Michael Messner
10baf1ebb6
echo stager
2015-05-23 15:50:35 +02:00
Tod Beardsley
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
m-1-k-3
c7e05448e7
various MIPS vs MIPSBE fixes
2015-05-04 12:55:21 +02:00
m-1-k-3
53043dcbbc
make msftidy happy
2015-05-03 18:14:51 +02:00
m-1-k-3
6fbce56a52
realtek upnp command injection
2015-05-03 18:09:22 +02:00
jvazquez-r7
1bc6822811
Delete Airties module
2015-05-22 11:57:45 -05:00
jvazquez-r7
70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof
2015-05-22 11:57:19 -05:00
m-1-k-3
d8b8017e0b
remove debugging
2015-04-27 06:36:34 +02:00
m-1-k-3
8db88994ac
fingerprint, title
2015-04-27 06:34:46 +02:00
m-1-k-3
285d767e20
initial commit of UPnP exploit for Airties devices
2015-04-27 05:34:30 +02:00
m-1-k-3
f5b0a7e082
include rop gadget description
2015-04-23 00:11:02 +02:00
m-1-k-3
1ec0e09a43
msftidy
2015-04-22 10:32:47 +02:00
m-1-k-3
58099d0469
airties login bof module
2015-04-22 10:21:58 +02:00
jvazquez-r7
3f40342ac5
Fix sock_sendpage
2015-04-21 14:17:19 -05:00
jvazquez-r7
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
jvazquez-r7
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
Michael Messner
b991dec0f9
Dlink UPnP SOAP-Header Injection
2015-04-17 22:54:32 +02:00
wchen-r7
4f903a604c
Fix #5103 , Revert unwanted URI encoding
...
Fix #5103 . By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
Christian Mehlmauer
153344a1dd
fix Unkown typo
2015-04-16 23:59:28 +02:00
Christian Mehlmauer
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
Christian Mehlmauer
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
Christian Mehlmauer
a193ae42b0
moar fail_with's
2015-04-16 21:25:05 +02:00
Christian Mehlmauer
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
Christian Mehlmauer
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
jvazquez-r7
ef6bf54e2f
Fix metadata
2015-04-15 09:22:59 -05:00
jvazquez-r7
1da6b32df7
Land #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
...
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
jvazquez-r7
6019bbe0d2
Add ranking comment
2015-04-15 09:12:03 -05:00
jvazquez-r7
ad465c4d5b
Do code cleanup
2015-04-15 09:10:18 -05:00
Tod Beardsley
11057e5b3b
Fix up the last couple from Tenable, missed last
...
[See #5012 ]
2015-04-02 15:27:46 -05:00
Tod Beardsley
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
Tod Beardsley
b17727d244
Switching to privileged => false
2015-04-01 14:35:45 -05:00
Tod Beardsley
0825534d2c
Fix reference
2015-04-01 14:16:45 -05:00
Tod Beardsley
8ec71e9daf
Add a module for R7-2015-05
2015-04-01 14:05:41 -05:00
m-1-k-3
d81a246660
target_uri
2015-03-26 12:16:20 +01:00
m-1-k-3
b7f469b747
feedback
2015-03-26 07:39:36 +01:00
Tod Beardsley
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
jvazquez-r7
2d1adf6ef4
Land #4923 , @m-1-k-3's exploit for overflow on belkin routers
2015-03-22 02:05:35 -05:00
jvazquez-r7
ee74bb3c5b
The default concat operator should be ok
2015-03-22 02:05:02 -05:00
jvazquez-r7
5499b68e02
Do code cleanup
2015-03-22 01:58:32 -05:00
sinn3r
1b67a06d35
No banner var
2015-03-20 02:26:59 -05:00
sinn3r
b55ffc9ff1
Change option to FORCE_EXPLOIT
2015-03-20 01:44:10 -05:00
sinn3r
d8539ef91a
Change datastore option's description
2015-03-19 12:22:42 -05:00
sinn3r
a2ba81f84f
This should be true (required)
2015-03-19 11:54:03 -05:00
sinn3r
d8c8bd1669
Move the details to a wiki
2015-03-19 11:52:17 -05:00
sinn3r
968a8758ad
Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
...
