Tod Beardsley
2f87c880df
Add link to blog post for NTP modules
2014-08-25 12:58:10 -05:00
Tod Beardsley
c3213a73e5
Use peer when writing scanner modules
...
This fixes the module seen in PR rapid7#3684 to use the peer method at
the beginning of print_* messages, rather than the vhost method at the
end. Doing this tends to make reading the output much easier since it's
more consistent.
Incidentally, this module has an msftidy complaint:
````
--- Checking new and changed module syntax with tools/msftidy.rb ---
modules/auxiliary/scanner/http/ipboard_login.rb - [INFO] Please use
vars_get in send_request_cgi: send_request_cgi({ 'uri' =>
normalize_uri(target_uri.path,
"index.php?app=core&module=global§ion=login&do=process"
````
This should be fixed as well, or explained why it's not being honored.
2014-08-25 12:48:32 -05:00
William Vu
1ee83ff57e
Land #3696 , pile of NTP DRDoS 0days
...
Dr. DoS in da house?
2014-08-25 11:47:28 -05:00
William Vu
7a76efa7f7
Add reference and disclosure date
2014-08-25 11:46:47 -05:00
OJ
a39f7b94ec
Land #3684 - IP Board Login Scanner
2014-08-25 11:54:42 +10:00
Christopher Truncer
302e4025ba
Removed unnecessary function
2014-08-24 20:45:28 -04:00
Christopher Truncer
2b59063d6c
Updated based on feedback
2014-08-24 19:53:29 -04:00
Tom Sellers
fa502c9c69
Minor adjustments
2014-08-24 17:39:13 -05:00
jvazquez-r7
c20b4dc0ff
Land #3645 , @jlee-r7's fix for mremoge credentials gather module
2014-08-24 15:53:29 -05:00
Joe Vennix
6313b29b7a
Add #arch method to Msf::EncodedPayload.
...
This allows exploits with few one automatic target to support many
different architectures.
2014-08-24 02:22:15 -05:00
Joe Vennix
88f626184c
Remove linux platform limitation, target depends on arch only.
2014-08-24 01:39:04 -05:00
Joe Vennix
04d0b87067
Reorder module title.
2014-08-24 01:18:21 -05:00
Joe Vennix
c65ba20017
Fix incorrect Platforms key.
2014-08-24 01:15:34 -05:00
Joe Vennix
4e63faea08
Get a shell from a loose gdbserver session.
2014-08-24 01:10:30 -05:00
Tom Sellers
1fa43bfe64
Rework for Credential lib update
2014-08-23 10:53:55 -05:00
John Sawyer
0a27a18104
Committing changes from r7 comments
2014-08-23 00:08:27 -04:00
Christopher Truncer
84f4fa5c76
Updated module based on feedback
2014-08-22 21:16:53 -04:00
jvazquez-r7
0737d0dbd5
Refactor auxiliary module
2014-08-22 17:05:45 -05:00
jvazquez-r7
0031913b34
Fix nil accesses
2014-08-22 16:19:11 -05:00
jvazquez-r7
9ef09a7725
Pass msftidy
2014-08-22 13:24:59 -05:00
jvazquez-r7
38e6576990
Update
2014-08-22 13:22:57 -05:00
jvazquez-r7
e93fbbd904
Land #3685 , @pedrib's exploit for CVE-2014-3996
2014-08-22 11:45:41 -05:00
jvazquez-r7
cf147254ad
Use snake_case in the filename
2014-08-22 11:44:35 -05:00
jvazquez-r7
823649dfa9
Clean exploit, just a little
2014-08-22 11:43:58 -05:00
jvazquez-r7
9815b1638d
Refactor pick_target
2014-08-22 11:31:06 -05:00
Joe Vennix
95fbb8f1b7
Land PR #3672 , dmaloney-r7's login scanner credential rework.
2014-08-22 11:15:32 -05:00
jvazquez-r7
ecace8beec
Refactor check method
2014-08-22 11:05:36 -05:00
Brandon Turner
05f0d09828
Merge branch staging/electro-release into master
...
On August 15, shuckins-r7 merged the Metasploit 4.10.0 branch
(staging/electro-release) into master. Rather than merging with
history, he squashed all history into two commits (see
149c3ecc63
and
82760bf5b3
).
We want to preserve history (for things like git blame, git log, etc.).
So on August 22, we reverted the commits above (see
19ba7772f3
).
This merge commit merges the staging/electro-release branch
(62b81d6814
) into master
(48f0743d1b
). It ensures that any changes
committed to master since the original squashed merge are retained.
As a side effect, you may see this merge commit in history/blame for the
time period between August 15 and August 22.
2014-08-22 10:50:38 -05:00
jvazquez-r7
ced65734e9
Make some datastore options advanced
2014-08-22 10:26:04 -05:00
jvazquez-r7
b4e3e84f92
Use CamelCase for target keys
2014-08-22 10:23:36 -05:00
jvazquez-r7
b58550fe00
Indent description and fix title
2014-08-22 10:21:08 -05:00
Brandon Turner
19ba7772f3
Revert "Various merge resolutions from master <- staging"
...
This reverts commit 149c3ecc63
.
Conflicts:
lib/metasploit/framework/command/base.rb
lib/metasploit/framework/common_engine.rb
lib/metasploit/framework/require.rb
lib/msf/core/modules/namespace.rb
modules/auxiliary/analyze/jtr_postgres_fast.rb
modules/auxiliary/scanner/smb/smb_login.rb
msfconsole
2014-08-22 10:17:44 -05:00
inkrypto
7e2d474a26
Ranking, Version, Spacing Edit
2014-08-22 11:06:42 -04:00
inkrypto
7587997d73
Spell check
2014-08-21 12:47:25 -04:00
Christopher Truncer
3918acb1e1
Changed keyword used when returning
2014-08-21 12:34:54 -04:00
Christopher Truncer
a0b72bba93
Updated module based on feedback
2014-08-21 12:26:41 -04:00
Pedro Ribeiro
da752b0134
Add exploit for CVE-2014-3996
2014-08-21 15:30:28 +01:00
Christopher Truncer
383906c26c
Removed function no longer used
2014-08-20 22:51:01 -04:00
Christopher Truncer
c93bfb4673
Fixed targeturi value
2014-08-20 21:23:45 -04:00
Christopher Truncer
7f90b81711
IP Board Login Scanner Module
2014-08-20 21:18:19 -04:00
Jon Hart
9f9f28cc31
If a peer is 127.0.0.1, don't try to store it because we (currently...) can't
2014-08-20 15:48:54 -07:00
Jon Hart
9db3dc7ad8
Store peer data note in the same format as originally
2014-08-20 15:10:45 -07:00
Jon Hart
758c3fa518
Only discard monlist replies that are impossibly short
...
