Commit Graph

1412 Commits (3fdd3d36516549eb498662c64ca31d38a46ee239)

Author SHA1 Message Date
Ewerson Guimaraes (Crash) 6250983fb4 Update
Update
2015-09-03 20:29:57 +02:00
James Lee b4547711f3
Add certutil support.
Tested while landing #5736
2015-09-03 13:27:10 -05:00
HD Moore cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer 3e613dc333
change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17
change exitfunc to thread 2015-09-01 10:42:15 +02:00
Ewerson Guimaraes (Crash) 252e80e793 Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
2015-08-31 23:57:39 +02:00
Brent Cook d670a62000
Land #5822, migrate obsolete payload compatibility options 2015-08-31 15:20:20 -05:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
William Vu c94a185610
Land #5697, Werkzeug debug RCE 2015-08-13 13:32:27 -05:00
William Vu d54ee19ce9 Clean up module 2015-08-13 13:32:22 -05:00
jvazquez-r7 203c231b74
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00
h00die eab9b3bf5b interpolation fix on secret 2015-08-01 14:39:12 -04:00
h00die ceb49a51a6 thanks @espreto for help 2015-08-01 11:11:37 -04:00
h00die 4561241609 updates per @jvazquez-r7 comments 2015-07-24 20:34:40 -04:00
jvazquez-r7 2c9183fa56
Return check code 2015-07-24 16:14:43 -05:00
jvazquez-r7 a163606513
Delete unused SLEEP option 2015-07-24 15:29:56 -05:00
jvazquez-r7 1b1ac09d2a Merge to solve conflicts 2015-07-24 15:24:29 -05:00
Tod Beardsley cadb03bac0
Fix my own blasted typo, ty @wvu-r7 2015-07-20 17:14:34 -05:00
Tod Beardsley f7c11d0852
More cleanups
Edited modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
first landed in #5678, adobe_flash_hacking_team_uaf.rb

Edited
modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
first landed in #5698, Adobe Flash CVE-2015-5122 opaqueBackground

Edited modules/exploits/multi/http/sysaid_auth_file_upload.rb first
landed in #5471, @pedrib's module for SysAid CVE-2015-2994

Edited modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb first
landed in #5473 Correct spelling of sysaid module
2015-07-20 16:29:49 -05:00
Tod Beardsley ab6204ca2e
Correct spelling of sysaid module
First landed in #5473.
2015-07-20 16:21:50 -05:00
Pedro Ribeiro 3fe165a265 Remove whitespace at the end 2015-07-18 20:18:34 +01:00
Pedro Ribeiro 70a2247941 Pick target is not needed... 2015-07-18 20:12:49 +01:00
Pedro Ribeiro 7483e77bba Fix Linux target by trying again if exploit fails 2015-07-18 20:12:13 +01:00
jvazquez-r7 4e6b00fe31
Land #5473, @pedrib's exploit for Sysaid CVE-2015-2994
* sysaid rdslogs arbitrary file upload
2015-07-17 12:10:40 -05:00
jvazquez-r7 00adbd7f64 Fix quotes 2015-07-17 12:09:54 -05:00
jvazquez-r7 57c4a3387b
Fix paths for windows and cleanup 2015-07-17 12:09:18 -05:00
jvazquez-r7 46ffb97c1c
Land #5471, @pedrib's module for SysAid CVE-2015-2994
* sysaid arbitrary file upload
2015-07-17 11:27:22 -05:00
jvazquez-r7 309a86ec57
Do code cleanup 2015-07-17 11:26:54 -05:00
h00die 57f62ffa76 changed URI to TARGETURI as per comments 2015-07-13 20:18:45 -04:00
h00die 8819674522 updated per feedback from PR 2015-07-11 21:03:02 -04:00
h00die bff92f2304 Initial add 2015-07-10 21:13:12 -04:00
h00die 1d50bda609 initial add of blank file 2015-06-27 21:38:25 -04:00
jvazquez-r7 a10fa02b00
Land #5606, @wchen-r7's glassfish fixes 2015-06-26 14:12:50 -05:00
wchen-r7 3b5e2a0c6e Use TARGETURI 2015-06-26 14:02:17 -05:00
wchen-r7 b46e1be22f
Land #5371, Add file checking to the on_new_session cleanup 2015-06-26 13:33:57 -05:00
wchen-r7 c70e38a14e Do more reporting 2015-06-25 22:39:56 -05:00
wchen-r7 5ef4cc2bb4 Save creds 2015-06-25 17:10:20 -05:00
wchen-r7 1a371b11b0 Update description 2015-06-25 17:04:31 -05:00
wchen-r7 c330d10403 Make SSL as a basic option
Also:

Fix #5558
2015-06-25 02:06:51 -05:00
wchen-r7 5c98da05fb This works for Glassfish 4.0 & 9.1 2015-06-25 01:58:24 -05:00
wchen-r7 c826785ebb Fix auth bypass 2015-06-24 19:49:04 -05:00
wchen-r7 8e4fa80728 This looks good so far 2015-06-24 19:30:02 -05:00
wchen-r7 380af29482 Progress? 2015-06-24 14:17:45 -05:00
wchen-r7 6046994138 version does not return nil 2015-06-23 10:31:01 -05:00
Pedro Ribeiro ea49fd2fdc Update sysaid_rdslogs_fle_upload.rb 2015-06-20 16:59:28 +01:00
