b1453afb52
Land #4297 , fixes #4293 , Use OperatingSystems::Match::WINDOWS
...
* instead of Msf::OperatingSystems::WINDOWS
2014-12-12 18:19:58 -06:00
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
488f46c8a1
Land #4324 , payload_exe rightening.
...
Fixes #4323 , but /not/ #4246 .
2014-12-12 15:04:57 -06:00
9908e0e35b
Land #4384 , fix typo.
2014-12-12 14:39:47 -06:00
50b734f996
Add Portuguese target, lands #3961 (also reorders targets)
2014-12-12 14:23:02 -06:00
008c33ff51
Fix description
2014-12-12 13:36:28 -06:00
81460198b0
Add openssl payload to distcc exploit
...
This is required to test #4274
2014-12-12 13:25:55 -06:00
b334e7e0c6
Land #4322 , @FireFart's wordpress exploit for download-manager plugin
2014-12-12 12:41:59 -06:00
aaed7fe957
Make the timeout for the calling payload request lower
2014-12-12 12:41:06 -06:00
00f66b6050
Correct named captures
2014-12-12 10:22:14 -08:00
98dca6161c
Delete unused variable
2014-12-12 12:03:32 -06:00
810bf598b1
Use fail_with
2014-12-12 12:03:12 -06:00
1e6bbc5be8
Use blank?
2014-12-12 09:51:08 -08:00
4f3ac430aa
Land #4341 , @EgiX's module for tuleap PHP Unserialize CVE-2014-8791
2014-12-12 11:48:25 -06:00
64f529dcb0
Modify default timeout for the exploiting request
2014-12-12 11:47:49 -06:00
24f1b916e0
Minor ruby style cleanup
2014-12-12 09:47:35 -08:00
1d1aa5838f
Use Gem::Version to compare versions in check
2014-12-12 09:47:01 -08:00
d01a07b1c7
Add requirement to description
2014-12-12 11:42:45 -06:00
fd09b5c2f6
Fix title
2014-12-12 10:52:18 -06:00
4871228816
Do minor cleanup
2014-12-12 10:52:06 -06:00
0f27c63720
fix msftidy warnings
2014-12-12 13:16:21 +01:00
65b316cd8c
Land #4372
2014-12-11 18:48:16 -08:00
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
de88908493
code style
2014-12-11 23:30:20 +01:00
24dbc28521
Land #4356
2014-12-11 09:03:18 -08:00
0eea9a02a1
Land #3144 , psexec refactoring
2014-12-10 17:30:39 -06:00
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
245b76477e
Fix issue with execution of perl due to gsub not matching across newlines
2014-12-10 21:38:04 +00:00
700ccc71e7
Create tuleap_unserialize_exec.rb
2014-12-09 10:15:46 +01:00
21742b6469
Test #3729
2014-12-06 21:20:52 -06:00
42744e5650
Add actualanalyzer_ant_cookie_exec exploit
2014-12-06 19:09:20 +00:00
2f98a46241
Land #4314 , @todb-r7's module cleanup
2014-12-05 14:05:09 -06:00
7ae786a53b
Add a comment as an excuse to tag the issue
...
Fix #4246
... so it will automatically close the ticket.
2014-12-05 11:26:26 -06:00
f25e3ebaaf
Fix #4246 - More undef 'payload_exe' in other modules
...
Root cause: payload_exe is an accessor in the TFPT command stager
mixin, you need stager_instance in order to retreive that info.
2014-12-05 11:19:58 -06:00
5ea062bb9c
fix bug
2014-12-05 11:30:45 +01:00
55b8d6720d
add wordpress download-manager exploit
2014-12-05 11:17:54 +01:00
e3f7398acd
Fix #4246 - Access payload_exe information correctly
...
This fixes an undef method 'payload_exe' error. We broke this when
all modules started using Msf::Exploit::CmdStager as the only source
to get a command stager payload. The problem with that is "payload_exe"
is an accessor in CmdStagerTFTP, not in CmdStager, so when the module
wants to access that, we trigger the undef method error.
To be exact, this is the actual commit that broke it:
7ced5927d8Fix #4246
2014-12-05 02:08:13 -06:00
52851d59c0
Update GATEWAY to GATEWAY_PROBE_HOST, add GATEWAY_PROBE_PORT
2014-12-04 13:26:16 -08:00
6bd56ac225
Update any modules that deregistered NETMASK
2014-12-04 13:22:06 -08:00
79f2708a6e
Slight fixes to grammar/desc/whitespace
...
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
2fcbcc0c26
Resolve merge conflict for ie_setmousecapture_uaf ( #4213 )
...