This fixes the case where if a monlist reply only includes one peer
2014-08-20 15:02:21 -07:00
Jon Hart
7ad9300d37
Update ntp_monlist to use UDPScanner, NTP and DRDoS mixins
2014-08-20 14:41:00 -07:00
Jon Hart
8fd4ee87ab
Allow singular NTP version and mode 7 implementation testing
2014-08-20 12:21:39 -07:00
John Sawyer
1959f7a235
Updated shodan_search for new API
2014-08-20 00:48:13 -04:00
sinn3r
e2e2dfc6a3
Undo FF
2014-08-19 17:47:44 -05:00
sinn3r
777efb5e48
Land #3669 - Deprecate ff 17 svg exploit
2014-08-19 17:42:31 -05:00
sinn3r
c73ec66c7a
Land #3659 - Add HybridAuth install.php PHP Code Execution
2014-08-19 17:19:01 -05:00
Tom Sellers
74920d26a4
Update to server/capture/imap.rb for new Credential system
2014-08-19 15:25:31 -05:00
Tom Sellers
3fdad4dc91
Update auxillary/scanner/ftp with Credential Gem
2014-08-19 13:13:05 -05:00
William Vu
dc95b01cc5
Land #3670 , smb_login private_type fix
...
[FixRM #8841 ]
2014-08-19 11:30:23 -05:00
William Vu
b748cee760
Land #3664 , enum_osx dump_hash removal
2014-08-19 11:29:23 -05:00
David Maloney
473b92a060
Merge branch 'master' into feature/MSP-10992/scanner-dry
...
Conflicts:
Gemfile.lock
lib/metasploit/framework/command/console.rb
lib/metasploit/framework/common_engine.rb
lib/metasploit/framework/credential.rb
lib/metasploit/framework/credential_collection.rb
lib/metasploit/framework/login_scanner/afp.rb
lib/metasploit/framework/login_scanner/axis2.rb
lib/metasploit/framework/login_scanner/db2.rb
lib/metasploit/framework/login_scanner/ftp.rb
lib/metasploit/framework/login_scanner/http.rb
lib/metasploit/framework/login_scanner/mssql.rb
lib/metasploit/framework/login_scanner/mysql.rb
lib/metasploit/framework/login_scanner/pop3.rb
lib/metasploit/framework/login_scanner/postgres.rb
lib/metasploit/framework/login_scanner/result.rb
lib/metasploit/framework/login_scanner/smb.rb
lib/metasploit/framework/login_scanner/snmp.rb
lib/metasploit/framework/login_scanner/ssh.rb
lib/metasploit/framework/login_scanner/telnet.rb
lib/metasploit/framework/login_scanner/vnc.rb
lib/metasploit/framework/parsed_options/console.rb
lib/metasploit/framework/require.rb
lib/metasploit/framework/version.rb
lib/msf/core/modules/namespace.rb
modules/auxiliary/analyze/jtr_postgres_fast.rb
modules/auxiliary/scanner/afp/afp_login.rb
modules/auxiliary/scanner/db2/db2_auth.rb
modules/auxiliary/scanner/ftp/ftp_login.rb
modules/auxiliary/scanner/http/axis_login.rb
modules/auxiliary/scanner/http/http_login.rb
modules/auxiliary/scanner/http/tomcat_mgr_login.rb
modules/auxiliary/scanner/mssql/mssql_login.rb
modules/auxiliary/scanner/mysql/mysql_login.rb
modules/auxiliary/scanner/pop3/pop3_login.rb
modules/auxiliary/scanner/postgres/postgres_login.rb
modules/auxiliary/scanner/snmp/snmp_login.rb
modules/auxiliary/scanner/ssh/ssh_login.rb
modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
modules/auxiliary/scanner/telnet/telnet_login.rb
modules/auxiliary/scanner/vnc/vnc_login.rb
modules/auxiliary/scanner/winrm/winrm_login.rb
spec/lib/metasploit/framework/credential_spec.rb
spec/lib/msf/core/framework_spec.rb
2014-08-19 10:30:16 -05:00
sinn3r
7330e3585f
Support Glassfish 4.0 and lots of other changes
2014-08-18 19:03:26 -05:00
James Lee
f169b8dff3
Fix hashes being stored as passwords
2014-08-18 15:52:13 -05:00
joev
b93fda5cef
Remove browser_autopwn hook from deprecated FF module.
2014-08-18 15:33:43 -05:00
joev
87aa63de6e
Deprecate FF17 SVG exploit.
...
This exploit needs flash, the tostring_console injection one does not.
2014-08-18 15:32:51 -05:00
Brendan Coles
564431fd41
Use arrays in refs for consistency
2014-08-18 18:54:54 +00:00
Tod Beardsley
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
joev
5654370316
Remove hashdump functionality from enum_osx.
...
There is a specific hashdump module that is more up-to-date, no need to duplicate
functionality (and code).
2014-08-18 11:40:11 -05:00
joev
5bfbb7654e
Add android meterpreter to browser autopwn.
2014-08-18 11:09:16 -05:00
HD Moore
d8e82b9394
Lands #3655 , fixes pack operators
...
the commit.
he commit.
2014-08-17 17:25:52 -05:00
Brendan Coles
b8b2e3edff
Add HybridAuth install.php PHP Code Execution module
2014-08-16 23:31:46 +00:00
sinn3r
e656a81c63
Land #3656 - FF toString console.time Privileged Javascript Injection
2014-08-15 17:07:23 -05:00
joev
6d958475d6
Oops, this doesn't work on 23, only 22.
2014-08-15 17:00:58 -05:00
joev
fb1fe7cb8b
Add some obfuscation.