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
Sven Vetsch
4d3a1a2f71
fix all duplicated keys in modules
2015-03-14 13:10:42 +01:00
m-1-k-3
819a49b28a
msftidy again
2015-03-12 19:09:52 +01:00
m-1-k-3
2eab258a76
msftidy
2015-03-12 19:07:56 +01:00
m-1-k-3
ccf7314c8f
msftidy
2015-03-12 19:05:21 +01:00
m-1-k-3
6fcab31997
ncc exploit CVE-2015-1187 - dir626l
2015-03-12 18:55:50 +01:00
m-1-k-3
64f769504b
encoding
2015-03-10 17:47:15 +01:00
m-1-k-3
6657c7d11d
Belkin - CVE-2014-1635
2015-03-10 16:49:51 +01:00
William Vu
ecd7ae9c3b
Land #4857 , symantec_web_gateway_restore module
2015-03-02 15:00:10 -06:00
sinn3r
ad28f9767f
Use include
2015-03-02 14:41:25 -06:00
sinn3r
cb140434f9
Update
2015-03-02 12:59:21 -06:00
OJ
905a539a00
Add exploit for Seagate Business NAS devices
...
This module is an exploit for a pre-authenticated remote code execution
vulnerability in Seagate Business NAS products.
2015-03-01 13:25:28 +10:00
sinn3r
4a1fbbdc3b
Use datastore to find payload name
2015-02-28 19:56:32 -06:00
sinn3r
ef9196ba6c
Correct comment
2015-02-27 13:27:49 -06:00
sinn3r
7b6c39058a
Correct target name
2015-02-27 13:24:57 -06:00
sinn3r
90aff51676
Add CVE-2014-7285, Symantec Web Gateway restore.php Command Injection
2015-02-27 12:31:29 -06:00
jvazquez-r7
0372b08d83
Fix mixin usage on modules
2015-02-13 17:17:59 -06:00
Tod Beardsley
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
jvazquez-r7
b61538e980
Land #4291 , @headlesszeke's module for ARRIS VAP2500 command execution
2015-01-21 20:52:31 -06:00
jvazquez-r7
33195caff2
Mark compatible payloads
2015-01-21 20:52:04 -06:00
jvazquez-r7
500d7159f1
Use PAYLOAD instead of CMD
2015-01-21 20:49:05 -06:00
jvazquez-r7
f37ac39b4c
Split exploit cmd vs exploit session
2015-01-21 20:46:37 -06:00
jvazquez-r7
e1d1ff17fd
Change failure code
2015-01-21 20:38:33 -06:00
jvazquez-r7
169052af5c
Use cookie option
2015-01-21 20:37:38 -06:00
sinn3r
d45cdd61aa
Resolve #4507 - respond_to? + send = evil
...
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve #4507
2015-01-02 13:29:17 -06:00
Tod Beardsley
264d3f9faa
Minor grammar fixes on modules
2014-12-31 11:45:14 -06:00
jvazquez-r7
121c0406e9
Beautify restart_command creation
2014-12-24 15:52:15 -06:00
jvazquez-r7
43ec8871bc
Do minor c code cleanup
2014-12-24 15:45:38 -06:00
jvazquez-r7
92113a61ce
Check payload
2014-12-24 15:43:49 -06:00
jvazquez-r7
36ac0e6279
Clean get_restart_commands
2014-12-24 14:55:18 -06:00
jvazquez-r7
92b3505119
Clean exploit method
2014-12-24 14:49:19 -06:00
jvazquez-r7
9c4d892f5e
Use single quotes when possible
2014-12-24 14:37:39 -06:00
jvazquez-r7
bbbb917728
Do style cleaning on metadata
2014-12-24 14:35:35 -06:00
jvazquez-r7
af24e03879
Update from upstream
2014-12-24 14:25:25 -06:00
Tod Beardsley
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart
65b316cd8c
Land #4372
2014-12-11 18:48:16 -08:00
Christian Mehlmauer
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
Christian Mehlmauer
de88908493
code style
2014-12-11 23:30:20 +01:00
headlesszeke
8d1ca872d8
Now with logging of command response output
2014-12-05 10:58:40 -06:00
Tod Beardsley
79f2708a6e
Slight fixes to grammar/desc/whitespace
...