Pedro Ribeiro 3181d76e63 Update sysaid_auth_file_upload.rb 2015-06-20 16:53:33 +01:00
William Vu b994801172 Revert auto tab replacement 2015-06-19 11:22:40 -05:00
g0tmi1k ce9481d2b7 Inconstancy - If datastore['VERBOSE'] vs vprint 2015-06-18 09:27:01 +01:00
Pedro Ribeiro d5b33a0074 Update sysaid_rdslogs_fle_upload.rb 2015-06-03 22:01:13 +01:00
Pedro Ribeiro 37827be10f Update sysaid_auth_file_upload.rb 2015-06-03 22:00:44 +01:00
Pedro Ribeiro 62993c35d3 Create sysaid_rdslogs_fle_upload.rb 2015-06-03 21:45:14 +01:00
Pedro Ribeiro 193b7bcd2e Create sysaid_auth_file_upload.rb 2015-06-03 21:44:02 +01:00
jvazquez-r7 0fb21af247
Verify deletion at on_new_session moment 2015-05-11 18:56:18 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
William Vu 2f2169af90 Use single quotes consistently 2015-05-07 22:39:36 -05:00
Brent Cook a066105a86 prefer reading directly with MetasploitPayloads where possible 2015-05-07 16:59:02 -05:00
William Vu b8c7161819 Fix up NameError'd payload_exe 2015-05-06 11:34:05 -05:00
Brent Cook a0c806c213 Update java meterpreter and payload references to use metasploit-payloads 2015-05-05 15:01:00 -05:00
jvazquez-r7 a531ad9ec2
Land #5096, @pedrib's exploit for Novell ZCM CVE-2015-0779 2015-05-01 14:35:28 -05:00
jvazquez-r7 0ff33572a7
Fix waiting loop 2015-05-01 14:34:43 -05:00
jvazquez-r7 645f239d94
Change module filename 2015-05-01 14:18:34 -05:00
jvazquez-r7 11a3f59b0b
Return false if there isn't a positive answer 2015-05-01 14:06:57 -05:00
jvazquez-r7 093c2e3ace
Do minor style cleanup 2015-05-01 13:56:48 -05:00
jvazquez-r7 d38adef5cc
Make TOMCAT_PATH optional 2015-05-01 13:54:39 -05:00
jvazquez-r7 d2a7d83f71
Avoid long sleep times 2015-05-01 13:51:52 -05:00
jvazquez-r7 8fcf0c558d
Use single quotes 2015-05-01 13:20:27 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer 8c5890d506
more fixes 2015-04-16 21:56:42 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
Christian Mehlmauer 4dc402fd3c
moar fail_with's 2015-04-16 21:16:52 +02:00
Jon Cave c6f062d49e Ensure that local variable `upload_path` is defined
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
Pedro Ribeiro 4808d61af3 Add OSVDB id and full disclosure URL 2015-04-09 16:32:22 +01:00
Pedro Ribeiro cf8b92b747 Create zcm_file_upload.rb 2015-04-07 16:05:51 +01:00
William Vu e1af495d21 Add extra release fixes 2015-04-06 13:08:40 -05:00
Tod Beardsley 1e6d895975
Description fixes on #4784, jboss exploit
Also, needed to run through msftidy.

[See #4784]
2015-04-06 12:34:49 -05:00
William Vu 56dc7afea6
Land #5068, @todb-r7's module author cleanup 2015-04-03 16:00:36 -05:00
scriptjunkie 0f7c644fff
Land #4784, JBoss Seam 2 upload exec exploit 2015-04-02 22:32:35 -05:00
Tod Beardsley 4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
Tod Beardsley 6532fad579
Remove credits to Alligator Security Team
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.

The one that didn't was credited to dflah_ specifically, so merely
changed the author name.

Longer description, if needed, wrapped at 72 characters.

[See #5012]
2015-04-02 15:12:22 -05:00
g0tmi1k 127d07342e Remove trailing space 2015-03-20 01:36:56 +00:00
g0tmi1k 7426e72317 Grammar - traq_plugin_exec 2015-03-20 01:31:01 +00:00
g0tmi1k 5709d49aae Clean up traq_plugin_exec 2015-03-20 01:19:46 +00:00
jvazquez-r7 b6146b1499 Use print_warning 2015-03-12 17:22:03 -05:00
Julian Vilas fe822f8d33 Modify automatic file cleanup 2015-03-10 00:45:20 +01:00
Julian Vilas 0ef303cb6c Fix Java payload 2015-03-10 00:01:27 +01:00
Julian Vilas 2eb0011a99 Autotrigger JSP shell at docBase 2015-03-07 20:41:08 +01:00
Julian Vilas 3be2bde5a2 Use bypass for bulletin S2-020 2015-03-07 19:14:20 +01:00
jvazquez-r7 9f3f8bb727
Merging #3323 work 2015-03-05 15:44:15 -06:00
jvazquez-r7 c388fd49c2 Fix print message 2015-03-05 15:43:54 -06:00
jvazquez-r7 e1a4b046a0 Add support for tomcat 7 to struts_code_exec_classloader 2015-03-05 15:40:24 -06:00
sinn3r 8978b1d7b5 Add a version 2015-03-05 11:29:44 -06:00
Ricardo Almeida 32188f09d6 Update phpmoadmin_exec.rb
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
Ricardo Almeida 95962aab0d Update phpmoadmin_exec.rb
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.

Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
Ricardo Almeida 9530e15c81 Update phpmoadmin_exec.rb
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
Ricardo Almeida c19895ac85 Update phpmoadmin_exec.rb
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
Ricardo Almeida 4d67e0e1bb Add PHPMoAdmin RCE 2015-03-04 18:17:31 +00:00
vulp1n3 69b37976c1 Fix disclosure date. 2015-02-17 17:29:52 -08:00
vulp1n3 a19a5328f1 Add JBoss Seam 2 upload execute module
Versions of the JBoss Seam 2 framework  < 2.2.1CR2 fails to properly
sanitize inputs to some JBoss Expression Language expressions.  As a
result, attackers can gain remote code execution through the
application server.  This module leverages RCE to upload and execute
a meterpreter payload. CVE-2010-1871
2015-02-17 17:25:01 -08:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
William Vu a7156cf4a8
Fix zabbix_script_exec datastore 2015-02-05 02:53:22 -06:00
jvazquez-r7 fbf32669c6 Use single quote 2015-02-04 09:47:27 -06:00
julianvilas de09559cc8 Change HTTP requests to succeed when going through HTTP proxies 2015-02-04 15:32:14 +01:00
Julian Vilas f983c8171e Modify description to match both Struts 1.x and 2.x versions 2015-01-30 12:35:38 +01:00
Julian Vilas 1a11ae4021 Add new references about Struts 1 2015-01-29 23:27:52 +01:00
Julian Vilas 4cc5844baf Add Struts 1 support 2015-01-29 23:12:34 +01:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
jvazquez-r7 d8aa282482 Delete some double quotes 2015-01-22 18:21:25 -06:00
jvazquez-r7 4c72b096b6 Switch variable from file_name to operation 2015-01-22 18:20:11 -06:00
jvazquez-r7 b003d8f750 Do final cleanup 2015-01-22 18:17:14 -06:00
jvazquez-r7 911485f536 Use easier key name 2015-01-22 18:11:48 -06:00
jvazquez-r7 eff49b5fd3 Delete files with Rex::Java::Serialization 2015-01-22 17:59:43 -06:00
jvazquez-r7 37bf66b994 Install instaget with Rex::Java::Serialization 2015-01-22 16:54:49 -06:00
jvazquez-r7 20d7fe631e Auto detect platform without raw streams 2015-01-22 15:15:08 -06:00
jvazquez-r7 ad276f0d52 Retrieve version with Rex::Java::Serialization instead of binary streams 2015-01-22 14:52:19 -06:00
jvazquez-r7 f7aaad1cf1
Delete some extraneous commas 2015-01-19 17:25:45 -06:00
jvazquez-r7 dbc77a2857
Land #4517, @pedrib's exploit for ManageEngine Multiple Products Authenticated File Upload
* CVE-2014-5301
2015-01-19 17:23:39 -06:00
jvazquez-r7 6403098fbc Avoid sleep(), survey instead 2015-01-19 17:22:04 -06:00
jvazquez-r7 a6e351ef5d Delete unnecessary request 2015-01-19 17:14:23 -06:00
jvazquez-r7 ed26a2fd77 Avoid modify datastore options 2015-01-19 17:11:31 -06:00
jvazquez-r7 3c0efe4a7e Do minor style changes 2015-01-19 15:36:05 -06:00
jvazquez-r7 ddda0b2f4b Beautify metadata 2015-01-19 14:59:31 -06:00
Pedro Ribeiro 3768cf0a69 Change version to int and add proper timestamp 2015-01-14 22:59:11 +00:00
David Lanner c5cfc11d84 fix cookie regex by removing a space 2015-01-12 23:13:18 -05:00
Pedro Ribeiro c76aec60b0 Add OSVDB id and full disclosure URL 2015-01-08 23:29:38 +00:00
William Vu ea793802cc
Land #4528, mantisbt_php_exec improvements 2015-01-08 04:50:00 -06:00
sinn3r ef97d15158 Fix msftidy and make sure all print_*s in check() are vprint_*s 2015-01-07 12:12:25 -06:00
James Lee 3e80efb5a8
Land #4521, Pandora FMS upload 2015-01-07 11:13:57 -06:00
James Lee 1ccef7dc3c
Shorter timeout so we get shell sooner
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
James Lee efe83a4f31
Whitespace 2015-01-07 10:19:17 -06:00
Christian Mehlmauer 09bd0465cf
fix regex 2015-01-07 11:54:55 +01:00
rcnunez b3def856fd Applied changes recommended by jlee-r7
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
Christian Mehlmauer eaad4e0bea
fix check method 2015-01-07 11:01:08 +01:00
Christian Mehlmauer 862af074e9
fix bug 2015-01-07 09:10:50 +01:00
Christian Mehlmauer d007b72ab3
favor include? over =~ 2015-01-07 07:33:16 +01:00
Christian Mehlmauer 4277c20a83
use include? 2015-01-07 06:51:28 +01:00
Christian Mehlmauer 39e33739ea
support for anonymous login 2015-01-07 00:08:04 +01:00
Christian Mehlmauer bf0bdd00df
added some links, use the res variable 2015-01-06 23:25:11 +01:00
Christian Mehlmauer f9f2bc07ac
some improvements to the mantis module 2015-01-06 11:33:45 +01:00
rcnunez 547b7f2752 Syntax and File Upload BugFix
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
Pedro Ribeiro c9b76a806a Create manageengine_auth_upload.rb 2015-01-04 17:05:53 +00:00
Tod Beardsley c1718fa490
Land #4440, git client exploit from @jhart-r7
Also fixes #4435 and makes progress against #4445.