2014-08-15 16:54:30 -05:00
joev
b574a4c4c5
Wow, this gets a shell all the way back to 15.0.
2014-08-15 16:39:36 -05:00
joev
5706371c77
Update browser autopwn settings.
2014-08-15 16:32:06 -05:00
joev
8c63c8f43d
Add browserautopwn hook now that this is not user-assisted.
2014-08-15 16:28:21 -05:00
joev
694d917acc
No need for web console YESSSS
2014-08-15 16:02:26 -05:00
joev
738a295f0a
Rename module to tostring_console*.
2014-08-15 15:17:37 -05:00
Meatballs
0cc3bdfb35
Moar bad packs
2014-08-15 21:11:37 +01:00
joev
f182613034
Invalid CVE format.
2014-08-15 15:09:45 -05:00
joev
edb9d32e5c
Add module for toString() injection in firefox.
2014-08-15 15:08:10 -05:00
inkrypto
7972da350d
Files move to appropriate directories and have proper formatting
2014-08-15 14:37:29 -04:00
inkrypto
92750ccc03
Remove emc files
2014-08-15 14:30:19 -04:00
Tod Beardsley
904c1b20b1
Land #3654 , update to 4.10-dev (electro)
2014-08-15 12:51:28 -05:00
Samuel Huckins
149c3ecc63
Various merge resolutions from master <- staging
...
* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
2014-08-15 11:33:31 -05:00
jvazquez-r7
4cfd2abd8d
Land #3621 , @kaospunk's exploit for gitlab-shell CVE-2013-4490 command injection
2014-08-15 09:17:16 -05:00
jvazquez-r7
4e0f6dfcc7
Do minor cleanup
2014-08-15 09:10:08 -05:00
inkrypto
5fee4df2c0
BA EMC modules
2014-08-13 23:18:43 -04:00
sinn3r
f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape
2014-08-13 20:08:13 -05:00
kaospunk
5ed3e6005a
Implement suggestions
...
This commit addresses feedback such as adding a check
function and changing the login fail case by being
more specific on what is checked for. The failing
ARCH_CMD payloads were addressed by adding BadChars.
Last, an ARCH_PYTHON target was added based on
@zerosteiner's feedback.
2014-08-13 20:26:48 -04:00
jvazquez-r7
127d094a8d
Dont share once device is opened
2014-08-13 16:13:38 -05:00
sinn3r
558cea6017
Land #3638 - Add VMTurbo Operations Manager 'vmtadmin.cgi' RCE
2014-08-13 11:55:56 -05:00
Meatballs
05a198bc96
Correct spelling
2014-08-13 14:06:25 +01:00
Meatballs
4a01c27ed4
Use get_env and good pack specifier
2014-08-13 10:59:22 +01:00
Emilio Pinna
4ff73a1467
Add version build check
2014-08-13 09:53:43 +02:00
James Lee
b7e4bd4080
Fix 'domain\user' reporting in mremote
2014-08-12 18:01:42 -05:00
jvazquez-r7
da4b572a0d
Change module name
2014-08-12 17:17:26 -05:00
jvazquez-r7
3eccc12f50
Switch from vprint to print
2014-08-12 17:11:24 -05:00
jvazquez-r7
f203fdebcb
Use Msf::Exploit::Local::WindowsKernel
2014-08-12 17:09:39 -05:00
jvazquez-r7
e1debd68ad
Merge to update
2014-08-12 16:21:39 -05:00
jvazquez-r7
183b27ee27
There is only one target
2014-08-12 16:14:41 -05:00
jvazquez-r7
c8e4048c19
Some style fixes
2014-08-12 16:11:31 -05:00
jvazquez-r7
ea3d2f727b
Dont fail_with while checking
2014-08-12 16:09:59 -05:00
Emilio Pinna
3440f82b2e
Minor description adjustment
2014-08-12 22:18:59 +02:00
Emilio Pinna
9e38ffb797
Add the check for the manual payload setting
2014-08-12 21:55:42 +02:00
sinn3r
b84192c654
Land #3642 - Be sure which the full payload is used
2014-08-12 14:52:26 -05:00
jvazquez-r7
93990f4578
Land #3631 , @wchen-r7's fixes to avoid datastore options assignment at runtime
2014-08-12 14:46:02 -05:00
jvazquez-r7
b46b6af50d
Land #3630 , @wchen-r7's fix for datastore assignments on smb_enumusers
2014-08-12 14:26:55 -05:00
jvazquez-r7
33da1a6871
Give a chance to the mixin
2014-08-12 13:49:39 -05:00
Emilio Pinna
5b6be55c50
Fix (properly) 'execute_command()' missing 'opts' parameter
2014-08-12 19:49:27 +02:00
Emilio Pinna
3af17ffad0
Fixed 'execute_command()' missing 'opts' parameter
2014-08-12 19:24:24 +02:00
jvazquez-r7
042423088c
Make sure which the full payload is used
2014-08-12 11:41:29 -05:00
David Maloney
fcfce9efec
Merge branch 'staging/electro-release' into feature/MSP-10992/scanner-dry
2014-08-12 11:22:51 -05:00
cx
c937e80521
Added Fixes#2 mentioned by Firefart
...
Details:
* MSF's HTTP::Wordpress class included and wordpress related
variables are used.
2014-08-12 15:16:43 +03:00
Emilio Pinna
f71589f534
Simplify payload upload using 'CmdStager' mixin
2014-08-12 10:49:17 +02:00
sinn3r
4aeb1eda9c
Don't use datastore options as default values
2014-08-11 18:55:32 -05:00
kaospunk
4e6a04d3ad
Modifications for login and key addition
...
This commit adds additional support for logging in
on multiple versions of Gitlab as well as adding a
key to exploit the vulnerability.
2014-08-11 19:54:10 -04:00
Emilio Pinna
cc5770558d
Remove local payload saving used for debugging
2014-08-11 19:16:14 +02:00
Emilio Pinna
4790b18424
Use FileDropper mixin to delete uploaded file
2014-08-11 19:02:09 +02:00
Emilio Pinna
ac526ca9bd
Fix print_* to vprint_* in check method
2014-08-11 18:58:11 +02:00
Emilio Pinna
4b4b24b79d
Fix errors printing
2014-08-11 18:54:43 +02:00
Emilio Pinna
c97cd75beb
Rephrase 'Author' section
2014-08-11 18:52:21 +02:00
Emilio Pinna
0138f3648d
Add VMTurbo Operations Manager 'vmtadmin.cgi' Remote Command Execution module.