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
headlesszeke
564488acb4
Changed and to &&
2014-12-02 00:02:53 -06:00
headlesszeke
280e10db55
Add module for Arris VAP2500 Remote Command Execution
2014-12-01 23:07:56 -06:00
Rasta Mouse
985838e999
Suggestions from OJ
2014-11-27 21:38:50 +00:00
Rasta Mouse
25ecf73d7d
Add configurable directory, rather than relying on the session working
...
directory.
2014-11-27 17:12:37 +00:00
OJ
75e5553cd4
Change to in exploit
2014-11-26 16:53:30 +10:00
jvazquez-r7
9524efa383
Fix banner
2014-11-25 23:14:20 -06:00
jvazquez-r7
16ed90db88
Delete return keyword
2014-11-25 23:11:53 -06:00
jvazquez-r7
85926e1a07
Improve check
2014-11-25 23:11:32 -06:00
jvazquez-r7
5a2d2914a9
Fail on upload errors
2014-11-25 22:48:57 -06:00
jvazquez-r7
b24e641e97
Modify exploit logic
2014-11-25 22:11:43 -06:00
jvazquez-r7
4bbadc44d6
Use Msf::Exploit::FileDropper
2014-11-25 22:00:42 -06:00
jvazquez-r7
7fbd5b63b1
Delete the Rex::MIME::Message gsub
2014-11-25 21:54:50 -06:00
jvazquez-r7
eaa41e9a94
Added reference
2014-11-25 21:37:04 -06:00
jvazquez-r7
2c207597dc
Use single quotes
2014-11-25 18:30:25 -06:00
jvazquez-r7
674ceeed40
Do minor cleanup
2014-11-25 18:26:41 -06:00
jvazquez-r7
6ceb47619a
Change module filename
2014-11-25 18:09:15 -06:00
jvazquez-r7
1305d56901
Update from upstream master
2014-11-25 18:07:13 -06:00
Mark Schloesser
9e9954e831
fix placeholder to show the firmware version I used
2014-11-19 21:23:39 +01:00
Mark Schloesser
a718e6f83e
add exploit for r7-2014-18 / CVE-2014-4880
2014-11-19 21:07:02 +01:00
HD Moore
6b4eb9a8e2
Differentiate failed binds from connects, closes #4169
...
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:
1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.
Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Joe Vennix
c6bbc5bccf
Merge branch 'landing-4055' into upstream-master
2014-10-28 11:18:20 -05:00
Luke Imhoff
216360d664
Add missing require
...
MSP-11145
2014-10-27 15:19:59 -05:00
sinn3r
7cb4320a76
Land #3561 - unix cmd generic_sh encoder
2014-10-23 15:48:00 -05:00
sinn3r
13fd6a3374
Land #4046 - Centreon SQL and Command Injection
2014-10-23 13:17:00 -05:00
sinn3r
ce841e57e2
Rephrase about centreon.session
2014-10-23 13:15:55 -05:00
sinn3r
889045d1b6
Change failure message
2014-10-23 12:55:27 -05:00
William Vu
d5b698bf2d
Land #3944 , pkexec exploit
2014-10-17 16:30:55 -05:00
jvazquez-r7
7652b580cd
Beautify description
2014-10-17 15:31:37 -05:00
jvazquez-r7
d831a20629
Add references and fix typos
2014-10-17 15:29:28 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
0a2940
e689a0626d
Use Rex.sleep :-)
...
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"
user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
sinn3r
c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution
2014-10-08 00:30:07 -05:00
jvazquez-r7
299d9afa6f
Add module for centreon vulnerabilities
2014-10-07 14:40:51 -05:00
jvazquez-r7
3daa1ed4c5
Avoid changing modules indentation in this pull request
2014-10-07 10:41:25 -05:00
jvazquez-r7
341d8b01cc
Favor echo encoder for back compatibility
2014-10-07 10:24:32 -05:00
jvazquez-r7
0089810026
Merge to update
2014-10-06 19:09:31 -05:00
jvazquez-r7
212762e1d6
Delete RequiredCmd for unix cmd encoders, favor EncoderType
2014-10-06 18:42:21 -05:00
0a2940
f2b9aeed74
typo
2014-10-03 11:02:56 +01:00
0a2940
f60f6d9c92
add exploit for CVE-2011-1485
2014-10-03 10:54:43 +01:00
Brandon Perry
2c9446e6a8
Update f5_icontrol_exec.rb
2014-10-02 17:56:24 -05:00
Tod Beardsley
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
William Vu
039e544ffa
Land #3925 , rm indeces_enum
...
