Commit Graph

1176 Commits (4288c3fb46e61c6c2844c743ce55689e97c63fb4)

Author SHA1 Message Date
Michael Messner 10baf1ebb6 echo stager 2015-05-23 15:50:35 +02:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo ''; done"
```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
m-1-k-3 c7e05448e7 various MIPS vs MIPSBE fixes 2015-05-04 12:55:21 +02:00
m-1-k-3 53043dcbbc make msftidy happy 2015-05-03 18:14:51 +02:00
m-1-k-3 6fbce56a52 realtek upnp command injection 2015-05-03 18:09:22 +02:00
jvazquez-r7 1bc6822811
Delete Airties module 2015-05-22 11:57:45 -05:00
jvazquez-r7 70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof 2015-05-22 11:57:19 -05:00
m-1-k-3 d8b8017e0b remove debugging 2015-04-27 06:36:34 +02:00
m-1-k-3 8db88994ac fingerprint, title 2015-04-27 06:34:46 +02:00
m-1-k-3 285d767e20 initial commit of UPnP exploit for Airties devices 2015-04-27 05:34:30 +02:00
m-1-k-3 f5b0a7e082 include rop gadget description 2015-04-23 00:11:02 +02:00
m-1-k-3 1ec0e09a43 msftidy 2015-04-22 10:32:47 +02:00
m-1-k-3 58099d0469 airties login bof module 2015-04-22 10:21:58 +02:00
jvazquez-r7 3f40342ac5
Fix sock_sendpage 2015-04-21 14:17:19 -05:00
jvazquez-r7 ab94f15a60
Take care of modules using the 'DEBUG' option 2015-04-21 12:13:40 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
Michael Messner b991dec0f9 Dlink UPnP SOAP-Header Injection 2015-04-17 22:54:32 +02:00
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
Christian Mehlmauer 153344a1dd
fix Unkown typo 2015-04-16 23:59:28 +02:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
Christian Mehlmauer a193ae42b0
moar fail_with's 2015-04-16 21:25:05 +02:00
Christian Mehlmauer 4dc402fd3c
moar fail_with's 2015-04-16 21:16:52 +02:00
Christian Mehlmauer 0e186fa617
first fail_with fixes 2015-04-16 21:08:33 +02:00
jvazquez-r7 ef6bf54e2f
Fix metadata 2015-04-15 09:22:59 -05:00
jvazquez-r7 1da6b32df7
Land #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
jvazquez-r7 6019bbe0d2
Add ranking comment 2015-04-15 09:12:03 -05:00
jvazquez-r7 ad465c4d5b
Do code cleanup 2015-04-15 09:10:18 -05:00
Tod Beardsley 11057e5b3b
Fix up the last couple from Tenable, missed last
[See #5012]
2015-04-02 15:27:46 -05:00
Tod Beardsley 4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
Tod Beardsley b17727d244
Switching to privileged => false 2015-04-01 14:35:45 -05:00
Tod Beardsley 0825534d2c
Fix reference 2015-04-01 14:16:45 -05:00
Tod Beardsley 8ec71e9daf
Add a module for R7-2015-05 2015-04-01 14:05:41 -05:00
m-1-k-3 d81a246660 target_uri 2015-03-26 12:16:20 +01:00
m-1-k-3 b7f469b747 feedback 2015-03-26 07:39:36 +01:00
Tod Beardsley 49a6057f74
Grammaring harder 2015-03-24 11:10:36 -05:00
jvazquez-r7 2d1adf6ef4
Land #4923, @m-1-k-3's exploit for overflow on belkin routers 2015-03-22 02:05:35 -05:00
jvazquez-r7 ee74bb3c5b
The default concat operator should be ok 2015-03-22 02:05:02 -05:00
jvazquez-r7 5499b68e02
Do code cleanup 2015-03-22 01:58:32 -05:00
sinn3r 1b67a06d35 No banner var 2015-03-20 02:26:59 -05:00
sinn3r b55ffc9ff1 Change option to FORCE_EXPLOIT 2015-03-20 01:44:10 -05:00
sinn3r d8539ef91a Change datastore option's description 2015-03-19 12:22:42 -05:00
sinn3r a2ba81f84f This should be true (required) 2015-03-19 11:54:03 -05:00
sinn3r d8c8bd1669 Move the details to a wiki 2015-03-19 11:52:17 -05:00
sinn3r 968a8758ad Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