2014-08-11 16:57:39 +02:00
cx
c90434c926
Added Fixes mentioned by Firefart
...
Details:
* string interpolation removed
* Minor styling issues are fixed
* peer var used
* target_uri added instead of datastore
2014-08-11 14:37:39 +03:00
kaospunk
a995bcf2ef
Fix URI building and failure cases
...
This update uses the normalize_uri method for building
URIs. Additionally, failure cases have been modified
for a less generic version.
2014-08-10 19:53:33 -04:00
Meatballs
351b687759
Land #3612 , Windows Local Kernel exploits refactor
2014-08-10 22:05:06 +01:00
joev
af3ca19ab2
Land #3501 , @AnwarMohamed's android meterpreter commands.
2014-08-09 16:29:59 -05:00
Tod Beardsley
08bb815bd8
Add Yokogawa unauth admin module
2014-08-09 13:30:10 -05:00
jvazquez-r7
486b5523ee
Refactor set_version
2014-08-09 02:17:07 -05:00
jvazquez-r7
d959affd6e
Delete debug message
2014-08-09 01:58:42 -05:00
jvazquez-r7
da04b43861
Add module for CVE-2014-0983
2014-08-09 01:56:38 -05:00
Jon Hart
a5e9abc227
Update R7-2014-12 NTP modules to use new DRDoS mixin
2014-08-08 23:15:54 -07:00
Jon Hart
00452b41c9
Gut admin functions from R7-2014-12 NTP modules
...
None of these are admin modules. All of that stuff should eventually go
in auxiliary/admin
2014-08-08 21:22:11 -07:00
Jon Hart
ed3ccdc9e0
Initial commit of modules for NTP vulns described in R7-2014-12
...
Not entirely functional or polished, but mostly working
2014-08-08 21:00:43 -07:00
Jon Hart
3307726c21
Land #3627 , @wchen-r7's cleanup of ctypes in smb_enumshares
2014-08-08 19:17:15 -07:00
Jon Hart
b3bb20f569
Land #3629 , @wchen-r7's HTTP traversal fixes
2014-08-08 18:08:32 -07:00
Jon Hart
c35dc4d3ac
Extract query params separately
...
Prevents stomping on data
2014-08-08 18:07:25 -07:00
sinn3r
969e5ddd39
Override the correct smb_direct
2014-08-07 18:48:46 -05:00
sinn3r
3b27102c4c
Override the correct smb_direct
2014-08-07 18:47:33 -05:00
sinn3r
436e2abfff
Fix datastore options
2014-08-07 17:59:40 -05:00
sinn3r
1963318e70
Fix datastore options
2014-08-07 17:58:25 -05:00
sinn3r
ab8f2c7d3f
Datastore option fix
2014-08-07 17:57:44 -05:00
sinn3r
6f8c7f092a
Fix direct datastore assignments to pass msftidy
2014-08-07 17:51:45 -05:00
sinn3r
2967d85e44
Land #3624 - Wordpress XMLRPC DoS
2014-08-07 17:25:22 -05:00
sinn3r
c79fe731c5
Um, this is the right way to do it.
2014-08-07 13:32:48 -05:00
sinn3r
f7bda738cf
Fix file handle leak
2014-08-07 13:30:34 -05:00
sinn3r
711630d059
Fix datastore assignments
2014-08-07 13:28:51 -05:00
sinn3r
c7090f57a5
Fix "text" ctype in smb_enumshares
...
"text" is not a valid ctype, should be text/plain
2014-08-07 11:25:55 -05:00
Christian Mehlmauer
a7be5b5164
Added fingerprinting
2014-08-07 18:12:58 +02:00
jvazquez-r7
b259e5b464
Update description again
2014-08-07 09:21:25 -05:00
jvazquez-r7
4af0eca330
Update target description
2014-08-07 09:11:01 -05:00
Christian Mehlmauer
d6e60453d6
Added Wordpress XMLRPC DoS
2014-08-07 11:38:44 +02:00
Brandon Turner
91bb0b6e10
Metasploit Framework 4.9.3-2014072301
...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJT0CeVAAoJEJMMBVMNnmqO/7AP/0CBRHjtgiR9VnFKSQ+iWTQV
iPNMBevn0mpSRq/gpoKCeFBZ6b+YQYrOLXDKVk62VV9LCslkr/P8LW8ul+m+JtB0
mM6V5esUXM1XhgGEyTnTLRx6BR/WQU1RHlb56ae3nZjQlwCuH/5zEmcy5toZxpsY
6HO46zE0GGBoLr/VgyYlfT08bfoQ+ICyJN0H5ixoovCc3iW0K1MNqLMfdani8zBJ
gYJaMysV7XtepumWWQMSC+b/EuertdXXzWDy2bwe0Q3cQXNXzrkPAvtMqucWG+gy
783OLKCPtVoEZiX87xAptkwmVCRdNGPclaWH7YRZDAh1tqBfRQUg72V/TIrOHCP1
/lYO7yp5pBQg+1UNnpH+xI2YePFfYdHpYDNT5FSQGOnQjJg30ll4SqCm7cVmo2h5
BRSYXkPCsQeXGaFarxGERNb8e+qN/WzSrHzY45tQw8mDuhg94tlf3VtDag3FXxhj
zCxd6bu+tdboVm7FERS85T46kxzmeIycZ4p+Sf7d8gXitl2RKbBdKFNDi1gzeK1T
yN7bDl4sL7qtDgZLXjFrnyC8vXyAqIrAgmFr2JywMBRm6TiCGQvgnrs+sScU3RFU
W2tblGbKQq+CwDeC59uQPqxRkm72SMUrKX9448VEQ+9XbKE3TMQ5Q4qCxmnw31Op
aJ0QgKJz8thZgafZc89I
=e1z9
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCgAGBQJT4pb8AAoJEA+Ckxyj7hsHn+8P/3FlEYCmoqQ/JzsVtmP3Yi4Q
gBRva+crY831mCCQXFrPJBvWfmy5HOzVh+Zh7zWF0GQ1WuuMppHfR5ARFVwmiDs3
qwndhXwziDzBnznf0JKSgT5eJsH23s/ots1lyWymKJvPuT6hn6MRAHUawgnNmYR9
ttnawmHvCM9Iha2oz3nmkLcNd+83bdBfEWi5l8AQ7jJxwMC2/8VPpMscVVwXqPzd