2015-01-01 13:18:43 -06:00
Tod Beardsley d7564f47cc
Move Mercurial option to advanced, update ref url
See #4440
2015-01-01 13:08:36 -06:00
Tod Beardsley 914c724abe
Rename module
See rapid7#4440
2015-01-01 13:03:17 -06:00
Jon Hart 65977c9762
Add some more useful URLs 2014-12-31 10:54:04 -08:00
Christian Mehlmauer 96fe693c54
update drupal regex 2014-12-30 09:12:39 +01:00
Jon Hart 51049152b6
Use Rex::Text.rand_mail_address for more realistic fake commit 2014-12-26 10:39:52 -08:00
Jon Hart a692656ab7
Update comments to reflect reality, minor cleanup 2014-12-23 19:09:45 -08:00
Jon Hart 59f75709ea
Print out malicious URLs that will be used by default 2014-12-23 10:10:31 -08:00
Jon Hart 905f483915
Remove unused and commented URIPATH 2014-12-23 09:40:27 -08:00
Jon Hart 8e57688f04
Use random URIs by default, different method for enabling/disabling Git/Mercurial 2014-12-23 09:39:39 -08:00
Jon Hart bd3dc8a5e7
Use fail_with rather than fail 2014-12-23 08:20:03 -08:00
Jon Hart 015b96a24a
Add back perl and bash related payloads since Windows git will have these and OS X should 2014-12-23 08:13:00 -08:00
Meatballs 16302f752e
Enable generic command 2014-12-23 14:22:26 +00:00
Meatballs a3b0b9de62
Configure module to target bash by default 2014-12-23 14:19:51 +00:00
Meatballs 313d6cc2f8
Add super call 2014-12-23 14:12:47 +00:00
Meatballs 43221d4cb0
Remove redundant debugging stuff 2014-12-23 14:09:12 +00:00
Meatballs 42a10d6d50
Add Powershell target 2014-12-23 14:07:57 +00:00
Jon Hart abec7c206b
Update description to describe current limitations 2014-12-22 20:32:45 -08:00
Jon Hart 1505588bf6
Rename the file to reflect what it really is 2014-12-22 20:27:40 -08:00
Jon Hart ff440ed5a4
Describe vulns in more detail, add more URLs 2014-12-22 20:20:48 -08:00
Jon Hart b4f6d984dc
Minor style cleanup 2014-12-22 17:51:35 -08:00
Jon Hart 421fc20964
Partial mercurial support. Still need to implement bundle format 2014-12-22 17:44:14 -08:00
Jon Hart fdd1d085ff
Don't encode the payload because this only complicates OS X 2014-12-22 13:36:38 -08:00
Jon Hart ea9f5ed6ca
Minor cleanup 2014-12-22 12:16:53 -08:00
Jon Hart dd73424bd1
Don't link to unused repositories 2014-12-22 12:04:55 -08:00
Jon Hart 6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off 2014-12-22 11:36:50 -08:00
Jon Hart 574d3624a7
Clean up setup_git verbose printing 2014-12-22 11:09:08 -08:00
Jon Hart 16543012d7
Correct planted clone commands 2014-12-22 10:56:33 -08:00
Jon Hart 01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested 2014-12-22 10:43:54 -08:00
Jon Hart 3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos 2014-12-22 10:03:30 -08:00
Jon Hart 308eea0c2c
Make malicious hook file name be customizable 2014-12-22 08:28:55 -08:00
Jon Hart 7f3cfd2207
Add a ranking 2014-12-22 07:51:47 -08:00
Jon Hart 74783b1c78
Remove ruby and telnet requirement 2014-12-21 10:06:06 -08:00
Jon Hart 31f320c901
Add mercurial debugging 2014-12-20 20:00:12 -08:00
Jon Hart 3da1152743
Add better logging. Split out git support in prep for mercurial 2014-12-20 19:34:55 -08:00
Jon Hart 58d5b15141
Add another useful URL. Use a more git-like URIPATH 2014-12-20 19:11:56 -08:00
Jon Hart f41d0fe3ac
Randomize most everything about the malicious commit 2014-12-19 19:31:00 -08:00
Jon Hart 805241064a
Create a partially capitalized .git directory 2014-12-19 19:07:45 -08:00
Jon Hart f7630c05f8
Use payload.encoded 2014-12-19 18:52:34 -08:00
Jon Hart 7f2247f86d
Add description and URL 2014-12-19 15:50:16 -08:00
Jon Hart 9b815ea0df
Some style cleanup 2014-12-19 15:35:09 -08:00
Jon Hart 4d0b5d1a50
Add some vprints and use a sane URIPATH 2014-12-19 15:33:26 -08:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart 48444a27af
Remove debugging pp 2014-12-19 15:27:06 -08:00
Jon Hart 1c7fb7cc7d
Mostly working exploit for CVE-2014-9390 2014-12-19 15:24:27 -08:00
Jon Hart 4888ebe68d
Initial commit of POC module for CVE-2013-9390 (#4435) 2014-12-19 12:58:02 -08:00
rcnunez 223d6b7923 Merged with Fr330wn4g3's changes 2014-12-14 13:08:19 +08:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
jvazquez-r7 21742b6469 Test #3729 2014-12-06 21:20:52 -06:00
Christian Mehlmauer 28135bcb09
Land #4159, MantisBT PHP code execution by @itseco 2014-11-15 07:49:54 +01:00