Sven Vetsch 4d3a1a2f71 fix all duplicated keys in modules 2015-03-14 13:10:42 +01:00
m-1-k-3 819a49b28a msftidy again 2015-03-12 19:09:52 +01:00
m-1-k-3 2eab258a76 msftidy 2015-03-12 19:07:56 +01:00
m-1-k-3 ccf7314c8f msftidy 2015-03-12 19:05:21 +01:00
m-1-k-3 6fcab31997 ncc exploit CVE-2015-1187 - dir626l 2015-03-12 18:55:50 +01:00
m-1-k-3 64f769504b encoding 2015-03-10 17:47:15 +01:00
m-1-k-3 6657c7d11d Belkin - CVE-2014-1635 2015-03-10 16:49:51 +01:00
William Vu ecd7ae9c3b
Land #4857, symantec_web_gateway_restore module 2015-03-02 15:00:10 -06:00
sinn3r ad28f9767f Use include 2015-03-02 14:41:25 -06:00
sinn3r cb140434f9 Update 2015-03-02 12:59:21 -06:00
OJ 905a539a00 Add exploit for Seagate Business NAS devices
This module is an exploit for a pre-authenticated remote code execution
vulnerability in Seagate Business NAS products.
2015-03-01 13:25:28 +10:00
sinn3r 4a1fbbdc3b Use datastore to find payload name 2015-02-28 19:56:32 -06:00
sinn3r ef9196ba6c Correct comment 2015-02-27 13:27:49 -06:00
sinn3r 7b6c39058a Correct target name 2015-02-27 13:24:57 -06:00
sinn3r 90aff51676 Add CVE-2014-7285, Symantec Web Gateway restore.php Command Injection 2015-02-27 12:31:29 -06:00
jvazquez-r7 0372b08d83 Fix mixin usage on modules 2015-02-13 17:17:59 -06:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
jvazquez-r7 b61538e980
Land #4291, @headlesszeke's module for ARRIS VAP2500 command execution 2015-01-21 20:52:31 -06:00
jvazquez-r7 33195caff2 Mark compatible payloads 2015-01-21 20:52:04 -06:00
jvazquez-r7 500d7159f1 Use PAYLOAD instead of CMD 2015-01-21 20:49:05 -06:00
jvazquez-r7 f37ac39b4c Split exploit cmd vs exploit session 2015-01-21 20:46:37 -06:00
jvazquez-r7 e1d1ff17fd Change failure code 2015-01-21 20:38:33 -06:00
jvazquez-r7 169052af5c Use cookie option 2015-01-21 20:37:38 -06:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
Tod Beardsley 264d3f9faa
Minor grammar fixes on modules 2014-12-31 11:45:14 -06:00
jvazquez-r7 121c0406e9 Beautify restart_command creation 2014-12-24 15:52:15 -06:00
jvazquez-r7 43ec8871bc Do minor c code cleanup 2014-12-24 15:45:38 -06:00
jvazquez-r7 92113a61ce Check payload 2014-12-24 15:43:49 -06:00
jvazquez-r7 36ac0e6279 Clean get_restart_commands 2014-12-24 14:55:18 -06:00
jvazquez-r7 92b3505119 Clean exploit method 2014-12-24 14:49:19 -06:00
jvazquez-r7 9c4d892f5e Use single quotes when possible 2014-12-24 14:37:39 -06:00
jvazquez-r7 bbbb917728 Do style cleaning on metadata 2014-12-24 14:35:35 -06:00
jvazquez-r7 af24e03879 Update from upstream 2014-12-24 14:25:25 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart 65b316cd8c
Land #4372 2014-12-11 18:48:16 -08:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
Christian Mehlmauer de88908493
code style 2014-12-11 23:30:20 +01:00
headlesszeke 8d1ca872d8 Now with logging of command response output 2014-12-05 10:58:40 -06:00
Tod Beardsley 79f2708a6e
Slight fixes to grammar/desc/whitespace
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
headlesszeke 564488acb4 Changed and to && 2014-12-02 00:02:53 -06:00
headlesszeke 280e10db55 Add module for Arris VAP2500 Remote Command Execution 2014-12-01 23:07:56 -06:00
Rasta Mouse 985838e999 Suggestions from OJ 2014-11-27 21:38:50 +00:00
Rasta Mouse 25ecf73d7d Add configurable directory, rather than relying on the session working
directory.