CoQugAYZW5VeaEiGio5+19Ix9EPkIDvs6wnfGBtfPfeaOIDZV4XOFoIFUtEeZd5o
olvEpYvdqscy4Qujzn4C++3wX3bUxkIbHTJHgrKmlD83dI7Cu1JH716G+yfLoJo0
pQBWTGeWYKEh6leK/9J5Bo1/tOJ/ylbcbvH0Y0tmdu4icHar6uYe1QBrCB9xIdh1
F+xo4guYnVo616DXJQSwjIye83b5dBxACrfA3bqCnFVFgTM5jXGV1cqiBgs9Dl++
tIDPgUJkCe/bIdQ7PntlGRzxKihHahlxhCa++YaGKqSq7gXie8Rl4qgloIrbfNZ/
z3XsoOLNdbMGO7ip88Zjwq4Khj5WZu7ijfCtXO7GU1UJZL1tJ2yK2ic7ZDLc251Y
8EGMSTG53+6yvZYFtWMZeQzjwD2cpuF04dOmHOKi6KGJJ7KRPhn6gpsbc6U1mbH9
AjGcfOzhhcsY+WAQ7OG+
=Pjob
-----END PGP SIGNATURE-----
Merge tag '2014072301' into staging/electro-release
Conflicts:
Gemfile.lock
modules/post/windows/gather/credentials/gpp.rb
This removes the active flag in the gpp.rb module. According to Lance,
the active flag is no longer used.
2014-08-06 15:58:12 -05:00
Spencer McIntyre
b602e47454
Implement improvements based on feedback
2014-08-05 21:24:37 -07:00
kaospunk
48359faaaf
Add gitlab-shell command injection module
...
This request adds a module for gitlab-shell command
injection for versions prior to 1.7.4. This has been
tested by installing version 7.1.1 on Ubuntu and then
using information at http://intelligentexploit.com/view-details.html?id=17746
to modify the version of gitlab-shell to a vulnerable one. This
was done as I could not find a better method for downloading
and deploying an older, vulnerable version of Gitlab.
2014-08-05 23:21:57 -04:00
sinn3r
9b6259e58b
Land #3569 - Updated smb_enumshares to support spidering
2014-08-05 20:23:09 -05:00
sinn3r
f520616730
This fixes a few things, see commit message for more info
...
This commit fixes the following:
1. Not handling eval_host()'s nil file return value, which can causes
a NoMethodError at runtime due to various conditions.
2. Renames datastore option VERBOSE to ShowFiles to pass msftidy
3. Avoids overwriting datastore options directly to pass msftidy
2014-08-05 19:20:11 -05:00
Alton Johnson
da845c7e89
Changed default VERBOSE option to false.
2014-08-04 18:06:35 -05:00
Jon Hart
f25bb735a0
Land #3543 , @todb-r7's Rubocop cleanup of MS08-067
2014-08-04 14:35:30 -07:00
Jon Hart
b81c7e28f4
Land #3588 , @tobd-r7's Fix SpaceBeforeModifierKeyword Rubocop warning
2014-08-04 14:25:03 -07:00
Spencer McIntyre
9cd6353246
Update mqac_write to use the mixin and restore pointers
2014-08-04 12:15:39 -07:00
Spencer McIntyre
a523898909
Apply rubocop suggestions for ms_ndproxy
2014-08-04 11:49:01 -07:00
Spencer McIntyre
86e2377218
Switch ms_ndproxy to use the new WindowsKernel mixin
2014-08-04 11:49:01 -07:00
Spencer McIntyre
58d29167e8
Refactor MS11-080 to use the mixin and for style
2014-08-04 11:49:01 -07:00
Tod Beardsley
4de59ad7d1
Add reasonable description for gnome-commander
2014-08-04 12:35:34 -05:00
jvazquez-r7
ed97751ead
Land #2999 , @j0hnf's modifiction to check_dir_file to handle file:
2014-08-04 11:55:18 -05:00
jvazquez-r7
cd45ed0e0a
Handle exceptions when connecting the SMBHSARE
2014-08-04 11:54:30 -05:00
jvazquez-r7
85b5c5a691
Refactor check_path
2014-08-04 11:48:13 -05:00
jvazquez-r7
1e29bef51b
Fix msftidy warnings
2014-08-04 11:46:27 -05:00
jvazquez-r7
04bf0b4ab6
Fix forgotten comma
2014-08-04 11:34:12 -05:00
jvazquez-r7
68d8afc18d
Land #3604 , @hmoore-r7's [FixRM #8838 ] smb_lookupsid nil class dereference
2014-08-04 10:38:42 -05:00
Joshua Smith
6c2b8f54cf
rubocop cleanup, long lines, etc
2014-08-03 23:19:08 -05:00
OJ
2b021e647d
Minor tidies to conform to standards
2014-08-03 23:19:08 -05:00
OJ
31c51eeb63
Move error messages to `check`
2014-08-03 23:19:08 -05:00
OJ
cbf15660bf
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-08-03 23:19:08 -05:00
HD Moore
3bc8d1fee9
See #RM8838. Handle null domain_sid properly
...
This switches to the local sid if the domain sid is null, even if
the ACTION is set to DOMAIN. This solves the issue identified in
```
[*] 192.168.0.4 PIPE(LSARPC) LOCAL(NAS - 5-21-2272853860-1115691317-1341221697) DOMAIN(WORKGROUP - )
[-] 192.168.0.4 No domain SID identified, falling back to the local SID...
[*] 192.168.0.4 USER=guest RID=501
[*] 192.168.0.4 GROUP=None RID=513
```
2014-08-02 14:25:17 -05:00
us3r777
cd2e225359
Refactored auxilliary jboss_bshdeployer
...