Deprecated.
2014-09-30 17:45:38 -05:00
Brandon Perry
161a145ec2
Create f5_icontrol_exec.rb
2014-09-27 10:40:13 -05:00
jvazquez-r7
f2cfbebbfb
Add module for ZDI-14-305
2014-09-24 00:22:16 -05:00
Jon Hart
495e1c14a1
Land #3721 , @brandonprry's module for Railo CVE-2014-5468
2014-09-09 19:10:46 -07:00
Jon Hart
26d8432a22
Minor style and usability changes to @brandonprry's #3721
2014-09-09 19:09:45 -07:00
Brandon Perry
db6052ec6a
Update check method
2014-09-09 18:51:42 -05:00
Jakob Lell
3e57ac838c
Converted LD_PRELOAD library from precompiled binary to metasm code.
2014-09-04 21:49:55 +02:00
Brandon Perry
ee3e5c9159
Add check method
2014-09-02 21:35:47 -05:00
Brandon Perry
438f0e6365
typos
2014-08-30 09:22:58 -05:00
Brandon Perry
f72cce9ff2
Update railo_cfml_rfi.rb
2014-08-29 17:33:15 -05:00
Brandon Perry
f4965ec5cf
Create railo_cfml_rfi.rb
2014-08-28 08:42:07 -05:00
Jakob Lell
052327b9c6
Removed redundant string "linux_" from exploit name
2014-08-27 23:33:15 +02:00
Jakob Lell
b967336b3b
Small bugfix (incorrect filename in data directory)
2014-08-25 00:39:00 +02:00
Jakob Lell
fc6f50058b
Add desktop_linux_privilege_escalation module
2014-08-25 00:05:20 +02:00
jvazquez-r7
f6f8d7b993
Delete debug print_status
2014-07-22 15:00:03 -05:00
jvazquez-r7
b086462ed6
More cleanups of modules which REALLY need the 'old' generic encoder
2014-07-22 14:57:53 -05:00
jvazquez-r7
3d7ed10ea0
Second review of modules which shouldn't be affected by changes
2014-07-22 14:33:57 -05:00
jvazquez-r7
5e8da09b2d
Allow some modules to use the old encoder
2014-07-22 14:28:11 -05:00
jvazquez-r7
b0f8d8eaf1
Delete debug print_status
2014-07-22 13:29:00 -05:00
jvazquez-r7
f546eae464
Modify encoders to allow back compatibility
2014-07-22 13:27:12 -05:00
William Vu
ff6c8bd5de
Land #3479 , broken sock.get fix
2014-07-16 14:57:32 -05:00
Tod Beardsley
6c595f28d7
Set up a proper peer method
2014-07-14 13:29:07 -05:00
Michael Messner
1b7008dafa
typo in name
2014-07-13 13:24:54 +02:00
jvazquez-r7
8937fbb2f5
Fix email format
2014-07-11 12:45:23 -05:00
jvazquez-r7
eb9d2f130c
Change title
2014-07-11 12:03:09 -05:00
jvazquez-r7
a356a0e818
Code cleanup
2014-07-11 12:00:31 -05:00
jvazquez-r7
6fd1ff6870
Merge master
2014-07-11 11:40:39 -05:00
jvazquez-r7
d637171ac0
Change module filename
2014-07-11 11:39:32 -05:00
jvazquez-r7
c55117d455
Some cleanup
2014-07-11 11:39:01 -05:00
jvazquez-r7
a7a700c70d
Land #3502 , @m-1-k-3's DLink devices HNAP Buffer Overflow CVE-2014-3936
2014-07-11 11:25:03 -05:00
jvazquez-r7
b9cda5110c
Add target info to message
2014-07-11 11:24:33 -05:00
jvazquez-r7
dea68c66f4
Update title and description
2014-07-11 10:38:53 -05:00
jvazquez-r7
f238c2a93f
change module filename
2014-07-11 10:30:50 -05:00
jvazquez-r7
f7d60bebdc
Do clean up
2014-07-11 10:28:31 -05:00
jvazquez-r7
8f3197c192
Land #3496 , @m-1-k-3's switch to CmdStager on dlink_upnp_exec_noauth