2014-11-27 17:12:37 +00:00
OJ 75e5553cd4 Change to in exploit 2014-11-26 16:53:30 +10:00
jvazquez-r7 9524efa383 Fix banner 2014-11-25 23:14:20 -06:00
jvazquez-r7 16ed90db88 Delete return keyword 2014-11-25 23:11:53 -06:00
jvazquez-r7 85926e1a07 Improve check 2014-11-25 23:11:32 -06:00
jvazquez-r7 5a2d2914a9 Fail on upload errors 2014-11-25 22:48:57 -06:00
jvazquez-r7 b24e641e97 Modify exploit logic 2014-11-25 22:11:43 -06:00
jvazquez-r7 4bbadc44d6 Use Msf::Exploit::FileDropper 2014-11-25 22:00:42 -06:00
jvazquez-r7 7fbd5b63b1 Delete the Rex::MIME::Message gsub 2014-11-25 21:54:50 -06:00
jvazquez-r7 eaa41e9a94 Added reference 2014-11-25 21:37:04 -06:00
jvazquez-r7 2c207597dc Use single quotes 2014-11-25 18:30:25 -06:00
jvazquez-r7 674ceeed40 Do minor cleanup 2014-11-25 18:26:41 -06:00
jvazquez-r7 6ceb47619a Change module filename 2014-11-25 18:09:15 -06:00
jvazquez-r7 1305d56901 Update from upstream master 2014-11-25 18:07:13 -06:00
Mark Schloesser 9e9954e831 fix placeholder to show the firmware version I used 2014-11-19 21:23:39 +01:00
Mark Schloesser a718e6f83e add exploit for r7-2014-18 / CVE-2014-4880 2014-11-19 21:07:02 +01:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in addition to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updated to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Joe Vennix c6bbc5bccf
Merge branch 'landing-4055' into upstream-master 2014-10-28 11:18:20 -05:00
Luke Imhoff 216360d664
Add missing require
MSP-11145
2014-10-27 15:19:59 -05:00
sinn3r 7cb4320a76
Land #3561 - unix cmd generic_sh encoder 2014-10-23 15:48:00 -05:00
sinn3r 13fd6a3374
Land #4046 - Centreon SQL and Command Injection 2014-10-23 13:17:00 -05:00
sinn3r ce841e57e2 Rephrase about centreon.session 2014-10-23 13:15:55 -05:00
sinn3r 889045d1b6 Change failure message 2014-10-23 12:55:27 -05:00
William Vu d5b698bf2d
Land #3944, pkexec exploit 2014-10-17 16:30:55 -05:00
jvazquez-r7 7652b580cd Beautify description 2014-10-17 15:31:37 -05:00
jvazquez-r7 d831a20629 Add references and fix typos 2014-10-17 15:29:28 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
0a2940 e689a0626d Use Rex.sleep :-)
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"

user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
sinn3r c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution 2014-10-08 00:30:07 -05:00
jvazquez-r7 299d9afa6f Add module for centreon vulnerabilities 2014-10-07 14:40:51 -05:00
jvazquez-r7 3daa1ed4c5 Avoid changing modules indentation in this pull request 2014-10-07 10:41:25 -05:00
jvazquez-r7 341d8b01cc Favor echo encoder for back compatibility 2014-10-07 10:24:32 -05:00
jvazquez-r7 0089810026 Merge to update 2014-10-06 19:09:31 -05:00
jvazquez-r7 212762e1d6 Delete RequiredCmd for unix cmd encoders, favor EncoderType 2014-10-06 18:42:21 -05:00
0a2940 f2b9aeed74 typo 2014-10-03 11:02:56 +01:00
0a2940 f60f6d9c92 add exploit for CVE-2011-1485 2014-10-03 10:54:43 +01:00
Brandon Perry 2c9446e6a8 Update f5_icontrol_exec.rb 2014-10-02 17:56:24 -05:00
Tod Beardsley 4fbab43f27
Release fixes, all titles and descs 2014-10-01 14:26:09 -05:00
William Vu 039e544ffa
Land #3925, rm indeces_enum
Deprecated.