Switch modules/auxiliary/admin/http/jboss_bshdeployer.rb to use the
changes.
2014-08-02 11:10:49 +02:00
Tod Beardsley
c31fc61617
Land #3270 , @jlee-r7 deprecation ipv6 payloads
...
These are not needed, since you can just config the regular handler now
and pick either.
This resolves the conflict (rm'ed the old modules)
Conflicts:
modules/payloads/stagers/windows/reverse_ipv6_http.rb
modules/payloads/stagers/windows/reverse_ipv6_https.rb
2014-08-01 16:27:59 -05:00
David Maloney
ab7111120b
and all the rest
...
finally!
2014-08-01 14:54:18 -05:00
David Maloney
4821851ae4
telnet and ssh next
2014-08-01 14:47:08 -05:00
David Maloney
12902b0a6d
the refactor continues!
2014-08-01 14:41:03 -05:00
David Maloney
b74813b9a1
mysql and pop3 now
2014-08-01 14:30:33 -05:00
jvazquez-r7
73ca8c0f6d
Work on jboss refactoring
2014-08-01 14:28:26 -05:00
David Maloney
2e7738c788
http and mssql now
2014-08-01 14:22:58 -05:00
David Maloney
33f73a8af7
refactor db2
2014-08-01 13:00:27 -05:00
David Maloney
439b893fea
refactor axislogin
2014-08-01 12:30:16 -05:00
David Maloney
0fffb179fa
refactor afp_login
2014-08-01 12:10:52 -05:00
David Maloney
c3691ba056
finish refactoring ftp_login
2014-08-01 12:06:13 -05:00
David Maloney
a380646667
start refactoring ftp loginscanner
2014-08-01 11:47:13 -05:00
Meatballs
15c1ab64cd
Quick rubocop
2014-07-31 23:11:00 +01:00
Meatballs
d336c56b99
Merge remote-tracking branch 'upstream/master' into land_2551
2014-07-31 23:06:37 +01:00
Meatballs
bff8a734ae
Fix and be Architecture Agnostic
2014-07-31 22:58:43 +01:00
James Lee
62240537db
Refactor sso to use Credential::Creation
2014-07-31 16:06:23 -05:00
Spencer McIntyre
5a25120660
Apply rubocop changes to multi/script/web_delivery
2014-07-31 16:16:23 -04:00
Spencer McIntyre
8af4c496c9
Add a missing include and require statement for psh
2014-07-31 16:08:25 -04:00
Meatballs
53b66f3b4a
Land #2075 , Powershell Improvements
2014-07-31 00:49:39 +01:00
jvazquez-r7
4ed085d0d2
Land #3581 , @FireFart's update for W3 Total Cache Hash extract module
2014-07-30 10:45:11 -05:00
jvazquez-r7
674c3ca260
Use [] for references
2014-07-30 10:44:42 -05:00
jvazquez-r7
a79eec84ac
Land #3584 , @FireFart's update for wp_asset_manager_upload_exec
2014-07-30 10:28:51 -05:00
jvazquez-r7
9de8297848
Use [] for References
2014-07-30 10:28:00 -05:00
jvazquez-r7
313fd6ffab
Land #3582 , @FireFart's rubocop cleanup for wp_property_upload_exec
2014-07-30 10:24:58 -05:00
jvazquez-r7
58fbb0b421
Use [] for References
2014-07-30 10:24:14 -05:00
HD Moore
318418a90b
Lands #3589 , adds rhost:rport to vmware fingerprint
2014-07-29 18:50:53 -05:00
jvazquez-r7
1fe459eb42
Add info to know where the info comes from
2014-07-29 18:47:40 -05:00
Tod Beardsley
adf03e28ce
Fix SpaceBeforeModifierKeyword Rubocop warning
...
This also deals with some errant tabs where internal spaces should be,
as well as one syntax error which was preventing an old meterpreter
script from ever working correctly.
Some day, we need to get rid of those Meterpeter scripts. Srsly.
2014-07-29 17:10:54 -05:00
Christian Mehlmauer
75057b5df3
Fixed variable
2014-07-29 21:02:15 +02:00
Christian Mehlmauer
cc3285fa57
Updated checkcode
2014-07-29 20:53:54 +02:00
Christian Mehlmauer
61ab88b2c5
Updated wp_asset_manager_upload_exec module
2014-07-29 20:53:18 +02:00
Christian Mehlmauer
e438c140ab
Updated wp_property_upload_exec module
2014-07-29 20:34:34 +02:00
Christian Mehlmauer
3d2a62bc29
Updated W3 Total Cache Hash extract module
2014-07-29 19:49:48 +02:00
AnwarMohamed
c2be3d6875
fixing autoload bug
2014-07-29 17:51:56 +02:00
jvazquez-r7
820ea7e50b
Land #3577 , @FireFart's update for wordpress foxypress module
2014-07-29 09:10:07 -05:00
AnwarMohamed
6bbb2124a7
bug fixing
2014-07-29 15:49:14 +02:00
Joshua Smith
e00d892f99
rubocop cleanup, long lines, etc
2014-07-28 22:04:45 -05:00
us3r777
9e9244830a
Added spec for lib/msf/http/jboss
...
Also renamed get_undeploy_bsh and get_undeploy_stager to
gen_undeploy_bsh and gen_undeploy_stager to be consistent
with the other functions
2014-07-29 01:57:04 +02:00
William Vu
0208420a67
Land #3565 , GNOME Commander post module
2014-07-28 17:28:36 -05:00
William Vu
f4bd44d9c6
Fix outstanding issues
2014-07-28 17:28:15 -05:00
David Bloom
a904ed8507
Update gnome_commander_creds.rb
2014-07-28 22:49:13 +02:00
David Bloom
b121bf6d6c
Update gnome_commander_creds.rb
2014-07-28 22:46:50 +02:00
Christian Mehlmauer
621e85a32d
Correct version
2014-07-28 22:45:04 +02:00
Christian Mehlmauer
d334797116
Updated foxpress module
2014-07-28 22:23:22 +02:00
Christopher Truncer
7129108c58
Fixed status in MSF db for Nessus
2014-07-28 13:49:24 -04:00
jvazquez-r7
79fe342688
Land #3558 , @FireFart's improvements to wordpress mixin
2014-07-28 09:52:20 -05:00
cx
7247f8879b
Empty line fix
...
