c75a0185ec
Land #3897 - Fix check for apache_mod_cgi_bash_env & apache_mod_cgi_bash_env_exec
2014-09-26 17:06:23 -05:00
80d9af9b49
Fix spacing in description
2014-09-26 17:03:28 -05:00
9e540637ba
Add module for CVE-2014-5377 ManageEngine DeviceExpert User Credentials
2014-09-26 17:02:27 -05:00
3259509a9c
Use return
2014-09-26 16:04:15 -05:00
0a3735fab4
Make it better
2014-09-26 16:01:10 -05:00
3538b84693
Try to make a better check
2014-09-26 15:55:26 -05:00
6e2d297e0c
Credit the original vuln discoverer
2014-09-26 13:45:09 -05:00
e1f00a83bc
Fix Rex because domainname and domain_name were duplicated
2014-09-26 13:40:52 -05:00
5044117a78
Refactor dhclient_bash_env to use the egypt's mixin mods
2014-09-26 13:34:44 -05:00
ebf4e5452e
Added mssql_escalate_dbowner module
2014-09-26 10:29:35 -05:00
a4bc17ef89
deregister options needed for exploitation
2014-09-26 10:15:46 -05:00
54e6763990
Add injection to HOSTNAME and URL
2014-09-26 10:13:24 -05:00
a31b4ecad9
Merge branch 'review_3893' into test_land_3893
2014-09-26 08:41:43 -05:00
86f85a356d
Add DHCP server module for CVE-2014-6271
2014-09-26 01:24:42 -05:00
38c8d92131
Land #3888 - exploit module version of CVE-2014-6271
2014-09-26 00:31:41 -05:00
b878ad2b75
Add a module to exploit bash via DHCP, lands #3891
...
This module is just a starting point for folks to test their DHCP client implementations and we plan to significantly overhaul this once we get a bit of breathing room.
2014-09-25 23:38:40 -05:00
9c11d80968
Add dhclient_bash_env.rb (Bash exploit)
...
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
2014-09-26 01:37:00 -03:00
ad864cc94b
Delete unnecessary code
2014-09-25 16:18:01 -05:00
2b02174999
Yank Android->jsobfu integration. Not really needed currently.
2014-09-25 16:00:37 -05:00
9245bedf58
Make it more generic, add X86_64 target
2014-09-25 15:54:20 -05:00
be6552dae7
Clarifying VMware priv esc via bash module name
2014-09-25 14:34:09 -05:00
d8c03d612e
Avoid failures due to bad payload selection
2014-09-25 13:49:04 -05:00
91e5dc38bd
Use datastore timeout
2014-09-25 13:36:05 -05:00
8a43d635c3
Add exploit module for CVE-2014-6271
2014-09-25 13:26:57 -05:00
e0fc30c040
Land #3884 , @wvu's check and reporting for apache_mod_cgi_bash_env
2014-09-25 09:52:17 -05:00
f66c854ad6
Fix description to be less lulzy
2014-09-25 07:09:08 -05:00
9ed28408e1
Favor check_host for a scanner
2014-09-25 07:06:12 -05:00
62b74aeaed
Reimplement old check code I was testing before
...
I would like to credit @wchen-r7 for providing advice and feedback.
@jvazquez-r7, too! :)
2014-09-25 06:38:25 -05:00
d9120cd586
Fix typo in description
...
Running on fumes here...
2014-09-25 01:22:08 -05:00
790df96396
Fix missed var
2014-09-25 01:19:14 -05:00
f13289ab65
remove debugging
2014-09-25 02:16:19 -04:00
e051cf020d
Add missed mixin
2014-09-25 01:14:58 -05:00
27b8580f8d
Add protip to description
...
This gets you lots of shells.
2014-09-25 01:10:22 -05:00
8cb4ed4cb7
re-add quotes -oops
2014-09-25 02:09:12 -04:00
b1e9b3664e
Improve false positive check
2014-09-25 01:01:11 -05:00
6fb587ef96
update to use vmware-vmx-stats
2014-09-25 01:55:04 -04:00
8daf8d4339
Report vuln for apache_mod_cgi_bash_env
...
Now with fewer false positives! It's kinda like a check method.