2014-07-11 09:50:57 -05:00
jvazquez-r7
4ea2daa96a
Minor cleanup
2014-07-11 09:50:22 -05:00
jvazquez-r7
51cfa168b1
Fix deprecation information
2014-07-11 09:47:30 -05:00
jvazquez-r7
611b8a1b6d
Modify title and ranking
2014-07-11 09:35:21 -05:00
jvazquez-r7
a9b92ee581
Change module filename
2014-07-11 09:17:56 -05:00
jvazquez-r7
36c6e74221
Do minor fixes
2014-07-11 09:17:34 -05:00
Michael Messner
109201a5da
little auto detect fix
2014-07-10 20:45:49 +02:00
Michael Messner
781149f13f
little auto detect fix
2014-07-10 20:40:39 +02:00
Michael Messner
f068006f05
auto target
2014-07-09 21:53:11 +02:00
Michael Messner
6a765ae3b0
small cleanup
2014-07-09 21:16:29 +02:00
Michael Messner
0674314c74
auto target included
2014-07-09 20:56:04 +02:00
Michael Messner
b4812c1b7d
auto target included
2014-07-09 20:53:24 +02:00
Michael Messner
f89f47c4d0
dlink_dspw215_info_cgi_rop
2014-07-08 22:29:57 +02:00
Michael Messner
6fbd6bb4a0
stager
2014-07-08 22:17:02 +02:00
Michael Messner
ac727dae89
dlink_dsp_w215_hnap_exploit
2014-07-08 22:13:13 +02:00
Michael Messner
579ce0a858
cleanup
2014-07-08 21:58:15 +02:00
Michael Messner
51001f9cb3
Merge branch 'master' of git://github.com/rapid7/metasploit-framework into dlink_upnp_msearch_command_injection
2014-07-08 21:39:53 +02:00
Michael Messner
84d6d56e15
cleanup, deprecated
2014-07-08 21:36:07 +02:00
Michael Messner
10bcef0c33
cleanup, deprecated
2014-07-08 21:34:28 +02:00
Michael Messner
e7ade9f84d
migrate from wget to echo mechanism
2014-07-06 21:45:53 +02:00
jvazquez-r7
98a82bd145
Land #3486 , @brandonprry's exploit for CVE-2014-4511 gitlist RCE
2014-07-04 16:41:04 -05:00
jvazquez-r7
59881323b9
Clean code
2014-07-04 16:40:16 -05:00
Brandon Perry
a33a6dc79d
add bash to requiredcmd
2014-07-03 16:52:52 -05:00
Brandon Perry
806f26424c
&& not and
2014-07-03 16:50:21 -05:00
Brandon Perry
6fb2fc85a0
address @jvasquez-r7 review points
2014-07-03 16:43:01 -05:00
Brandon Perry
86a31b1896
Update gitlist_exec.rb
2014-07-03 12:40:37 -05:00
Michael Messner
8f55af5f9d
UPnP check included
2014-07-02 21:28:39 +02:00
Michael Messner
ac2e84bfd6
check included
2014-07-02 21:24:50 +02:00
Brandon Perry
db6524106e
one more typo, last one I swear
2014-06-30 22:33:19 -05:00
Brandon Perry
d7dfa67e94
typo
2014-06-30 20:15:25 -05:00
Brandon Perry
acedf5e847
Update gitlist_exec.rb
...
Fix EDB ref and no twitter handles.
2014-06-30 20:12:08 -05:00
Brandon Perry
ecc1b08994
Create gitlist_exec.rb
...
This adds a metasploit module for CVE-2014-4511
2014-06-30 20:10:24 -05:00
HD Moore
6e8415143c
Fix msftidy and tweak a few modules missing timeouts
2014-06-30 00:46:28 -05:00
Spencer McIntyre
748589f56a
Make cmdstager flavor explicit or from info
...
Every module that uses cmdstager either passes the flavor
as an option to the execute_cmdstager function or relies
on the module / target info now.