Conflicts:
modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
2014-12-03 14:12:15 -06:00
a631ee65f6
Fix #4293 - Use OperatingSystems::Match::WINDOWS
...
Fix #4293 . Modules should use OperatingSystems::Match::WINDOWS
instead of Msf::OperatingSystems::WINDOWS, because the second
won't match anything anymore.
2014-12-02 13:46:27 -06:00
a88ee0911a
Fix os detection
...
See #3373
2014-12-02 01:15:55 -06:00
a42c7a81e7
Fix os detection
...
See #4283
2014-12-02 01:13:51 -06:00
394d132d33
Land #2756 , tincd post-auth BOF exploit
2014-12-01 12:13:37 -06:00
0f973fdf2b
Fix #4284 - Typo "neline" causing the exploit to break
...
"neline" isn't supposed to be there at all.
2014-12-01 01:24:30 -06:00
7a2c9c4c0d
Land #4263 , @jvennix-r7's OSX Mavericks root privilege escalation
...
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
b357fd88a7
Add comment
2014-11-30 21:08:38 -06:00
0ab99549bd
Change ranking
2014-11-30 21:08:12 -06:00
7772da5e3f
Change paths, add makefile and compile
2014-11-30 21:06:11 -06:00
d7d1b72bce
Rename local_variables
2014-11-30 20:40:55 -06:00
d77c02fe43
Delete unnecessary metadata
2014-11-30 20:37:34 -06:00
f7f4a191c1
Land #4255 - CVE-2014-6332 Internet Explorer
2014-11-28 10:12:27 -06:00
2a7d4ed963
Touchup
2014-11-28 10:12:05 -06:00
985838e999
Suggestions from OJ
2014-11-27 21:38:50 +00:00
25ecf73d7d
Add configurable directory, rather than relying on the session working
...
directory.
2014-11-27 17:12:37 +00:00
75e5553cd4
Change to in exploit
2014-11-26 16:53:30 +10:00
9524efa383
Fix banner
2014-11-25 23:14:20 -06:00
16ed90db88
Delete return keyword
2014-11-25 23:11:53 -06:00
85926e1a07
Improve check
2014-11-25 23:11:32 -06:00
5a2d2914a9
Fail on upload errors
2014-11-25 22:48:57 -06:00
b24e641e97
Modify exploit logic
2014-11-25 22:11:43 -06:00
4bbadc44d6
Use Msf::Exploit::FileDropper
2014-11-25 22:00:42 -06:00
7fbd5b63b1
Delete the Rex::MIME::Message gsub
2014-11-25 21:54:50 -06:00
eaa41e9a94
Added reference
2014-11-25 21:37:04 -06:00
2c207597dc
Use single quotes
2014-11-25 18:30:25 -06:00
674ceeed40
Do minor cleanup
2014-11-25 18:26:41 -06:00
6ceb47619a
Change module filename
2014-11-25 18:09:15 -06:00
1305d56901
Update from upstream master
2014-11-25 18:07:13 -06:00
3a5de9970f
Update description, rename xnu_ver -> osx_ver.
2014-11-25 12:38:29 -06:00
7a3fb12124
Add an OSX privilege escalation from Google's Project Zero.
2014-11-25 12:34:16 -06:00
583494c0db
use BrowserExploitServer
2014-11-24 18:49:27 +01:00
08a67d78c5
module for CVE-2014-6332.
2014-11-24 08:25:18 +01:00
9e9954e831
fix placeholder to show the firmware version I used
2014-11-19 21:23:39 +01:00
a718e6f83e
add exploit for r7-2014-18 / CVE-2014-4880
2014-11-19 21:07:02 +01:00
a9cb6e0d2f
Add jduck as an author on samsung_knox_smdm_url
2014-11-19 10:18:08 -06:00
1d0d5582c1
Remove datastore options
2014-11-19 15:05:36 +00:00
7004c501f8
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2
...
Conflicts:
modules/exploits/windows/smb/psexec.rb
2014-11-19 14:40:50 +00:00
542eb6e301
Handle exception in brute force exploits
2014-11-18 12:17:10 -08:00
60e31cb342
Allow sunrpc_create to raise on its own
2014-11-18 12:17:10 -08:00
7daedac399
Land #3972 @jhart-r7's post gather module for remmina Remmina
...
* Gather credentials managed with Remmina
2014-11-17 16:44:41 -06:00
286827c6e5
Land #4186 , Samsung KNOX exploit. Ty @jvennix-r7!
