base_resp.split(/\r\n/).each do |l|
- new_uri = base_uri.merge("./#{l}")
+ base_resp.split(/\r?\n/).each do |l|
+ new_uri = "#{base_uri}#{l}"
- key_uri = new_uri.merge("./#{key_id}/")
- key_resp = simple_get(key_uri)
+ new_uri = new_uri.slice(0..(new_uri.index(%r{/public-keys/})+'/public-keys'.length))
+ key_uri = "#{new_uri}#{key_id}/"
+ key_resp = simple_get(key_uri)
1. merge function was causing 'rescue in merge' errors
2. the split function could not succeed, there were no '\r\n' between the lines but '\n' only
3. the special case was not handled correctly
was trying to curl http://169.254.169.254/latest/meta-data/public-keys/0=Key0/ instead of http://169.254.169.254/latest/meta-data/public-keys/0/
@@ -94,6 +95,6 @@ def setup
- cmd_exec("curl #{url}")
+ cmd_exec("curl -s #{url}")
Curl was causing issues when not in silent mode.
2018-07-30 14:02:15 +02:00
6790ac1998
Reset to original
2018-07-30 10:48:32 +02:00
c440eeaa31
rogue end
2018-07-29 10:35:33 -04:00
53cca07442
bcoles suggestions
2018-07-29 10:31:01 -04:00
32384cf850
Land #10387 , Update mov_ss and add mov_ss_dll
2018-07-27 14:52:21 -05:00
6d4c70d019
ughhhhh EOL
2018-07-27 11:35:31 -05:00
036e2b2247
shut up, Rubocop
2018-07-27 11:11:32 -05:00
b4792e08a4
Combine the modules and update the binaries
2018-07-27 11:08:04 -05:00
aaf1a22c7c
Rubocop changes
2018-07-27 10:15:45 -05:00
eab62c18c6
Update mov_ss and add mov_ss_dll
2018-07-27 09:40:34 -05:00
7b5e8463ba
msftidy-final
2018-07-27 14:52:10 +02:00
4e42834be3
msftidy 538
2018-07-27 14:48:04 +02:00
44c1fa9197
msftidy558
2018-07-27 14:29:32 +02:00
da1363721f
msftidy 90-91-2
2018-07-27 14:07:10 +02:00
07896b0a3c
msftidy 90-91
2018-07-27 13:58:15 +02:00
5435c7a5eb
msftidy fix
2018-07-27 13:43:37 +02:00
09320ece91
iec104 client
2018-07-27 11:46:26 +02:00
1bcf2f9b37
Land #10383 , Add WP Responsive Thumbnail Slider Plugin Exploit Module
2018-07-26 23:53:25 -05:00
72d634b10b
Update module and its documentation
2018-07-26 23:08:20 -05:00
0433cb92ba
Fix upload_exec for absolute paths
...
Also prefer chmod 700 over 755, since it's our file.
2018-07-26 19:48:12 -05:00
32d6344e6b
Land #9964 , android post module to extract subscriber info
2018-07-26 16:58:27 -05:00
71646da97f
fix error handling
2018-07-26 16:48:34 -05:00
be1bf8b1fc
modified status
2018-07-26 15:41:19 -05:00
6accca4181
added documentation and check method
2018-07-26 15:32:37 -05:00
ed4c4046ba
parsing for uploaded file, gets session
2018-07-26 14:23:24 -05:00
2dff66aacb
Check nil
2018-07-26 11:23:16 -05:00
c23ffcbf62
successfully uploads payload and gets a session
2018-07-26 11:09:01 -05:00
Jacob Robles
Shelby Pace
Dhiraj Mishra
William Vu
Christian Mehlmauer
asoto-r7
Adam Cammack
Ben Schmeckpeper
bwatters-r7
AverageSecurityGuy
alpiste
Brent Cook
Brendan Coles
Wei Chen
Matthew Kienow
Auxilus
Tim W
Chirag Jariwala
Eliott Teissonniere
Kevin Kirsche
Kevin Gonzalvo
h00die
Michael John
Green-m
reka193
Alexander Halbarth
Mehmet İnce
michaelj0hn