2014-09-25 00:42:14 -05:00
37753e656e
Land #3882 , @jvennix-r7's vmware/bash privilege escalation module
2014-09-25 00:42:12 -05:00
456d731aa3
Fix processes check
2014-09-25 00:24:39 -05:00
5a59b7cd89
Fix formatting
2014-09-24 23:12:11 -05:00
e6f0736797
Add peer
2014-09-24 22:48:51 -05:00
8b6519b5b4
Revert shortened reference
...
But it's so long. :(
2014-09-24 22:43:33 -05:00
ecb10ebe28
Add variable HTTP method and other stuff
2014-09-24 22:41:01 -05:00
f6708b4d83
Check for running vmware processes first.
2014-09-24 19:11:38 -05:00
a600a0655d
Scannerify the module
2014-09-24 18:58:39 -05:00
abadf65d8d
Clean up title and formatting
2014-09-24 18:42:43 -05:00
2562964581
Revert to my original code of using CMD
2014-09-24 18:00:13 -05:00
99da950734
Adds osx vmware/bash priv escalation.
2014-09-24 17:44:14 -05:00
6ae578f80f
Add Stephane Chazelas as an author
2014-09-24 17:14:18 -05:00
b2555408a4
Rename module
...
I don't think we're gonna make a supermodule like we had hoped.
2014-09-24 16:55:10 -05:00
31e9e97146
Replace unnecessary reference with a better one
2014-09-24 16:52:43 -05:00
fc04bf9d48
Update description
...
This is what I had when @todb-r7 beat me to the punch. >:P
2014-09-24 16:22:58 -05:00
2f788c2e0c
Fix description
2014-09-24 16:13:05 -05:00
b96a7ed1d0
Install a global object in firefox payloads, bump jsobfu.
2014-09-24 16:05:00 -05:00
ca63fe931d
Add CVE-2014-6271 PoC
2014-09-24 16:02:59 -05:00
5d234c0e01
Pass #send in this so jsobfu is not confused.
2014-09-24 15:07:14 -05:00
0247e4a521
Change RequiredCmd for reverse_bash_telnet_ssl cmd payload
2014-09-24 00:40:14 -05:00
f2cfbebbfb
Add module for ZDI-14-305
2014-09-24 00:22:16 -05:00
5f6e84580c
Clean up and use Metasploit::Credential
2014-09-24 01:00:23 +00:00
11b9a8a6ae
Land #3814 - Advantech WebAccess dvs.ocx GetColor BoF
2014-09-23 15:06:21 -05:00
b021ff4399
Add noche tags
2014-09-23 13:11:06 -05:00
5c6236e874
Fix rop chain to allow VirtualAlloc when end of stack is too close
2014-09-23 13:08:26 -05:00
31ecbfdc4e
Land #3756 - EMC AlphaStor Device Manager Opcode 0x75 Command Injection
2014-09-23 12:57:46 -05:00
259a368577
Land #3841 , @jabra-'s modifications to ssdp_amp to support spoofing
2014-09-22 12:28:46 -07:00
fc4c1907d3
Land #3839 , @jabra-'s updates to dns_amp to support spoofing
2014-09-22 12:14:39 -07:00
8f63075da4
Land #3837 , @jabra-'s update to chargen scanner to support spoofing
2014-09-22 12:02:01 -07:00
4e9f1282de
Land #3834 , @jabra-'s updates to UDPscanner to support spoofing
2014-09-22 11:49:53 -07:00
d9e6f2896f
Add the JSObfu mixin to a lot of places.
2014-09-21 23:45:59 -05:00
2a714a7c4d
Fix a typo
...
Downloading and deleting are two very different things. Thanks Dan.
2014-09-21 18:35:26 -05:00
b7a0847114
SRC IP spoofing added to the SSDP amplification module
2014-09-20 21:37:01 -04:00
bb018de3a1
chargen src IP spoofing
2014-09-20 16:08:52 -04:00
3fb00ece9e
refactored the code based on PR feedback
2014-09-20 14:10:00 -04:00
a2a2ca550e
add test result on different windows version
2014-09-20 20:06:30 +08:00
dd71c666dc
added osvdb reference and software download url, use FileDropper method
...