2014-06-28 17:40:49 -04:00
HD Moore
5e900a9f49
Correct sock.get() to sock.get_once() to prevent indefinite hangs/misuse
2014-06-28 16:06:46 -05:00
HD Moore
3868348045
Fix incorrect use of sock.get that leads to indefinite hang
2014-06-28 15:48:58 -05:00
Spencer McIntyre
bd49d3b17b
Explicitly use the echo stager and deregister options
...
Certain modules will only work with the echo cmd stager so
specify that one as a parameter to execute_cmdstager and
remove the datastore options to change it.
2014-06-28 16:21:08 -04:00
Spencer McIntyre
42ac3a32fe
Multi-fy two new linux/http/dlink exploits
2014-06-27 08:40:27 -04:00
Spencer McIntyre
41d721a861
Update two modules to use the new unified cmdstager
2014-06-27 08:34:57 -04:00
jvazquez-r7
870fa96bd4
Allow quotes in CmdStagerFlavor metadata
2014-06-27 08:34:56 -04:00
jvazquez-r7
91e2e63f42
Add CmdStagerFlavor to metadata
2014-06-27 08:34:55 -04:00
jvazquez-r7
d47994e009
Update modules to use the new generic CMDstager mixin
2014-06-27 08:34:55 -04:00
jvazquez-r7
7ced5927d8
Use One CMDStagermixin
2014-06-27 08:34:55 -04:00
Spencer McIntyre
ae25c300e5
Initial attempt to unify the command stagers.
2014-06-27 08:34:55 -04:00
Tod Beardsley
0219c4974a
Release fixups, word choice, refs, etc.
2014-06-23 11:17:00 -05:00
jvazquez-r7
e8b914a62f
Download rankings for reliable exploit, but depending on a specific version without autodetection
2014-06-20 14:33:02 -05:00
jvazquez-r7
f0d04fe77e
Do some randomizations
2014-06-20 11:38:10 -05:00
jvazquez-r7
f26f8ae5db
Change module filename
2014-06-20 11:27:49 -05:00
jvazquez-r7
33eaf643aa
Fix usage of :concat_operator operator
2014-06-20 11:27:23 -05:00
jvazquez-r7
5542f846d6
Merge to solve conflicts
2014-06-20 11:24:08 -05:00
jvazquez-r7
4203e75777
Land #3408 , @m-1-k-3's exploit for D-Link hedwig.cgi OSVDB 95950
2014-06-20 10:27:32 -05:00
jvazquez-r7
f74594c324
Order metadata
2014-06-20 10:26:50 -05:00
Joshua Smith
45dc197827
Lands 3454, exploits/linux/ids/alienvault_centerd_soap_exec
2014-06-19 15:58:33 -05:00
jvazquez-r7
d28ced5b7b
change module filename
2014-06-19 15:56:55 -05:00
jvazquez-r7
a0386f0797
Fix cmd_concat_operator
2014-06-19 15:52:55 -05:00
Michael Messner
86f523f00c
concator handling
2014-06-18 18:15:58 +02:00
jvazquez-r7
45ea59050c
Fix the if cleanup
2014-06-17 23:40:00 -05:00
Joshua Smith
288430d813
wraps some long lines
2014-06-17 22:30:28 -05:00
Christian Mehlmauer
8e1949f3c8
Added newline at EOF
2014-06-17 21:03:18 +02:00
Michael Messner
508998263b
removed wrong module file
2014-06-17 08:57:46 +02:00
Michael Messner
6f45eb13c7
moved module file
2014-06-17 08:56:07 +02:00
Michael Messner
a5eed71d50
renamed and other module removed
2014-06-17 08:50:09 +02:00
Michael Messner
e908b7bc25
renamed and other module removed
2014-06-17 08:49:46 +02:00
Michael Messner
f464c5ee97
dlink msearch commmand injection
2014-06-16 22:12:15 +02:00
jvazquez-r7
f7b892e55b
Add module for AlienVault's ZDI-14-202
2014-06-16 12:10:30 -05:00
Michael Messner
12ec785bdb
clean up, echo stager, concator handling
2014-06-14 17:37:09 +02:00
Michael Messner
8eb21ded97
clean up
2014-06-14 17:02:55 +02:00
Michael Messner
a3ae177347
echo stager, arch_cmd, echo module
2014-06-13 11:42:47 +02:00
Michael Messner
894af92b22
echo stager, arch_cmd
2014-06-13 11:40:50 +02:00
Michael Messner
76ed9bcf86
hedwig.cgi - cookie bof - return to system
2014-05-30 17:49:37 +02:00
Michael Messner
1ddc2d4e87
hedwig.cgi - cookie bof - return to system