Christian Mehlmauer 3faa48d810 small bugfix 2014-11-13 22:51:41 +01:00
Christian Mehlmauer 7d6b6cba43 some changes 2014-11-13 22:46:53 +01:00
Tod Beardsley dd1920edd6
Minor typos and grammar fixes 2014-11-13 14:48:23 -06:00
Juan Escobar 17032b1eed Fix issue reported by FireFart 2014-11-13 04:48:45 -05:00
Juan Escobar ac17780f6d Fix by @FireFart to recover communication with the application after a meterpreter session 2014-11-11 05:49:18 -05:00
Juan Escobar 6bf1f613b6 Fix issues reported by FireFart 2014-11-11 00:41:58 -05:00
Juan Escobar d4bbf0fe39 Fix issues reported by wchen-r7 and mmetince 2014-11-10 15:27:10 -05:00
sinn3r cd0dbc0e24 Missed another 2014-11-09 14:06:39 -06:00
Juan Escobar 9cce7643ab update description and fix typos 2014-11-09 09:10:01 -05:00
Juan Escobar 5d17637038 Add CVE-2014-7146 PHP Code Execution for MantisBT 2014-11-09 08:00:44 -05:00
Joshua Smith 7510fb40aa touch up visual_mining_netcharts_upload 2014-11-06 22:50:20 -06:00
jvazquez-r7 79cabc6d68 Fix clean up 2014-11-05 15:46:33 -06:00
jvazquez-r7 c08993a9c0 Add module for ZDI-14-372 2014-11-05 15:31:20 -06:00
jvazquez-r7 400ef51897
Land #4076, exploit for x7chat PHP application 2014-11-03 18:22:04 -06:00
jvazquez-r7 3bf7473ac2 Add github pull request as reference 2014-11-03 18:18:42 -06:00
jvazquez-r7 44a2f366cf Switch ranking 2014-11-03 18:06:09 -06:00
jvazquez-r7 039d3cf9ae Do minor cleanup 2014-11-03 18:04:30 -06:00
Juan Escobar 7e4248b601 Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00
Tod Beardsley 51b96cb85b
Cosmetic title/desc updates 2014-11-03 13:37:45 -06:00
Jon Hart 1a37a6638c Fix splunk_upload_app_exec to work on new installs. Style 2014-10-30 18:28:56 -07:00
Jon Hart 55f245f20f
Merge #3507 into local, recently updated branch of master for landing 2014-10-30 17:28:20 -07:00
Juan Escobar 2e53027bb6 Fix value of X7C2P cookie and typo 2014-10-29 08:32:36 -05:00
Juan Escobar 9f21ac8ba2 Fix issues reported by wchen-r7 2014-10-28 21:31:33 -05:00
William Vu 71a6ec8b12
Land #4093, cups_bash_env_exec CVE-2014-6278 2014-10-28 12:47:51 -05:00
Brendan Coles 57baf0f393 Add support for CVE-2014-6278 2014-10-28 17:10:19 +00:00
William Vu 3de5c43cf4
Land #4050, CUPS Shellshock
Bashbleeded!!!!!!!!!!!
2014-10-28 11:59:31 -05:00
Brendan Coles 78b199fe72 Remove CVE-2014-6278 2014-10-28 16:18:24 +00:00
Brendan Coles a060fec760 Detect version in check() 2014-10-28 12:28:18 +00:00
Juan Escobar 2ba2388889 Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
Juan Escobar 848f24a68c update module description 2014-10-27 02:07:16 -05:00
root d66dc88924 Add PHP Code Execution for X7 Chat 2.0.5 2014-10-27 01:01:31 -05:00
Brendan Coles 554935e60b Add check() and support CVE-2014-6278 2014-10-26 18:11:36 +00:00
Spencer McIntyre f886ab6f97
Land #4020, Jenkins-CI CSRF token support 2014-10-20 19:03:24 -04:00
Spencer McIntyre 005baa7f7e Retry the script page request to get the token
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
2014-10-19 14:04:16 -04:00
Brendan Coles 0ede70e7f6 Add exploit module for CUPS shellshock 2014-10-19 17:58:49 +00:00
William Vu 10f3969079
Land #4043, s/http/http:/ splat
What is a splat?
2014-10-17 13:41:07 -05:00
William Vu a514e3ea16
Fix bad indent (should be spaces)
msftidy is happy now.
2014-10-17 12:39:25 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Brandon Perry 353d2f79cc tweak pw generation 2014-10-16 12:06:19 -07:00
Brandon Perry 5f8c0cb4f3 Merge branch 'drupal' of https://github.com/FireFart/metasploit-framework into drupageddon 2014-10-16 11:53:54 -07:00
Christian Mehlmauer c8dd08f605 password hashing 2014-10-17 15:52:47 +02:00
Brandon Perry 23b7b8e400 fix for version 7.0-7.31 2014-10-16 11:53:48 -07:00
Brandon Perry 9bab77ece6 add urls 2014-10-16 10:36:37 -07:00
Brandon Perry b031ce4df3 Create drupal_drupageddon.rb 2014-10-16 16:42:47 -05:00
Brandon Perry 5c4ac48db7 update the drupal module a bit with error checking 2014-10-16 10:32:39 -07:00
Fernando Munoz 4c2ae1a753 Fix jenkins when CSRF is enabled 2014-10-14 19:33:23 -05:00
Vincent Herbulot 63426793ef Use vars_get instead of direct URI concatenation 2014-10-02 11:03:12 +02:00
HD Moore 0380c5e887 Add CVE-2014-6278 support, lands #3932 2014-10-01 18:25:41 -05:00
William Vu c1b0acf460
Add CVE-2014-6278 support to the exploit module
Same thing.