2014-11-17 13:29:39 -06:00
39980c7e87
Fix up KNOX caps, descriptive description
2014-11-17 13:29:00 -06:00
0f41bdc8b8
Add an OSVDB ref
2014-11-17 13:26:21 -06:00
145e610c0f
Avoid shadowing new method
2014-11-17 12:22:30 -06:00
91ba25a898
Land #4208 , psexec delay fix
2014-11-17 11:35:56 -06:00
cd61975966
Change puts to vprint_debug.
2014-11-17 10:13:13 -06:00
9243cfdbb7
Minor fixes to ruby style things
2014-11-17 17:12:17 +01:00
2a24151fa8
Remove BAP target, payload is flaky. Add warning.
2014-11-17 02:02:37 -06:00
9fe4994492
Chris McNab has been working with MITRE to add these CVEs
...
These CVEs are not live yet, but have been confirmed by cve-assign
t
2014-11-16 18:42:53 -06:00
5de69ab6a6
minor syntax fixes.
2014-11-15 21:39:37 -06:00
3fb6ee4f7d
Remove dead constant.
2014-11-15 21:38:11 -06:00
7a62b71839
Some URL fixes from @jduck and exploit ideas from Andre Moulu.
...
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
2014-11-15 21:33:16 -06:00
28135bcb09
Land #4159 , MantisBT PHP code execution by @itseco
2014-11-15 07:49:54 +01:00
27d5ed624f
fix for IE9 exploit config
2014-11-14 17:21:59 -08:00
17ab0cf96e
ADD winxpIE8 exploit for MS13-080
2014-11-14 17:16:51 -08:00
e194d5490d
See #4162 - Don't delay before deleting a file via SMB
...
So I was looking at issue #4162 , and on my box I was seeing this
problem of the exploit failing to delete the payload in C:\Windows,
and the error was "Rex::Proto::SMB::Exceptions::NoReply The SMB
server did not reply to our request". I ended up removing the sleep(),
and that got it to function properly again. The box was a Win 7 SP1.
I also tested other Winodws boxes such as Win XP SP3, Windows Server
2008 SP2 and not having the sleep() doesn't seem to break anything.
So I don't even know why someone had to add the sleep() in the first
place.
2014-11-14 15:45:37 -06:00
ee9b1aa83a
Manage Rex::ConnectionRefused exceptions
2014-11-14 10:53:03 -06:00
428fe00183
Handle Rex::ConnectionTimeout
2014-11-13 22:34:28 -06:00
57aef9a6f5
Land #4177 , @hmoore-r7's fix for #4169
2014-11-13 18:29:57 -08:00
4a0e9b28a4
Use peer
2014-11-13 19:26:01 -06:00
4a06065774
Manage Exceptions to not wait the full wfs_delay
2014-11-13 19:17:09 -06:00
73ce4cbeaa
Use primer
2014-11-13 18:21:19 -06:00
0bcb99c47d
Fix metadata
2014-11-13 18:00:11 -06:00
a5c8152f50
Use fail_with
2014-11-13 17:57:26 -06:00
6ddf6c3863
Fail when the loader cannot find the java payload class
2014-11-13 17:55:49 -06:00
3faa48d810
small bugfix
2014-11-13 22:51:41 +01:00
7d6b6cba43
some changes
2014-11-13 22:46:53 +01:00
dd1920edd6
Minor typos and grammar fixes
2014-11-13 14:48:23 -06:00
17032b1eed
Fix issue reported by FireFart
2014-11-13 04:48:45 -05:00
31f3aa1f6d
Refactor create packager methods
2014-11-13 01:16:15 -06:00
38a96e3cfc
Update target info
2014-11-13 00:56:42 -06:00
e25b6145f9
Add module for MS14-064 bypassing UAC through python for windows
2014-11-13 00:56:10 -06:00
ea6d8860a1
Not root, just arbitrary permissions.
2014-11-12 21:51:55 -06:00
1895311911
Change URL to single line.
2014-11-12 10:56:51 -06:00
8689b0adef
Add module for samsung knox root exploit.
2014-11-12 09:53:20 -06:00
c35dc2e6b3
Add module for CVE-2014-6352
2014-11-12 01:10:49 -06:00
6b4eb9a8e2
Differentiate failed binds from connects, closes #4169
...
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:
1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.
Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
ac17780f6d
Fix by @FireFart to recover communication with the application after a meterpreter session
2014-11-11 05:49:18 -05:00
6bf1f613b6
Fix issues reported by FireFart
2014-11-11 00:41:58 -05:00
d4bbf0fe39
Fix issues reported by wchen-r7 and mmetince
2014-11-10 15:27:10 -05:00
9d848c8c3b
Adding tincd post-auth stack buffer overflow exploit module for several OS
...