2014-05-30 17:32:49 +02:00
Christian Mehlmauer
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
Michael Messner
b85c0b7543
rop to system with telnetd
2014-05-23 20:51:25 +02:00
Christian Mehlmauer
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
jvazquez-r7
1483f02f83
Land #3306 , @xistence's alienvault's exploit
2014-05-01 09:25:07 -05:00
jvazquez-r7
1b39712b73
Redo response check
2014-05-01 09:10:16 -05:00
jvazquez-r7
78cefae607
Use WfsDelay
2014-05-01 09:07:26 -05:00
xistence
5db24b8351
Fixes/Stability AlienVault module
2014-05-01 14:53:55 +07:00
xistence
c12d72b58c
Changes to alienvault module
2014-05-01 10:39:11 +07:00
xistence
9bcf5eadb7
Changes to alienvault module
2014-05-01 10:10:15 +07:00
jvazquez-r7
9a1b216fdb
Move module to new location
2014-04-28 11:55:26 -05:00
William Vu
7d801e3acc
Land #3200 , goodbye LORCON modules :(
2014-04-18 12:32:22 -05:00
sinn3r
b69662fa42
Land #3233 - eScan Password Command Injection
2014-04-11 11:05:48 -05:00
jvazquez-r7
0c8f5e9b7d
Add @Firefart's feedback
2014-04-11 10:21:33 -05:00
jvazquez-r7
fe066ae944
Land #3207 , @7a69 MIPS BE support for Fritz Box's exploit
2014-04-09 23:20:45 -05:00
jvazquez-r7
fdda69d434
Align things
2014-04-09 23:19:41 -05:00
jvazquez-r7
386e2e3d29
Do final / minor cleanup
2014-04-09 23:19:12 -05:00
jvazquez-r7
b0b979ce62
Meterpreter sessions won't get root in this way
2014-04-09 16:59:12 -05:00
jvazquez-r7
a2ce2bfa56
Fix disclosure date
2014-04-09 16:41:49 -05:00
jvazquez-r7
ff232167a6
Add module for eScan command injection
2014-04-09 16:39:06 -05:00
sinn3r
eb9d3520be
Land #3208 - Sophos Web Protection Appliance Interface Authenticated Exec
2014-04-09 11:30:59 -05:00
Brandon Perry
8428b37e59
move file to .rb ext
2014-04-09 05:17:14 -07:00
Brandon Perry
82c9b539ac
Fix disclosure date, earlier than I thought
2014-04-08 21:43:49 -05:00
Brandon Perry
3013704c75
Create sophos_wpa_iface_exec
...
This module exploits both bugs in http://www.zerodayinitiative.com/advisories/ZDI-14-069/
2014-04-08 21:21:43 -05:00
Fabian Bräunlein
8dce80fd30
Added Big Endianess, improved check()-Function
...
Some Fritz!Box devices also run in Big Endianess mode. However, since
"uname -a" always returns "mips" and the "file"-command is not
available, autodetection is not an easy task.
The check()-function now checks, whether the device is really
vulnerable.
Furthemore, it's possible to send 92 bytes.
2014-04-08 21:32:36 +02:00
Jeff Jarmoc
21b220321f
Fix typo.
...
This isn't a Linksys exploit. Left over wording from a previous exploit?
2014-04-07 18:06:59 -05:00
Tod Beardsley
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
jvazquez-r7
fb1318b91c
Land #3193 , @m-1-k-3's exploit for the Fritzbox RCE vuln
2014-04-07 16:13:31 -05:00
jvazquez-r7
ceaa99e64e
Minor final cleanup
2014-04-07 16:12:54 -05:00
Michael Messner
b1a6b28af9
fixed disclosure date
2014-04-07 19:29:37 +02:00
Michael Messner
003310f18a
feedback included
2014-04-07 19:25:26 +02:00
Tod Beardsley
7572d6612e
Spelling and grammar on new release modules
2014-04-07 12:18:13 -05:00
Michael Messner
85de6ed0c9
feedback included
2014-04-07 18:20:15 +02:00
Michael Messner
11bbb7f429
fritzbox echo exploit
2014-04-07 09:12:22 +02:00
jvazquez-r7
6d72860d58
Land #3004 , @m-1-k-3's linksys moon exploit
2014-04-04 14:04:48 -05:00
jvazquez-r7
0ae75860ea
Code clean up
2014-04-04 14:02:12 -05:00
Tod Beardsley
ffdca3bf42
Fixup on some modules for release
...