2014-10-01 17:58:25 -05:00
Tod Beardsley 4fbab43f27
Release fixes, all titles and descs 2014-10-01 14:26:09 -05:00
William Vu de65ab0519
Fix broken check in exploit module
See 71d6b37088.
2014-09-29 23:03:09 -05:00
William Vu df44dfb01a
Add OSVDB and EDB references to Shellshock modules 2014-09-29 21:39:07 -05:00
sinn3r 8f3e03d4f2
Land #3903 - ManageEngine OpManager / Social IT Arbitrary File Upload 2014-09-29 17:53:43 -05:00
Pedro Ribeiro 533b807bdc Add OSVDB id 2014-09-29 21:52:44 +01:00
us3r777 7125a9f047 Added YARD doc to the mixin
Also make a slight correction on jboss_deployementfilerepository.rb to
handle nil responses.
2014-09-28 19:44:37 +02:00
Spencer McIntyre fe12ed02de Support a user defined header in the exploit too 2014-09-27 18:58:53 -04:00
Pedro Ribeiro f20610a657 Added full disclosure URL 2014-09-27 21:34:57 +01:00
Pedro Ribeiro 030aaa4723 Add exploit for CVE-2014-6034 2014-09-27 19:33:49 +01:00
jvazquez-r7 0a3735fab4 Make it better 2014-09-26 16:01:10 -05:00
jvazquez-r7 3538b84693 Try to make a better check 2014-09-26 15:55:26 -05:00
jvazquez-r7 ad864cc94b Delete unnecessary code 2014-09-25 16:18:01 -05:00
jvazquez-r7 9245bedf58 Make it more generic, add X86_64 target 2014-09-25 15:54:20 -05:00
jvazquez-r7 d8c03d612e Avoid failures due to bad payload selection 2014-09-25 13:49:04 -05:00
jvazquez-r7 91e5dc38bd Use datastore timeout 2014-09-25 13:36:05 -05:00
jvazquez-r7 8a43d635c3 Add exploit module for CVE-2014-6271 2014-09-25 13:26:57 -05:00
us3r777 919eec250d Refactor auto_target from Jboss mixin
Removed fail_with and targets from the mixin.
2014-09-24 22:15:32 +02:00
sinn3r 3e09283ce5
Land #3777 - Fix struts_code_exec_classloader on windows 2014-09-16 13:09:58 -05:00
sinn3r 158d4972d9 More references and pass msftidy 2014-09-16 12:54:27 -05:00
Vincent Herbulot 7a7b6cb443 Some refactoring
Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
2014-09-16 17:49:45 +02:00
us3r777 4c615ecf94 Module for CVE-2014-5519, phpwiki/ploticus RCE 2014-09-16 00:09:41 +02:00
jvazquez-r7 373eb3dda0 Make struts_code_exec_classloader to work on windows 2014-09-10 18:00:16 -05:00
sinn3r 0a6ce1f305
Land #3727 - SolarWinds Storage Manager exploit AND Msf::Payload::JSP 2014-09-09 17:21:03 -05:00
sinn3r 75269fd0fa Make sure we're not doing a 'negative' timeout 2014-09-09 11:26:49 -05:00
us3r777 b8ba2dd703 Fix timeout with HEAD request in delete_file 2014-09-08 18:34:50 +02:00
us3r777 cc5b852517 Fixed spec for lib/msf/http/jboss
Revert commit abdd72e8c6.
Added some spec for lib/msf/http/jboss/deployment_file_repository_scripts
2014-09-08 17:42:04 +02:00
Vincent Herbulot 283e83028f Fix problem with HEAD requests
Split lib/msf/http/jboss/script into
lib/msf/http/jboss/deployment_file_repository_scripts.rb and
lib/msf/http/jboss/bean_shell_scripts.rb as
2014-09-08 14:02:15 +02:00
Pedro Ribeiro ded085f5cc Add CVE ID 2014-09-03 07:22:10 +01:00
Pedro Ribeiro c672fad9ef Add OSVDB ID, remove comma from Author field 2014-09-02 23:17:10 +01:00
Pedro Ribeiro d480a5e744 Credit h0ng10 properly 2014-09-01 07:58:26 +01:00
Pedro Ribeiro 59847eb15b Remove newline at the top 2014-09-01 07:56:53 +01:00
Pedro Ribeiro 6a370a5f69 Add exploit for eventlog analyzer file upload 2014-09-01 07:56:01 +01:00
jvazquez-r7 c05edd4b63 Delete debug print_status 2014-08-31 01:34:47 -05:00
jvazquez-r7 559ec4adfe Add module for ZDI-14-299 2014-08-31 01:11:46 -05:00
us3r777 403eae3579 Jboss file deployment repository refactorization
Moved lib/msf/http/jboss/bean_shell_script.rb to
lib/msf/http/jboss/script.rb. Moved head_stager_jsp to script.rb.
Removed stager_jsp to use the function from the mixin.
2014-08-30 13:15:37 +02:00
us3r777 33f90de7f6 Refactoring jboss module to work with the Mixin
Moved upload and delete methods of deploymentfilerepository to the
mixin. Removed call_uri_mtimes method as the module now uses deploy
from the mixin.