2014-09-30 17:45:38 -05:00
Brandon Perry 161a145ec2 Create f5_icontrol_exec.rb 2014-09-27 10:40:13 -05:00
jvazquez-r7 f2cfbebbfb Add module for ZDI-14-305 2014-09-24 00:22:16 -05:00
Jon Hart 495e1c14a1
Land #3721, @brandonprry's module for Railo CVE-2014-5468 2014-09-09 19:10:46 -07:00
Jon Hart 26d8432a22
Minor style and usability changes to @brandonprry's #3721 2014-09-09 19:09:45 -07:00
Brandon Perry db6052ec6a Update check method 2014-09-09 18:51:42 -05:00
Jakob Lell 3e57ac838c Converted LD_PRELOAD library from precompiled binary to metasm code. 2014-09-04 21:49:55 +02:00
Brandon Perry ee3e5c9159 Add check method 2014-09-02 21:35:47 -05:00
Brandon Perry 438f0e6365 typos 2014-08-30 09:22:58 -05:00
Brandon Perry f72cce9ff2 Update railo_cfml_rfi.rb 2014-08-29 17:33:15 -05:00
Brandon Perry f4965ec5cf Create railo_cfml_rfi.rb 2014-08-28 08:42:07 -05:00
Jakob Lell 052327b9c6 Removed redundant string "linux_" from exploit name 2014-08-27 23:33:15 +02:00
Jakob Lell b967336b3b Small bugfix (incorrect filename in data directory) 2014-08-25 00:39:00 +02:00
Jakob Lell fc6f50058b Add desktop_linux_privilege_escalation module 2014-08-25 00:05:20 +02:00
jvazquez-r7 f6f8d7b993 Delete debug print_status 2014-07-22 15:00:03 -05:00
jvazquez-r7 b086462ed6 More cleanups of modules which REALLY need the 'old' generic encoder 2014-07-22 14:57:53 -05:00
jvazquez-r7 3d7ed10ea0 Second review of modules which shouldn't be affected by changes 2014-07-22 14:33:57 -05:00
jvazquez-r7 5e8da09b2d Allow some modules to use the old encoder 2014-07-22 14:28:11 -05:00
jvazquez-r7 b0f8d8eaf1 Delete debug print_status 2014-07-22 13:29:00 -05:00
jvazquez-r7 f546eae464 Modify encoders to allow back compatibility 2014-07-22 13:27:12 -05:00
William Vu ff6c8bd5de
Land #3479, broken sock.get fix 2014-07-16 14:57:32 -05:00
Tod Beardsley 6c595f28d7
Set up a proper peer method 2014-07-14 13:29:07 -05:00
Michael Messner 1b7008dafa typo in name 2014-07-13 13:24:54 +02:00
jvazquez-r7 8937fbb2f5 Fix email format 2014-07-11 12:45:23 -05:00
jvazquez-r7 eb9d2f130c Change title 2014-07-11 12:03:09 -05:00
jvazquez-r7 a356a0e818 Code cleanup 2014-07-11 12:00:31 -05:00
jvazquez-r7 6fd1ff6870 Merge master 2014-07-11 11:40:39 -05:00
jvazquez-r7 d637171ac0 Change module filename 2014-07-11 11:39:32 -05:00
jvazquez-r7 c55117d455 Some cleanup 2014-07-11 11:39:01 -05:00
jvazquez-r7 a7a700c70d
Land #3502, @m-1-k-3's DLink devices HNAP Buffer Overflow CVE-2014-3936 2014-07-11 11:25:03 -05:00
jvazquez-r7 b9cda5110c Add target info to message 2014-07-11 11:24:33 -05:00
jvazquez-r7 dea68c66f4 Update title and description 2014-07-11 10:38:53 -05:00
jvazquez-r7 f238c2a93f change module filename 2014-07-11 10:30:50 -05:00
jvazquez-r7 f7d60bebdc Do clean up 2014-07-11 10:28:31 -05:00
jvazquez-r7 8f3197c192
Land #3496, @m-1-k-3's switch to CmdStager on dlink_upnp_exec_noauth 2014-07-11 09:50:57 -05:00
jvazquez-r7 4ea2daa96a Minor cleanup 2014-07-11 09:50:22 -05:00
jvazquez-r7 51cfa168b1 Fix deprecation information 2014-07-11 09:47:30 -05:00
jvazquez-r7 611b8a1b6d Modify title and ranking 2014-07-11 09:35:21 -05:00
