William Vu
b794bfe5db
Land #8335, rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
Bryan Chu
88bef00f61
Add more ranks, remove module warnings
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
Jeffrey Martin
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
Jeffrey Martin
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
Gabriel Follon
a8983c831d
Updated links and authors
2017-05-04 18:25:45 -04:00
Gabriel Follon
afe801b9e8
Updated target to 'universal'
2017-05-04 16:25:41 +02:00
Gabriel Follon
073cd59cd3
Added qmail_bash_env_exec exploit module, which exploits the ShellShock flaw via Qmail.
2017-05-04 15:44:18 +02:00
William Vu
64452de06d
Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
William Vu
03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory
2017-05-01 16:23:14 -05:00
HD Moore
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
James Lee
bdeeb8ee1d
Add a check
2017-04-18 16:32:06 -05:00
William Vu
06ca406d18
Fix weird whitespace
2017-04-09 22:23:58 -05:00
Christian Mehlmauer
74dc7e478f
update piwik module
2017-04-05 20:19:07 +02:00
Christian Mehlmauer
baa473a1c6
add piwik superuser plugin upload module
2017-02-11 00:20:50 +01:00
William Vu
934b05e736
Land #7310, at(1) persistence module
2016-12-22 03:33:58 -06:00
William Vu
b65a62ba93
Clean up module
2016-12-22 03:33:08 -06:00
wchen-r7
41355898fa
Remove extra def report_cred in vbulletin_vote_sqli_exec
2016-12-01 15:31:24 -06:00
Brent Cook
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
wchen-r7
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
OJ
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
dmohanty-r7
d918e25bde
Land #7439, Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
OJ
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
William Vu
1da40b5deb
Change HAVE_POPEN to USE_POPEN
PS target doesn't support it, so the option should be renamed.
2016-10-14 11:58:39 -05:00
Brent Cook
acec45c8b3
Land #7409, CVE-2013-5093 Graphite Pickle Handling - Add Version Check
2016-10-14 08:54:57 -05:00
William Vu
5b46e72aea
Update module logic
2016-10-13 17:40:16 -05:00
William Vu
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
William Vu
e70ba8110d
Update references
2016-10-13 17:35:55 -05:00
William Vu
88bb2e2295
Update description
2016-10-13 17:35:30 -05:00
h00die
7c20f20493
remove unneeded bash
2016-10-07 21:12:27 -04:00
funkypickle
fb0a438fdf
Perform a version check to determine exploitability for graphite pickle
2016-10-05 16:08:02 -07:00
William Vu
f60d575d62
Add EOF newline back in
2016-10-04 11:14:15 -05:00
wchen-r7
b1cb153c31
Make errors more meaningful
2016-10-03 15:29:40 -05:00
wchen-r7
f838c9990f
Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
If WordPress saves the nonce value in JavaScript, we could get an undefined method for nil.
2016-09-27 11:30:52 -05:00
David Maloney
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
h00die
3bc566a50c
fix email
2016-09-18 20:09:38 -04:00
William Vu
a7103f2155
Fix missing form inputs
Also improve check string.
2016-09-15 19:19:24 -05:00
William Webb
01327f0265
Land #7245, NetBSD mail.local privilege escalation module
2016-09-14 16:07:12 -05:00
James Lee
27be29edb4
Fix typo
2016-09-14 13:21:37 -05:00
Brent Cook
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
wchen-r7
ed5bbb9885
Land #7284, Add SugarCRM REST PHP Object Injection exploit
2016-09-13 15:46:46 -05:00
wchen-r7
a0095ad809
Check res properly and update Ruby syntax
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
nixawk
1ce9aedb97
parenthesis for condition expression
2016-09-13 03:37:47 -05:00
nixawk
fd16c1c3b7
Fix issue-7295
2016-09-13 01:32:20 -05:00
EgiX
df5fdbff41
Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
h00die
748c959cba
forgot to save before PR
2016-08-25 21:45:17 -04:00
h00die
5dff01625d
working code
2016-08-25 21:32:25 -04:00
Pearce Barry
226ded8d7e
Land #6921, Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
h00die
f2e2cb6a5e
can't transfer file
2016-08-21 19:42:29 -04:00
h00die
6306fa5aa5
Per discussion in #7195, trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ASCII file, then compile on system (gcc is installed by default I believe).
2016-08-21 19:16:04 -04:00
William Vu
4228868c29
Clean up after yourself
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
William Vu
1f63f8f45b
Don't override payload
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
William Vu
b3402a45f7
Add generic payloads
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
William Vu
2fed51bb18
Land #7115, Drupal CODER exploit
2016-08-15 01:15:23 -05:00
William Vu
62d28f10cb
Clean up Mehmet modules
2016-08-15 01:12:58 -05:00
Mehmet Ince
b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd
2016-08-13 00:14:25 +03:00
Mehmet Ince
d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log.
2016-08-12 23:35:29 +03:00
Mehmet Ince
ba79579202
Extending Space limitation up to 250
2016-08-12 22:32:49 +03:00
Brent Cook
abf435d6c2
Land #6960, Auth bypass for Polycom HDX video endpoints
2016-08-01 14:02:50 -05:00
Brent Cook
5309f2e4fb
endpoints, not end points
2016-08-01 14:02:17 -05:00
Brent Cook
b34201e65c
restore session as an instance variable
2016-08-01 13:58:54 -05:00
Mehmet Ince
dadafd1fdf
Use data:// instead of bogus web server and check() improvements.