Details:
* Empty line fix added to each_user_pass function
2014-07-28 12:50:41 +03:00
AnwarMohamed
283046b25d
fixing auto load on new session
2014-07-28 10:49:50 +02:00
cx
5679a72aa8
Added Fixes mentioned by jhart-r7
...
Details:
* res && res.body fix
* empty return removed
* vprint added/changed
* is_? convention fixed
* Unknown error removed
* Minor styling issues are fixed
* VERBOSE Option Removed
2014-07-27 00:40:37 +03:00
Alton Johnson
555e6c9cff
Modified a few things based on suggestions.
2014-07-25 18:23:12 -05:00
Alton Johnson
58502f139a
Updated.
2014-07-25 15:46:50 -05:00
cx
cdabfb84f4
Add Wordpress XML-RPC Login Scanner
...
This module attempts to authenticate against a Wordpress-site (via
XMLRPC) using username and password combinations indicated by the
USER_FILE, PASS_FILE, and USERPASS_FILE options.
The module, checks for XMLRPC response using `demo.sayHello` function
and sweeps users with `wp.getUsers` function.
If `verbose` is set `true`, the raw XML response will be printed.
The module might be usefull when the target's administration page
is protected.
2014-07-25 16:24:09 +03:00
Alton Johnson
d0cd5cfc7a
Updated.
2014-07-24 21:53:23 -05:00
Alton Johnson
cdc56df09f
Updated smb_enumshares.rb
2014-07-24 21:18:02 -05:00
Alton Johnson
51c488a5ea
Added smb_enumshares.
2014-07-24 21:11:18 -05:00
OJ
210342df5b
Minor tidies to conform to standards
2014-07-25 09:32:54 +10:00
OJ
9fe2dd59aa
Move error messages to `check`
2014-07-25 07:57:09 +10:00
David Bloom
e35ee1f037
Update gnome_commander_creds.rb
2014-07-24 23:36:32 +02:00
David Bloom
f4440680b6
Update gnome_commander_creds.rb
2014-07-24 23:30:26 +02:00
ikkini
03f68e21e7
Merge branch 'rsync_modules' of https://github.com/ikkini/metasploit-framework into rsync_modules
2014-07-24 23:29:14 +02:00
ikkini
ccb26637e7
List all (listable) modules from a rsync daemon
2014-07-24 23:26:41 +02:00
David Bloom
9dc37c3cc7
Update gnome_commander_creds.rb
2014-07-24 23:18:26 +02:00
David Bloom
48982b3b89
Update gnome_commander_creds.rb
2014-07-24 23:16:45 +02:00
David Bloom
2e5c2a514b
Update gnome_commander_creds.rb
2014-07-24 23:16:10 +02:00
David Bloom
9aa1b86d8f
Update gnome_commander_creds.rb
2014-07-24 23:10:00 +02:00
David Bloom
718c401472
Update gnome_commander_creds.rb
2014-07-24 23:01:30 +02:00
us3r777
cd2ec0a863
Refactored jboss mixin and modules
...
Moved fail_with() from mixin to modules. Added PACKAGE datastore to
lib/msf/http/jboss/bsh.rb.
2014-07-24 22:58:58 +02:00
Tod Beardsley
8b2ff062c3
Land #3568 , @jhart-r7 regex fix for dir traversal
2014-07-24 15:43:43 -05:00
Jon Hart
bd1970ced9
Fix basic HTTP directory traversal detection
2014-07-24 13:22:58 -07:00
ikkini
6692545eb6
Delete rsync_list.rb
2014-07-24 22:10:08 +02:00
ikkini
f12b97e8c0
List all (listable) modules from a rsync daemon
2014-07-24 22:04:00 +02:00
David Bloom
8a6fa178d6
Update gnome_commander_creds.rb
2014-07-24 08:10:28 +02:00
OJ
3ec30bdf78
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-07-24 14:48:29 +10:00
Samuel Huckins
6c1a3f4992
Merge pull request #3555 from jlee-r7/bug/MSP-10817/jtr-typo
...
Now able to complete without error.
MSP-10817 #land
2014-07-23 15:55:42 -05:00
James Lee
eee72a86ba
Fix the case when john cracks only half of LM
2014-07-23 15:25:32 -05:00
David Bloom
41e5e24b19
Update gnome_commander_creds.rb
2014-07-23 20:26:43 +02:00
David Bloom
30c00f4fd6
gnome-commander credentials add
2014-07-23 20:20:29 +02:00
us3r777
b526fc50f8
Refactored jboss mixin and modules
...
Moved VERB option to the mixin. Replaced "if datastore['VERBOSE']"
by vprint_status().
2014-07-22 23:08:42 +02:00
Jay Smith
0db3a0ec97
Update code to reflect @jlee-r7's code review
2014-07-22 15:14:24 -04:00
Jay Smith
125b2df8f5
Update code to reflect @hdmoore code suggestions
2014-07-22 14:53:24 -04:00
Spencer McIntyre
7f79e58e7f
Lots and cleanups based on PR feed back
2014-07-22 14:45:00 -04:00
Christian Mehlmauer
a6479a77d6
Implented feedback from @jhart-r7
2014-07-22 19:49:58 +02:00
David Maloney
e54f5e8ee7
working snmp_login module
2014-07-22 12:44:21 -05:00
Spencer McIntyre
5d9c6bea9d
Fix a typo and use the execute_shellcode function
2014-07-22 13:06:57 -04:00
David Maloney
c553fcac73
start refacotirng snmp_login
2014-07-22 11:46:22 -05:00
Spencer McIntyre
12904edf83
Remove unnecessary target info and add url reference
2014-07-22 11:20:07 -04:00
Christian Mehlmauer
baff003ecc
extracted check version to module
...
also added some wordpress specs and applied
rubocop
2014-07-22 17:02:35 +02:00
Spencer McIntyre
ca0dcf23b0
Add a simple check method for cve-2014-4971
2014-07-22 10:54:10 -04:00
Spencer McIntyre
6a545c2642
Clean up the mqac escalation module
2014-07-22 10:39:34 -04:00
Spencer McIntyre
da4eb0e08f
First commit of MQAC arbitrary write priv escalation
2014-07-22 10:04:12 -04:00
James Lee
917d2c718b
Use All4 instead of LanMan
...