jvazquez-r7 a9b92ee581 Change module filename 2014-07-11 09:17:56 -05:00
jvazquez-r7 36c6e74221 Do minor fixes 2014-07-11 09:17:34 -05:00
Michael Messner 109201a5da little auto detect fix 2014-07-10 20:45:49 +02:00
Michael Messner 781149f13f little auto detect fix 2014-07-10 20:40:39 +02:00
Michael Messner f068006f05 auto target 2014-07-09 21:53:11 +02:00
Michael Messner 6a765ae3b0 small cleanup 2014-07-09 21:16:29 +02:00
Michael Messner 0674314c74 auto target included 2014-07-09 20:56:04 +02:00
Michael Messner b4812c1b7d auto target included 2014-07-09 20:53:24 +02:00
Michael Messner f89f47c4d0 dlink_dspw215_info_cgi_rop 2014-07-08 22:29:57 +02:00
Michael Messner 6fbd6bb4a0 stager 2014-07-08 22:17:02 +02:00
Michael Messner ac727dae89 dlink_dsp_w215_hnap_exploit 2014-07-08 22:13:13 +02:00
Michael Messner 579ce0a858 cleanup 2014-07-08 21:58:15 +02:00
Michael Messner 51001f9cb3 Merge branch 'master' of git://github.com/rapid7/metasploit-framework into dlink_upnp_msearch_command_injection 2014-07-08 21:39:53 +02:00
Michael Messner 84d6d56e15 cleanup, deprecated 2014-07-08 21:36:07 +02:00
Michael Messner 10bcef0c33 cleanup, deprecated 2014-07-08 21:34:28 +02:00
Michael Messner e7ade9f84d migrate from wget to echo mechanism 2014-07-06 21:45:53 +02:00
jvazquez-r7 98a82bd145
Land #3486, @brandonprry's exploit for CVE-2014-4511 gitlist RCE 2014-07-04 16:41:04 -05:00
jvazquez-r7 59881323b9 Clean code 2014-07-04 16:40:16 -05:00
Brandon Perry a33a6dc79d add bash to requiredcmd 2014-07-03 16:52:52 -05:00
Brandon Perry 806f26424c && not and 2014-07-03 16:50:21 -05:00
Brandon Perry 6fb2fc85a0 address @jvasquez-r7 review points 2014-07-03 16:43:01 -05:00
Brandon Perry 86a31b1896 Update gitlist_exec.rb 2014-07-03 12:40:37 -05:00
Michael Messner 8f55af5f9d UPnP check included 2014-07-02 21:28:39 +02:00
Michael Messner ac2e84bfd6 check included 2014-07-02 21:24:50 +02:00
Brandon Perry db6524106e one more typo, last one I swear 2014-06-30 22:33:19 -05:00
Brandon Perry d7dfa67e94 typo 2014-06-30 20:15:25 -05:00
Brandon Perry acedf5e847 Update gitlist_exec.rb
Fix EDB ref and no twitter handles.
2014-06-30 20:12:08 -05:00
Brandon Perry ecc1b08994 Create gitlist_exec.rb
This adds a metasploit module for CVE-2014-4511
2014-06-30 20:10:24 -05:00
HD Moore 6e8415143c Fix msftidy and tweak a few modules missing timeouts 2014-06-30 00:46:28 -05:00
Spencer McIntyre 748589f56a Make cmdstager flavor explicit or from info
Every module that uses cmdstager either passes the flavor
as an option to the execute_cmdstager function or relies
on the module / target info now.
2014-06-28 17:40:49 -04:00
HD Moore 5e900a9f49 Correct sock.get() to sock.get_once() to prevent indefinite hangs/misuse 2014-06-28 16:06:46 -05:00
HD Moore 3868348045 Fix incorrect use of sock.get that leads to indefinite hang 2014-06-28 15:48:58 -05:00
Spencer McIntyre bd49d3b17b Explicitly use the echo stager and deregister options
Certain modules will only work with the echo cmd stager so
specify that one as a parameter to execute_cmdstager and
remove the datastore options to change it.