for cleanup
2014-09-20 15:31:28 +08:00
19ed594e98
using FileDropper method for cleanup
2014-09-20 10:52:21 +08:00
9acccfe9ba
Fix description
2014-09-19 17:18:59 -05:00
d826132f87
Delete CVE, add EDB
2014-09-19 17:16:03 -05:00
7afbec9d6c
Land #2890 , @Ahmed-Elhady-Mohamed module for OSVDB 93034
2014-09-19 17:12:49 -05:00
1fa5c8c00c
Add check method
2014-09-19 17:11:16 -05:00
ce0b00bb0b
Change module location and filename
2014-09-19 16:59:35 -05:00
0267e889e2
Use FileDropper
2014-09-19 16:58:21 -05:00
6fd5027e05
Avoid UploadPath datastore option, parse from response
2014-09-19 16:55:28 -05:00
2ce9bdf152
Use target_uri.path.to_s instead of uri
2014-09-19 16:43:40 -05:00
eb55c7108b
Fix indentantion again
2014-09-19 16:41:07 -05:00
cbfb7e600d
Use Rex::MIME::Message
2014-09-19 16:29:09 -05:00
cffb28b5d3
Fix indentantion
2014-09-19 16:18:46 -05:00
c00094ba6e
Land #3345 , @mvdevnull's auxiliary module for OSVDB 106815, Alienvault sqli
2014-09-19 15:01:21 -05:00
62414e2214
Add Timeout to exploit sqli
2014-09-19 15:00:54 -05:00
db6372ec8b
Do minor module cleanup
2014-09-19 14:43:35 -05:00
4a9294e3bf
Mark module as not executable
2014-09-19 14:36:44 -05:00
405ac34a16
Fix author name
2014-09-19 13:56:13 -05:00
79d5fb56d4
Land #3829 , @jhart-r7's UDP emtpy probe scanner
2014-09-19 13:54:35 -05:00
737f77d31a
Cleaner output when PORTS is invalid
2014-09-19 11:12:14 -07:00
3493987300
report_service when we find something this way
2014-09-19 10:45:06 -07:00
43171141da
update for ntp modules
2014-09-19 11:14:11 -04:00
677d035ce8
added proper regex for check function
...
add comment for changed code
2014-09-19 11:30:51 +08:00
a54b23642e
Relocate empty UDP scanner
2014-09-18 12:31:52 -07:00
6cad5d9aeb
Add ManageEngine DeviceExpert User Credentials
2014-09-18 19:18:59 +00:00
5dad73a28f
Explicitly require credential_collection
...
Otherwise, you run into a require ordering problem on some platforms.
This is not a great way to fix this -- but it's a fast way, and possibly
even a good way, since you're being explicit about what your module
requirements are.
2014-09-17 15:47:30 -05:00
64ac1e6b26
Rand padding
2014-09-17 08:09:09 -05:00
50fa5745bb
Rm print_debug line
...
I forgot to remove this line while testing the module
2014-09-16 16:46:40 -05:00
e593a4c898
Add comment about gadgets origin
2014-09-16 16:38:03 -05:00
07c14f5ee8
Land #3388 - Post mod to check Win32_QuickFixEngineering
2014-09-16 16:18:04 -05:00
36a3abe036
Add a reference
2014-09-16 16:17:22 -05:00
80f02c2a05
Make module ready to go
2014-09-16 15:18:11 -05:00
169d04020d
Land #3571 - Add Wordpress XML-RPC Login Scanner (with LoginScanner)
2014-09-16 14:51:24 -05:00
4ed1fa55f5
Don't need this header
2014-09-16 14:50:32 -05:00
35b8c2be4b
Land #3800 , release fixes
2014-09-16 14:05:23 -05:00
59dfa624c4
Add a REMOTE_JS datastore option for BeEf hooks etc.
2014-09-16 13:31:03 -05:00
3e09283ce5
Land #3777 - Fix struts_code_exec_classloader on windows
2014-09-16 13:09:58 -05:00
158d4972d9
More references and pass msftidy
2014-09-16 12:54:27 -05:00
bd17c96a6e
Dropped a hyphen in the title
2014-09-16 12:47:44 -05:00
7a7b6cb443
Some refactoring
...
Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
2014-09-16 17:49:45 +02:00
978803e9d8
add proper regex
2014-09-16 21:49:02 +08:00
4c615ecf94
Module for CVE-2014-5519, phpwiki/ploticus RCE
2014-09-16 00:09:41 +02:00
7d4c4c3658
Land #3699 , @dmaloney-r7's ipboard login refactor
2014-09-15 08:29:42 -05:00
783b03efb6
change line 84 as mubix advice, update disclosure date according to
...
bugtraq security list.