2014-08-29 20:08:35 +02:00
us3r777 af9f3b83a7 Refactoring jboss module to work with the Mixin
Removed datastore USERNAME and PASSWORD which are provided by
Msf::Exploit::Remote::HttpClient. Removed datastore PATH and VERB which
are provided by the mixin (lib/msf/http/jboss). Moved target detection
to the mixin.
2014-08-27 22:54:40 +02:00
Pedro Ribeiro a8d03aeb59 Fix bug with PMP db paths 2014-08-26 12:54:31 +01:00
Pedro Ribeiro 473341610c Update name to mention DC; correct servlet name 2014-08-26 12:39:48 +01:00
jvazquez-r7 0031913b34 Fix nil accesses 2014-08-22 16:19:11 -05:00
jvazquez-r7 38e6576990 Update 2014-08-22 13:22:57 -05:00
jvazquez-r7 cf147254ad Use snake_case in the filename 2014-08-22 11:44:35 -05:00
jvazquez-r7 823649dfa9 Clean exploit, just a little 2014-08-22 11:43:58 -05:00
jvazquez-r7 9815b1638d Refactor pick_target 2014-08-22 11:31:06 -05:00
jvazquez-r7 ecace8beec Refactor check method 2014-08-22 11:05:36 -05:00
jvazquez-r7 ced65734e9 Make some datastore options advanced 2014-08-22 10:26:04 -05:00
jvazquez-r7 b4e3e84f92 Use CamelCase for target keys 2014-08-22 10:23:36 -05:00
jvazquez-r7 b58550fe00 Indent description and fix title 2014-08-22 10:21:08 -05:00
Pedro Ribeiro da752b0134 Add exploit for CVE-2014-3996 2014-08-21 15:30:28 +01:00
Tod Beardsley cad281494f
Minor caps, grammar, desc fixes 2014-08-18 13:35:34 -05:00
Tod Beardsley 904c1b20b1
Land #3654, update to 4.10-dev (electro) 2014-08-15 12:51:28 -05:00
Samuel Huckins 149c3ecc63
Various merge resolutions from master <- staging
* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
2014-08-15 11:33:31 -05:00
jvazquez-r7 4e0f6dfcc7 Do minor cleanup 2014-08-15 09:10:08 -05:00
kaospunk 5ed3e6005a Implement suggestions
This commit addresses feedback such as adding a check
function and changing the login fail case by being
more specific on what is checked for. The failing
ARCH_CMD payloads were addressed by adding BadChars.
Last, an ARCH_PYTHON target was added based on
@zerosteiner's feedback.
2014-08-13 20:26:48 -04:00
kaospunk 4e6a04d3ad Modifications for login and key addition
This commit adds additional support for logging in
on multiple versions of Gitlab as well as adding a
key to exploit the vulnerability.
2014-08-11 19:54:10 -04:00
kaospunk a995bcf2ef Fix URI building and failure cases
This update uses the normalize_uri method for building
URIs. Additionally, failure cases have been modified
for a less generic version.
2014-08-10 19:53:33 -04:00
kaospunk 48359faaaf Add gitlab-shell command injection module
This request adds a module for gitlab-shell command
injection for versions prior to 1.7.4. This has been
tested by installing version 7.1.1 on Ubuntu and then
using information at http://intelligentexploit.com/view-details.html?id=17746
to modify the version of gitlab-shell to a vulnerable one. This
was done as I could not find a better method for downloading
and deploying an older, vulnerable version of Gitlab.
2014-08-05 23:21:57 -04:00
jvazquez-r7 73ca8c0f6d Work on jboss refactoring 2014-08-01 14:28:26 -05:00
us3r777 9e9244830a Added spec for lib/msf/http/jboss
Also renamed get_undeploy_bsh and get_undeploy_stager to
gen_undeploy_bsh and gen_undeploy_stager to be consistent
with the other functions
2014-07-29 01:57:04 +02:00
us3r777 cd2ec0a863 Refactored jboss mixin and modules
Moved fail_with() from mixin to modules. Added PACKAGE datastore to
lib/msf/http/jboss/bsh.rb.
2014-07-24 22:58:58 +02:00
us3r777 b526fc50f8 Refactored jboss mixin and modules
Moved VERB option to the mixin. Replaced "if datastore['VERBOSE']"
by vprint_status().
2014-07-22 23:08:42 +02:00
us3r777 ae2cd63391 Refactored Jboss mixin
Moved TARGETURI option to the JBoss mixin. The mixin now includes
Msf::Exploit::Remote::HttpClient which provides USERNAME and PASSWORD
2014-07-21 23:41:58 +02:00
us3r777 088f208c7c Added auxiliary module jboss_bshdeployer
The module allows to deploy a WAR (a webshell for instance) using the
BSHDeployer.
Also refactored modules/exploits/multi/http/jboss_bshdeployer.rb to
use the new Mixin (lib/msf/http/jboss).
2014-07-18 11:51:46 +02:00
us3r777 58adc350b5 Refactor: Creation of a JBoss mixin
The jboss_bsheployer as is does not allow to deploy a custom WAR file.
It is convenient when ports are blocked to be able to deploy a webshell
instead of just launching a payload. This will require a auxiliary
module which will use the JBoss mixin methods.