2014-06-28 16:21:08 -04:00
Spencer McIntyre 42ac3a32fe Multi-fy two new linux/http/dlink exploits 2014-06-27 08:40:27 -04:00
Spencer McIntyre 41d721a861 Update two modules to use the new unified cmdstager 2014-06-27 08:34:57 -04:00
jvazquez-r7 870fa96bd4 Allow quotes in CmdStagerFlavor metadata 2014-06-27 08:34:56 -04:00
jvazquez-r7 91e2e63f42 Add CmdStagerFlavor to metadata 2014-06-27 08:34:55 -04:00
jvazquez-r7 d47994e009 Update modules to use the new generic CMDstager mixin 2014-06-27 08:34:55 -04:00
jvazquez-r7 7ced5927d8 Use One CMDStagermixin 2014-06-27 08:34:55 -04:00
Spencer McIntyre ae25c300e5 Initial attempt to unify the command stagers. 2014-06-27 08:34:55 -04:00
Tod Beardsley 0219c4974a
Release fixups, word choice, refs, etc. 2014-06-23 11:17:00 -05:00
jvazquez-r7 e8b914a62f Download rankings for reliable exploit, but depending on a specific version without autodetection 2014-06-20 14:33:02 -05:00
jvazquez-r7 f0d04fe77e Do some randomizations 2014-06-20 11:38:10 -05:00
jvazquez-r7 f26f8ae5db Change module filename 2014-06-20 11:27:49 -05:00
jvazquez-r7 33eaf643aa Fix usage of :concat_operator operator 2014-06-20 11:27:23 -05:00
jvazquez-r7 5542f846d6 Merge to solve conflicts 2014-06-20 11:24:08 -05:00
jvazquez-r7 4203e75777
Land #3408, @m-1-k-3's exploit for D-Link hedwig.cgi OSVDB 95950 2014-06-20 10:27:32 -05:00
jvazquez-r7 f74594c324 Order metadata 2014-06-20 10:26:50 -05:00
Joshua Smith 45dc197827
Lands 3454, exploits/linux/ids/alienvault_centerd_soap_exec 2014-06-19 15:58:33 -05:00
jvazquez-r7 d28ced5b7b change module filename 2014-06-19 15:56:55 -05:00
jvazquez-r7 a0386f0797 Fix cmd_concat_operator 2014-06-19 15:52:55 -05:00
Michael Messner 86f523f00c concator handling 2014-06-18 18:15:58 +02:00
jvazquez-r7 45ea59050c Fix the if cleanup 2014-06-17 23:40:00 -05:00
Joshua Smith 288430d813 wraps some long lines 2014-06-17 22:30:28 -05:00
Christian Mehlmauer 8e1949f3c8
Added newline at EOF 2014-06-17 21:03:18 +02:00
Michael Messner 508998263b removed wrong module file 2014-06-17 08:57:46 +02:00
Michael Messner 6f45eb13c7 moved module file 2014-06-17 08:56:07 +02:00
Michael Messner a5eed71d50 renamed and other module removed 2014-06-17 08:50:09 +02:00
Michael Messner e908b7bc25 renamed and other module removed 2014-06-17 08:49:46 +02:00
Michael Messner f464c5ee97 dlink msearch command injection 2014-06-16 22:12:15 +02:00
jvazquez-r7 f7b892e55b Add module for AlienVault's ZDI-14-202 2014-06-16 12:10:30 -05:00
Michael Messner 12ec785bdb clean up, echo stager, concator handling 2014-06-14 17:37:09 +02:00
Michael Messner 8eb21ded97 clean up 2014-06-14 17:02:55 +02:00
Michael Messner a3ae177347 echo stager, arch_cmd, echo module 2014-06-13 11:42:47 +02:00
Michael Messner 894af92b22 echo stager, arch_cmd 2014-06-13 11:40:50 +02:00