2014-09-15 17:21:05 +08:00
9860ed340e
run msftidy, make correction for CVE format and space at EOL (line 77)
2014-09-15 13:13:25 +08:00
f1d3c44f4f
exploit module for HTTP File Server version 2.3b, exploiting HFS scripting commands 'save' and 'exec'.
2014-09-15 12:59:27 +08:00
74ef83812a
update module vulnerability information
2014-09-15 01:43:18 +08:00
8b4b66fcaa
initial test
2014-09-14 12:26:02 +08:00
3a6066792d
Work in rop chain...
2014-09-13 17:38:19 -05:00
83bf220a10
Land #3730 , @TomSellers's post module for Remote Desktop Connection Manager
2014-09-12 15:38:33 -05:00
5da6a450f1
fix find condition
2014-09-12 15:21:50 -05:00
1749fc73c2
Change module filename
2014-09-12 15:05:33 -05:00
95b6529579
Fix run method
2014-09-12 14:27:25 -05:00
373861abb0
Land #3526 , @jhart-r7's soap_xml scanner cleanup
2014-09-12 13:29:52 -05:00
12f949781a
Use double quote for xml strings
2014-09-12 13:18:48 -05:00
67c0ee654b
Use Gem::Version
2014-09-12 10:35:12 -05:00
0d054d8354
Update with master changes
2014-09-12 09:52:32 -05:00
e2ef927177
Add first version for ZDI-14-255
2014-09-12 08:57:54 -05:00
60b29cbd5e
Fix word splitting problem
2014-09-12 06:50:53 -05:00
8a6a205e39
Land #3724 , NetworkManager creds module
2014-09-12 05:48:35 -05:00
131401f024
Remove unused method
2014-09-12 05:48:11 -05:00
706655f755
Land #3779 , Glassfish LoginScanner exception
...
MSP-11343
2014-09-11 15:57:47 -05:00
d2f2b142b4
Land #3760 , Arris WEP/WPA leak from @dheiland-r7
2014-09-11 15:39:19 -05:00
4fc1ec09c7
Land #3759 , Android UXSS, with ref/desc fixes
...
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)
Also fixes #3782 (opened by accident).
2014-09-11 14:27:51 -05:00
fbba4b32e0
Update the title and desc to be more descriptive
...
See #3759
2014-09-11 14:06:14 -05:00
d627ab7628
Add refs for Android UXSS
...
See #3759
2014-09-11 14:05:50 -05:00
8aa06b8605
Better api for check_setup
2014-09-10 23:43:54 -05:00
c1658e5d51
Add a check_setup method
2014-09-10 20:09:46 -05:00
84e4db9035
Don't raise in the middle
...
MSP-11343
This means we don't bomb out with an unhandled exception, instead
continuing attempting logins against the host even though it will never
succeed. Next up: verify state before running scan!()
2014-09-10 20:09:33 -05:00
872ba6a53b
Update arris_dg950 module with required changes
...
Collapsed several levels of the if/else statement and changed out 2 with
case. Changed print_good to print_line. Removed rescue ::Interrupt and
altered variable names to make them more readable
2014-09-10 19:07:53 -04:00
373eb3dda0
Make struts_code_exec_classloader to work on windows
2014-09-10 18:00:16 -05:00
e317bfe0d5
Add preliminary module for discovering services with empty UDP probes
2014-09-10 10:58:22 -07:00
280e16c241
Land #3677 - Updated shodan_search for new API
2014-09-10 11:39:00 -05:00
006393360e
Add conditions to check healthy shodan results
2014-09-10 11:38:06 -05:00
257f0fc93e
Quick fix for ssh_login_pubkey
...
Fixes #3772 , closes #3774
2014-09-10 09:57:17 -05:00
495e1c14a1
Land #3721 , @brandonprry's module for Railo CVE-2014-5468
2014-09-09 19:10:46 -07:00
26d8432a22
Minor style and usability changes to @brandonprry's #3721
2014-09-09 19:09:45 -07:00
sinn3r
jvazquez-r7
nullbind
James Lee
HD Moore
Ramon de C Valle
Joe Vennix
Samuel Huckins
William Vu
Rob Fuller
Tod Beardsley
Brendan Coles
Jon Hart
Josh Abraham
mfadzilr
Vincent Herbulot
Luke Imhoff
Deral Heiland