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
Michael Messner
4319885420
we do not need pieces ...
2014-03-26 20:45:30 +01:00
sinn3r
0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping
2014-03-24 21:16:10 -05:00
sinn3r
53b25c8c93
Fix header & author e-mail format
2014-03-24 21:15:27 -05:00
Brandon Perry
d2a9a26bc8
real fix for sinn3r bug
2014-03-24 18:40:48 -05:00
Brandon Perry
ec35f4b13f
some bugs for sinn3r
2014-03-24 18:17:50 -05:00
Tod Beardsley
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
Brandon Perry
d6f397ab6d
whoops that isn't how you EDB
2014-03-22 11:48:41 -05:00
Brandon Perry
291692d6e0
Update lifesize_uvc_ping_rce.rb
2014-03-22 11:30:00 -05:00
Brandon Perry
67a3a7227b
Create lifesize_uvc_ping_rce.rb
2014-03-21 21:33:12 -05:00
jvazquez-r7
144b86fee3
Add reference
2014-03-19 12:17:53 -05:00
jvazquez-r7
27d142b387
Solve conflict by keeping file
2014-03-19 12:15:05 -05:00
jvazquez-r7
fb645b6692
Clean code
2014-03-19 12:06:20 -05:00
jvazquez-r7
38176ad67d
Land #3109 , @xistence's Loadbalancer.org Enterprise VA applicance exploit
2014-03-18 06:53:26 -05:00
jvazquez-r7
ddd923793a
Do minor clean up
2014-03-18 06:52:50 -05:00
jvazquez-r7
ad49df4301
Register RHOST
2014-03-18 06:17:41 -05:00
jvazquez-r7
600338bd29
Land #3108 , @xistence's exploit for Quantum vmPRO shell-escape
2014-03-18 06:12:18 -05:00
jvazquez-r7
f656e5fedb
Do minor clean up
2014-03-18 06:11:02 -05:00
xistence
9bb4e5cfc3
Loadbalancer.org Enterprise VA SSH privkey exposure
2014-03-17 14:22:51 +07:00
xistence
c116697c70
Quantum vmPRO backdoor command
2014-03-17 14:19:27 +07:00
xistence
ef4a019b20
Quantum DXi V1000 SSH private key exposure
2014-03-17 14:15:00 +07:00
William Vu
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
James Lee
d1ea74c5fa
Make the password hash stand out as more important
2014-03-04 15:08:47 -06:00
James Lee
9a403bf630
Also extract admin hash if password auth failed
2014-03-04 14:55:47 -06:00
James Lee
423477bc52
auth_succeeded? is a better name for this method
2014-03-04 14:55:47 -06:00
James Lee
917b09086b
Pull the copy-pasted verification into a method
2014-03-04 14:55:47 -06:00
James Lee
4cfda88bad
Pull the copy-pasted sqli into a method
2014-03-04 14:55:47 -06:00
James Lee
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
Michael Messner
15345da9d8
remove the wget module, remove the cmd stuff, testing bind stuff ahead
2014-02-28 22:44:26 +01:00
Michael Messner
2935f4f562
CMD target
2014-02-24 18:12:23 +01:00
Michael Messner
0126e3fcc8
cleanup
2014-02-23 21:17:32 +01:00
Michael Messner
dbbd080fc1
a first try of the cmd stager, wget in a seperated module included
2014-02-23 20:59:17 +01:00
Michael Messner
3a8de6e124
replaced rhost by peer
2014-02-18 21:01:50 +01:00
Michael Messner
66e2148197
linksys themoon command execution exploit
2014-02-18 19:43:47 +01:00
Michael Messner
4dda7e6bad
linksys themoon command execution exploit
2014-02-18 19:42:50 +01:00