... Which was the original behavior. A full incremental LanMan can take
many hours instead of the few seconds this module was intended to run.
2014-07-21 18:24:35 -05:00
us3r777
ae2cd63391
Refactored Jboss mixin
...
Moved TARGETURI option to the JBoss mixin. The mixin now includes
Msf::Exploit::Remote::HttpClient which provides USERNAME and PASSWORD
2014-07-21 23:41:58 +02:00
sinn3r
6048f21875
Land #3552 - Correct DbVisualizer title name
2014-07-21 13:07:33 -05:00
sinn3r
73e665b863
Land #3542 - Multi Manage DbVisualizer Query
2014-07-21 13:02:19 -05:00
sinn3r
fbbaaf2e2a
Fix spaces and module description
2014-07-21 13:01:18 -05:00
jvazquez-r7
fe0b6fa79e
Land #3532 , @luisco's joomla login bruteforcer
2014-07-21 12:56:15 -05:00
jvazquez-r7
aefaa3dd96
Make rubocop more happy
2014-07-21 12:55:45 -05:00
Tod Beardsley
ffafd4c01f
Add NTP fuzzer from @jhart-r7
...
Looks good to me!
2014-07-21 12:38:12 -05:00
Tod Beardsley
a41768fd7d
Correct DbVisualizer title name
...
I think "DbVis Software" is the name of the company and the product
itself is called DbVisualizer.
Also fixed the description on the WPTouch module.
2014-07-21 12:35:01 -05:00
sinn3r
aa27af96f4
Land #3547 - rubocop changes
2014-07-21 12:26:51 -05:00
jvazquez-r7
478e43170a
Report credentials to database
2014-07-21 12:26:13 -05:00
jvazquez-r7
63fca1bfdd
Make some datastore options required
2014-07-21 12:10:52 -05:00
jvazquez-r7
436ac706e8
Rescue Rex::ConnectionError while finding the uri
2014-07-21 12:00:24 -05:00
jvazquez-r7
30de4cdf8d
Fix get_login_hidden
2014-07-21 11:57:37 -05:00
jvazquez-r7
ff3a21b520
Refactor do_web_login
2014-07-21 11:35:19 -05:00
jvazquez-r7
22f41e4435
Use vars_post
2014-07-21 11:07:00 -05:00
jvazquez-r7
92fd3bc72b
Deleting REQUEST_TYPE option because I don't think has sense here
2014-07-21 10:53:43 -05:00
jvazquez-r7
986b8e5d02
First style issues cleanup
2014-07-21 09:49:05 -05:00
Meatballs
b0a596b4a1
Update newer modules
2014-07-20 21:59:10 +01:00
Meatballs
474ee81807
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-20 21:01:54 +01:00
HD Moore
5ba96d6054
Fix peer(rhost)->peer() usage in mediawiki_svg_fileaccess
2014-07-19 15:56:41 -05:00
scriptjunkie
8fe508207c
Merge Meatballs' gpp_again pull into new branch
2014-07-19 11:10:14 -05:00
Christian Mehlmauer
a809c9e0b5
Changed to vprint and added comment
2014-07-18 22:15:56 +02:00
Christian Mehlmauer
c6e129c622
Fix rubocop warnings
2014-07-18 21:58:33 +02:00
root
7a5f3b8991
Implementing Ruby Style Guide and replace send_request_raw send_request_cgi
2014-07-18 14:31:38 -05:00
Tod Beardsley
942112d18e
Land #3538 , SAP fix from @jvazquez-r7
...
This looks good to me, the whole print statement is enclosed in a check
for results.
2014-07-18 10:27:47 -05:00
us3r777
088f208c7c
Added auxiliary module jboss_bshdeployer
...
The module allows to deploy a WAR (a webshell for instance) using the
BSHDeployer.
Also refactored modules/exploits/multi/http/jboss_bshdeployer.rb to
use the new Mixin (lib/msf/http/jboss).
2014-07-18 11:51:46 +02:00
root
1f02891dc7
Change name of module and implementation of the recommended changes 2
2014-07-18 00:17:35 -05:00
root
0168a99eaa
Change name of module and implementation of the recommended changes
2014-07-17 23:49:25 -05:00
root
f2eabdba94
implementation of the recommended changes
2014-07-17 23:36:37 -05:00
jvazquez-r7
ad2e7c3713
print header only if there are results...
2014-07-17 18:02:24 -05:00
us3r777
58adc350b5
Refactor: Creation of a JBoss mixin
...
The jboss_bsheployer as is does not allow to deploy a custom WAR file.
It is convenient when ports are blocked to be able to deploy a webshell
instead of just launching a payload. This will require a auxiliary
module which will use the JBoss mixin methods.
2014-07-18 00:56:32 +02:00
sinn3r
c59d72b0c6
Land #3530 - dbvis database administrator
2014-07-17 14:36:34 -05:00
sinn3r
6d35867f7f
Update module description
2014-07-17 14:24:57 -05:00
sinn3r
8e7361d952
Fix indent again
2014-07-17 14:12:04 -05:00
sinn3r
aed8af3abc
Retabbed
2014-07-17 14:03:27 -05:00
Jay Smith
2be6eb16a2
Add in exploit check and version checks
...
Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
2014-07-17 14:56:34 -04:00
sinn3r
d6ab418d6f
Fix spaces
2014-07-17 13:52:00 -05:00
Tod Beardsley
b050b5d1df
Rubocop -a on MS08-067
...
This reduces the number of style guide violations from 230ish to 36.
Nearly all of it has to do with errant parameters, element alignment,
and comment blocks.
Obviously, since this was all automatically fixed, some pretty severe
testing should occur before landing this.
I kind of don't like the automatic styling of the arrays for the
references, but maybe I can get used to it. It's open for discussion.
@jhart-r7 please take a look at this as well -- anything jumping out at
you on this that we should be avoiding for Rubocop?
2014-07-17 12:29:20 -05:00