Michael Messner 76ed9bcf86 hedwig.cgi - cookie bof - return to system 2014-05-30 17:49:37 +02:00
Michael Messner 1ddc2d4e87 hedwig.cgi - cookie bof - return to system 2014-05-30 17:32:49 +02:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
Michael Messner b85c0b7543 rop to system with telnetd 2014-05-23 20:51:25 +02:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
jvazquez-r7 1483f02f83
Land #3306, @xistence's alienvault's exploit 2014-05-01 09:25:07 -05:00
jvazquez-r7 1b39712b73 Redo response check 2014-05-01 09:10:16 -05:00
jvazquez-r7 78cefae607 Use WfsDelay 2014-05-01 09:07:26 -05:00
xistence 5db24b8351 Fixes/Stability AlienVault module 2014-05-01 14:53:55 +07:00
xistence c12d72b58c Changes to alienvault module 2014-05-01 10:39:11 +07:00
xistence 9bcf5eadb7 Changes to alienvault module 2014-05-01 10:10:15 +07:00
jvazquez-r7 9a1b216fdb Move module to new location 2014-04-28 11:55:26 -05:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
sinn3r b69662fa42
Land #3233 - eScan Password Command Injection 2014-04-11 11:05:48 -05:00
jvazquez-r7 0c8f5e9b7d Add @Firefart's feedback 2014-04-11 10:21:33 -05:00
jvazquez-r7 fe066ae944
Land #3207, @7a69 MIPS BE support for Fritz Box's exploit 2014-04-09 23:20:45 -05:00
jvazquez-r7 fdda69d434 Align things 2014-04-09 23:19:41 -05:00
jvazquez-r7 386e2e3d29 Do final / minor cleanup 2014-04-09 23:19:12 -05:00
jvazquez-r7 b0b979ce62 Meterpreter sessions won't get root in this way 2014-04-09 16:59:12 -05:00
jvazquez-r7 a2ce2bfa56 Fix disclosure date 2014-04-09 16:41:49 -05:00
jvazquez-r7 ff232167a6 Add module for eScan command injection 2014-04-09 16:39:06 -05:00
sinn3r eb9d3520be
Land #3208 - Sophos Web Protection Appliance Interface Authenticated Exec 2014-04-09 11:30:59 -05:00
Brandon Perry 8428b37e59 move file to .rb ext 2014-04-09 05:17:14 -07:00
Brandon Perry 82c9b539ac Fix disclosure date, earlier than I thought 2014-04-08 21:43:49 -05:00
Brandon Perry 3013704c75 Create sophos_wpa_iface_exec
This module exploits both bugs in http://www.zerodayinitiative.com/advisories/ZDI-14-069/
2014-04-08 21:21:43 -05:00
Fabian Bräunlein 8dce80fd30 Added Big Endianness, improved check()-Function
Some Fritz!Box devices also run in Big Endianness mode. However, since
"uname -a" always returns "mips" and the "file"-command is not
available, autodetection is not an easy task.

The check()-function now checks whether the device is really
vulnerable.

Furthermore, it's possible to send 92 bytes.
2014-04-08 21:32:36 +02:00
Jeff Jarmoc 21b220321f Fix typo.
This isn't a Linksys exploit.  Left over wording from a previous exploit?
2014-04-07 18:06:59 -05:00
Tod Beardsley 17ddbccc34
Remove the broken lorcon module set
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.

I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.

Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.