2016-07-26 13:31:46 +03:00
Mehmet Ince
780e83dabb
Fix for Opt params and Space limits
2016-07-22 20:48:15 +03:00
Mehmet Ince
7e9c5f9011
Fix for double space and indentation
2016-07-21 20:27:52 +03:00
Mehmet Ince
634ee93de4
Add Drupal CODER remote command execution
2016-07-21 20:23:54 +03:00
William Vu
32f1c83c9e
Switch to single quotes
Might as well, since we're avoiding escaping.
2016-07-21 00:10:17 -05:00
William Vu
2e631cab5b
Prefer quoting over escaping
Having to escape backslashes in a single-quoted string sucks.
2016-07-21 00:02:08 -05:00
William Vu
c6b309d5c9
Fix drupal_restws_exec check method false positive
2016-07-20 23:28:49 -05:00
William Vu
8bd6db8bd7
Land #7108, Drupal RESTWS exploit
2016-07-20 13:49:37 -05:00
William Vu
b49a847c98
Fix additional things
2016-07-20 13:49:23 -05:00
Mehmet Ince
51bb950201
Avoid return where not required
2016-07-20 21:27:51 +03:00
Mehmet Ince
b0a0544627
Remove random string from URI
2016-07-20 20:50:10 +03:00
James Lee
ff63e6e05a
Land #7018, unvendor net-ssh
2016-07-19 17:06:35 -05:00
Mehmet Ince
089816236d
Remove double spaces and fix checkcode
2016-07-20 00:01:25 +03:00
Mehmet Ince
9c8e351ba8
Use vars_get in send_request_cgi
2016-07-19 20:12:14 +03:00
Mehmet Ince
ec2f8fcc71
Change check method and use meterpreter instead of unix cmd
2016-07-19 11:13:06 +03:00
Mehmet Ince
650034b600
Use normalize_uri params instead of string concatenation
2016-07-19 01:01:05 +03:00
Mehmet Ince
c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec
2016-07-18 21:32:10 +03:00
Brent Cook
b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
David Maloney
b6b52952f4
set ssh to non-interactive
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
David Maloney
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
William Vu
b2c3267a2a
Land #7042, fetch_ninja_form_nonce/wponce fix
2016-07-13 11:38:11 -05:00
William Vu
f164afaef8
Land #6932, joomla_contenthistory_sqli_rce fixes
2016-07-12 14:26:49 -05:00
William Vu
310332b521
Clean up module
2016-07-12 11:17:10 -05:00
wchen-r7
b869b890c7
Land #7090, Add module for Tikiwiki Upload Exec
2016-07-12 11:16:50 -05:00
wchen-r7
2471e8bc8c
Add FileDropper to cleanup properly
2016-07-12 11:16:18 -05:00
Mehmet Ince
43833c8756
Fixing double normalize function call
2016-07-12 07:30:18 +03:00
Brent Cook
2b016e0216
Land #6812, remove broken OSVDB references
2016-07-11 22:59:11 -05:00
Mehmet Ince
fc56ab6722
Fixing some coding style because of rubocop
2016-07-11 23:10:18 +03:00
Mehmet Ince
e79c3ba7c0
Tiki Wiki unauth rce
2016-07-11 22:44:07 +03:00
wchen-r7
1ecef265a1
Do a fail_with in case nonce is not found at all
2016-06-30 11:21:45 -05:00
wchen-r7
e2b9225907
Fix #7022, Failing to find wpnonce in fetch_ninja_form_nonce
This patch fixes a problem when the module is used against an older version of Ninja Forms (such as 2.9.27): the nonce is found in a hidden input instead of in the JavaScript code, which causes an undefined method 'gsub' bug in the module.
Fix #7022
2016-06-30 11:15:38 -05:00
David Maloney
3d93c55174
move sshfactory into a mixin method
Use a convenience method to DRY up creation of the SSHFactory inside modules. This will make it easier to apply changes as needed in the future. Also changed the msframework attr to just framework, as per our normal convention.
MS-1688
2016-06-28 15:23:12 -05:00
David Maloney
6c3871bd0c
update ssh modules to use new SSHFactory
Updated all of our SSH-based modules to use the new SSHFactory class to plug Rex::Sockets into Net::SSH.
MS-1688
2016-06-24 13:55:28 -05:00
h00die
baa603b637
wvu-r7 rex sleep suggestions
2016-06-15 20:41:25 -04:00
h00die
16b4829d57
fixed socket.get issue
2016-06-09 21:36:21 -04:00
h00die
63db330a02
rubocop fixes, msftidy fixes
2016-06-09 21:03:57 -04:00
h00die
027f538300
original from EDB
2016-06-09 20:35:00 -04:00
amarionette
4354b5d5d6
Changed class from Metasploit3 to MetasploitModule
2016-06-03 17:43:41 -07:00
amarionette
99790e343d
Removed debug statement
2016-06-03 17:36:00 -07:00
William Vu
9128ba3e57
Add popen() vuln to ImageMagick exploit
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00