2014-07-18 00:56:32 +02:00
Vincent Herbulot bea660ad4d Added possibility to upload a custom WAR file
Added 2 options, one for uploading a custom WAR file. The other
to specify if you want or not to undeploy the war at the end of
the exploit.
The module as is does not allow to deploy a custom WAR file. It is
convenient when ports are blocked to be able to deploy a webshell
instead of just launching a payload.
2014-07-17 17:13:19 +02:00
Rob Fuller 755dec1629 msftidy up splunk_upload_app_exec 2014-07-10 00:24:48 -04:00
Gary Blosser c14b96f02e Add #3463 commits from @ghost 2014-07-09 17:56:06 -04:00
Spencer McIntyre 748589f56a Make cmdstager flavor explicit or from info
Every module that uses cmdstager either passes the flavor
as an option to the execute_cmdstager function or relies
on the module / target info now.
2014-06-28 17:40:49 -04:00
Spencer McIntyre 219153c887 Raise NotImplementedError and let :flavor be guessed 2014-06-27 08:34:56 -04:00
jvazquez-r7 870fa96bd4 Allow quotes in CmdStagerFlavor metadata 2014-06-27 08:34:56 -04:00
jvazquez-r7 91e2e63f42 Add CmdStagerFlavor to metadata 2014-06-27 08:34:55 -04:00
jvazquez-r7 9e413670e5 Include the CMDStager 2014-06-27 08:34:55 -04:00
jvazquez-r7 d47994e009 Update modules to use the new generic CMDstager mixin 2014-06-27 08:34:55 -04:00
jvazquez-r7 8bf36e5915 AutoDetection should work 2014-06-27 08:34:55 -04:00
jvazquez-r7 7ced5927d8 Use One CMDStagermixin 2014-06-27 08:34:55 -04:00
Spencer McIntyre 2a442aac1f No long needs to extend bourne, and specify a flavor. 2014-06-27 08:34:55 -04:00
Spencer McIntyre 1a392e2292 Multi-fy the hyperic_hq_script_console exploit. 2014-06-27 08:34:55 -04:00
Spencer McIntyre ae25c300e5 Initial attempt to unify the command stagers. 2014-06-27 08:34:55 -04:00
jvazquez-r7 191c871e9b [SeeRM #8815] Dont try to exploit when generate_payload_exe fails 2014-06-20 14:07:49 -05:00
Christian Mehlmauer 8e1949f3c8
Added newline at EOF 2014-06-17 21:03:18 +02:00
OJ b710014ece
Land #3435 -- Rocket Servergraph ZDI-14-161/162 2014-06-17 18:06:03 +10:00
HD Moore 0bac24778e Fix the case statements to match platform 2014-06-11 15:22:55 -05:00
HD Moore d5b32e31f8 Fix a typo where platform was 'windows' not 'win'
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
jvazquez-r7 e4d14194bb Add module for Rocket Servergraph ZDI-14-161 and ZDI-14-162 2014-06-08 11:07:10 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
Christian Mehlmauer df97c66ff5
Fixed check 2014-05-24 00:37:52 +02:00
Christian Mehlmauer 8d4d40b8ba
Resolved some Set-Cookie warnings 2014-05-24 00:34:46 +02:00
Tod Beardsley efffbf751a
PHP module shouldnt zap CMD option (@wchen-r7)
As far as I can tell, there is no purpose for this cleanup. No other CMD
exec module takes pains to clear out CMD after run, and it looks like a
bad idea -- what happens when you rexploit?
2014-05-23 15:09:18 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
Jeff Jarmoc 638ae477d9 Fix up spec. Rex::Proto::Http::ClientRequest handles & and = outside of Rex::Text::uri_encode, so mode doesn't affect them.
Fix erroneous typo char.
2014-05-12 12:10:30 -05:00
Jeff Jarmoc 5f523e8a04 Rex::Text::uri_encode - make 'hex-all' really mean all.
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes'  It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
Christian Mehlmauer dee6b53175 fix java payload struts module 2014-05-10 00:19:40 +02:00
jvazquez-r7 38f3a19673 Try to beautify description 2014-05-09 14:35:06 -05:00
Christian Mehlmauer 43a85fc645 additional GET parameters 2014-05-09 21:21:04 +02:00
Christian Mehlmauer ad83921a85 additional GET parameters 2014-05-09 21:15:28 +02:00
Christian Mehlmauer 53fde675e7 randomize meh parameter 2014-05-09 10:38:19 +02:00
Christian Mehlmauer a3fff5401f more code cleanup 2014-05-08 23:05:41 +02:00
Christian Mehlmauer e7b7af2f75 fixed apache struts module 2014-05-08 22:15:52 +02:00
Tod Beardsley 3536ec9a74
Description update 2014-05-05 13:43:44 -05:00
Christian Mehlmauer 073adc759d
Land #3334, fix author by @julianvilas 2014-05-04 21:30:53 +02:00
Julian Vilas dd7705055b Fix author 2014-05-04 19:31:53 +02:00
julianvilas 36f9f342c1 Fix typo 2014-05-02 16:26:08 +02:00
jvazquez-r7 3dd3ceb3a9 Refactor code 2014-05-01 18:04:37 -05:00
jvazquez-r7 b7ecf829d3 Do first refactor 2014-05-01 16:39:53 -05:00
jvazquez-r7 195005dd83 Do minor style changes 2014-05-01 15:25:55 -05:00
jvazquez-r7 140c8587e7 Fix metadata 2014-05-01 15:24:16 -05:00