````
msf auxiliary(wifun) > show options

Module options (auxiliary/dos/wifi/wifun):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHANNEL    11               yes       The initial channel
   DRIVER     autodetect       yes       The name of the wireless driver
for lorcon
   INTERFACE  wlan0            yes       The name of the wireless
interface

msf auxiliary(wifun) > run

[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
jvazquez-r7 fb1318b91c
Land #3193, @m-1-k-3's exploit for the Fritzbox RCE vuln 2014-04-07 16:13:31 -05:00
jvazquez-r7 ceaa99e64e Minor final cleanup 2014-04-07 16:12:54 -05:00
Michael Messner b1a6b28af9 fixed disclosure date 2014-04-07 19:29:37 +02:00
Michael Messner 003310f18a feedback included 2014-04-07 19:25:26 +02:00
Tod Beardsley 7572d6612e
Spelling and grammar on new release modules 2014-04-07 12:18:13 -05:00
Michael Messner 85de6ed0c9 feedback included 2014-04-07 18:20:15 +02:00
Michael Messner 11bbb7f429 fritzbox echo exploit 2014-04-07 09:12:22 +02:00
jvazquez-r7 6d72860d58
Land #3004, @m-1-k-3's linksys moon exploit 2014-04-04 14:04:48 -05:00
jvazquez-r7 0ae75860ea Code clean up 2014-04-04 14:02:12 -05:00
Tod Beardsley ffdca3bf42
Fixup on some modules for release
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
Michael Messner 4319885420 we do not need pieces ... 2014-03-26 20:45:30 +01:00
sinn3r 0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping 2014-03-24 21:16:10 -05:00
sinn3r 53b25c8c93 Fix header & author e-mail format 2014-03-24 21:15:27 -05:00
Brandon Perry d2a9a26bc8 real fix for sinn3r bug 2014-03-24 18:40:48 -05:00
Brandon Perry ec35f4b13f some bugs for sinn3r 2014-03-24 18:17:50 -05:00
Tod Beardsley cfdd64d5b1
Title, description grammar and spelling 2014-03-24 12:16:59 -05:00
Brandon Perry d6f397ab6d whoops that isn't how you EDB 2014-03-22 11:48:41 -05:00
Brandon Perry 291692d6e0 Update lifesize_uvc_ping_rce.rb 2014-03-22 11:30:00 -05:00
Brandon Perry 67a3a7227b Create lifesize_uvc_ping_rce.rb 2014-03-21 21:33:12 -05:00
jvazquez-r7 144b86fee3 Add reference 2014-03-19 12:17:53 -05:00
jvazquez-r7 27d142b387 Solve conflict by keeping file 2014-03-19 12:15:05 -05:00
jvazquez-r7 fb645b6692 Clean code 2014-03-19 12:06:20 -05:00
jvazquez-r7 38176ad67d
Land #3109, @xistence's Loadbalancer.org Enterprise VA appliance exploit 2014-03-18 06:53:26 -05:00
jvazquez-r7 ddd923793a Do minor clean up 2014-03-18 06:52:50 -05:00
jvazquez-r7 ad49df4301 Register RHOST 2014-03-18 06:17:41 -05:00
jvazquez-r7 600338bd29
Land #3108, @xistence's exploit for Quantum vmPRO shell-escape 2014-03-18 06:12:18 -05:00
jvazquez-r7 f656e5fedb Do minor clean up 2014-03-18 06:11:02 -05:00
xistence 9bb4e5cfc3 Loadbalancer.org Enterprise VA SSH privkey exposure 2014-03-17 14:22:51 +07:00
xistence c116697c70 Quantum vmPRO backdoor command 2014-03-17 14:19:27 +07:00
xistence ef4a019b20 Quantum DXi V1000 SSH private key exposure 2014-03-17 14:15:00 +07:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
James Lee d1ea74c5fa
Make the password hash stand out as more important 2014-03-04 15:08:47 -06:00
James Lee 9a403bf630 Also extract admin hash if password auth failed 2014-03-04 14:55:47 -06:00
James Lee 423477bc52 auth_succeeded? is a better name for this method 2014-03-04 14:55:47 -06:00
James Lee 917b09086b Pull the copy-pasted verification into a method 2014-03-04 14:55:47 -06:00
James Lee 4cfda88bad Pull the copy-pasted sqli into a method 2014-03-04 14:55:47 -06:00
James Lee 68205fa43c
Actually use the argument 2014-03-04 11:30:42 -06:00
Michael Messner 15345da9d8 remove the wget module, remove the cmd stuff, testing bind stuff ahead 2014-02-28 22:44:26 +01:00
Michael Messner 2935f4f562 CMD target 2014-02-24 18:12:23 +01:00
Michael Messner 0126e3fcc8 cleanup 2014-02-23 21:17:32 +01:00
Michael Messner dbbd080fc1 a first try of the cmd stager, wget in a separated module included 2014-02-23 20:59:17 +01:00
Michael Messner 3a8de6e124 replaced rhost by peer 2014-02-18 21:01:50 +01:00
Michael Messner 66e2148197 linksys themoon command execution exploit 2014-02-18 19:43:47 +01:00
Michael Messner 4dda7e6bad linksys themoon command execution exploit 2014-02-18 19:42:50 +01:00