Minor changes to comments
Updated URLs
Added Fedora ROP, cleaned up
Fixing URLs again, typos
Added support for Archlinux (new target)
Added support for OpenSuse (new target)
Tincd is now a separate file, uses the TCP mixin/REX sockets.
Started ARM exploiting
Style changes, improvements according to egyp7's comments
Style changes according to sane rubocop messages
RSA key length other than 256 supported. Different key lengths for client/server supported.
Drop location for binary can be customized
Refactoring: Replaced pop_inbuffer with slice
Refactoring: fail_with is called, renamed method to send_recv to match other protocol classes,
using rand_text_alpha instead of hardcoded \x90,
Fixed fail command usage
Version exploiting ARM with ASLR brute force
Cleaned up version with nicer program flow
More elegant solution for data too large for modulus
Minor changes in comments only (comment about firewalld)
Correct usage of the TCP mixin
Fixes module option so that the path to drop the binary on the server is not validated against the local filesystem
Added comments
Minor edits
Space removal at EOL according to msftidy
2014-11-10 12:03:17 +01:00
0e772cc338
Land #4161 , "stop" NilClass fix
2014-11-09 19:37:32 -06:00
cd0dbc0e24
Missed another
2014-11-09 14:06:39 -06:00
9cce7643ab
update description and fix typos
2014-11-09 09:10:01 -05:00
5d17637038
Add CVE-2014-7146 PHP Code Execution for MantisBT
2014-11-09 08:00:44 -05:00
2b7d25950b
Land #4148 , @wchen-r7 fixed #4133
2014-11-07 08:26:29 -08:00
0dbfecba36
Better method name
...
Should be srvhost, not lhost
2014-11-07 02:23:34 -06:00
7b25e3be75
Land #4139 , Visual Mining NetCharts
...
landed after some touch up
2014-11-06 22:52:41 -06:00
7510fb40aa
touch up visual_mining_netcharts_upload
2014-11-06 22:50:20 -06:00
579481e5f8
Explain why I did this
...
Also tagging Fix #4133
2014-11-06 14:25:11 -06:00
f210ade253
Use SRVHOST for msvidctl_mpeg2
2014-11-06 14:23:21 -06:00
f7e308cae8
Land #4110 - Citrix Netscaler BoF
2014-11-06 00:04:17 -06:00
54c1e13a98
Land #4140 , @wchen-r7's default template for adobe_pdf_embedded_exe
...
* Fixes #4134
* Adds a default PDF template
2014-11-05 20:21:14 -06:00
adefb2326e
Land #4124 , @wchen-r7 fixes #4115 adding HTTP auth support to iis_webdav_upload_asp
2014-11-05 18:14:33 -06:00
1b2554bc0d
Add a default template for CVE-2010-1240 PDF exploit
2014-11-05 17:08:38 -06:00
79cabc6d68
Fix clean up
2014-11-05 15:46:33 -06:00
c08993a9c0
Add module for ZDI-14-372
2014-11-05 15:31:20 -06:00
400ef51897
Land #4076 , exploit for x7chat PHP application
2014-11-03 18:22:04 -06:00
3bf7473ac2
Add github pull request as reference
2014-11-03 18:18:42 -06:00
44a2f366cf
Switch ranking
2014-11-03 18:06:09 -06:00
039d3cf9ae
Do minor cleanup
2014-11-03 18:04:30 -06:00
7e4248b601
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04
2014-11-03 16:42:50 -05:00
9a27984ac1
switch from error to switch
2014-11-03 13:56:41 -06:00
a823ca6b2f
Add support for HTTP authentication. And more informative.
2014-11-03 13:46:53 -06:00
51b96cb85b
Cosmetic title/desc updates
2014-11-03 13:37:45 -06:00
40bf44bd05
Don't allow 127.0.0.1 as SRVHOST
2014-10-31 08:19:15 -05:00
7d2fa9ee94
Delete unnecessary to_s
2014-10-30 22:59:22 -05:00
64f4777407
Land #4091 - Xerox DLM injection
2014-10-30 22:15:16 -05:00
b7a1722b46
Pass msftidy, more descriptive name and description
2014-10-30 22:14:18 -05:00
jvazquez-r7
HD Moore
Tod Beardsley
Jon Hart
Christian Mehlmauer
Meatballs
Marc Wickenden
EgiX
Brendan Coles
William Vu
sinn3r
Rasta Mouse
OJ
Joe Vennix
spdfire
Mark Schloesser
floyd
Rich Lundeen
Juan Escobar
Joshua Smith