MrXors
f345414832
Added correct spelling in info
2013-10-15 10:13:18 -07:00
jvazquez-r7
0b9cf24103
Convert vss_persistence to Local Exploit
2013-10-15 11:11:04 -05:00
William Vu
31dc7c0c08
Land #2522 , @todb-r7's pre-release module fixes
2013-10-14 15:37:23 -05:00
Tod Beardsley
63e40f9fba
Release time fixes to modules
...
* Period at the end of a description.
* Methods shouldn't be meth_name! unless the method is destructive.
* "Setup" is a noun, "set up" is a verb.
* Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
sinn3r
15e8c3bcd6
[FixRM #8470 ] - can't convert nil into String
...
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.
[FixRM #8470 ]
2013-10-14 14:10:08 -05:00
jvazquez-r7
75aaded842
Land #2471 , @pyoor's exploit for CVE-2013-5743
2013-10-14 14:03:28 -05:00
jvazquez-r7
a6f17c3ba0
Clean zabbix_sqli
2013-10-14 14:01:58 -05:00
William Vu
eab90e1a2e
Land #2491 , missing platform info update
2013-10-14 10:38:25 -05:00
root
de156dc8da
new exploit module for CVE-2008-2286, Altiris DS
2013-10-13 22:39:49 -04:00
sinn3r
74f37c58b2
Land #2514 - Update CVE reference for Joomla
2013-10-13 12:58:23 -05:00
joev
e2a9339592
Add CVE to joomla media upload module.
2013-10-12 21:20:11 -05:00
joev
ea9235c506
Better whitespace.
2013-10-12 20:53:16 -05:00
joev
78b29b5f20
Bring osx persistence module to the finish line.
2013-10-12 20:50:53 -05:00
jvazquez-r7
3dbdc9f848
Land #2510 , @wchen-r7's exploit for cve-2013-3897
2013-10-12 20:06:41 -05:00
sinn3r
9725918be8
Remove junk variables/params
2013-10-12 18:51:57 -05:00
sinn3r
2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow
2013-10-12 16:55:48 -05:00
joev
5a1b099570
Make osx persistence a local exploit.
2013-10-12 16:47:35 -05:00
sinn3r
bc317760dc
Make the GET params a little bit harder to read.
2013-10-12 16:37:49 -05:00
jvazquez-r7
172c6b9b8f
Escape dots on regexs
2013-10-12 16:15:10 -05:00
joev
4fe407d7ee
Move osx persistence to a local exploit.
2013-10-12 16:08:22 -05:00
sinn3r
b139757021
Correct a typo in description
2013-10-12 13:24:36 -05:00
sinn3r
79c612cd67
Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
...
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.
This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange". During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Joe Barrett
d929bdfaab
Re-fixing 8419, consistency is important.
2013-10-12 08:09:19 -04:00
James Lee
dfe74ce36c
Factorize sock_sendpage
2013-10-11 13:40:01 -05:00
jvazquez-r7
0b93996b05
Clean and add Automatic target
2013-10-11 13:19:10 -05:00
pyoor
171b70fa7c
Zabbix v2.0.8 SQLi and RCE Module
...
Conflicts:
modules/exploits/linux/http/zabbix_sqli.rb
Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
James Lee
b9b2c82023
Add some entropy
...
* Random filename
* Stop shipping debug strings to the exploit executable
Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Meatballs
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
bcoles
276ea22db3
Add VMware Hyperic HQ Groovy Script-Console Java Execution
2013-10-11 05:07:23 +10:30
Meatballs
a843722ae3
Concurrent printing of the output no longer makes sense...
2013-10-10 19:01:19 +01:00
Meatballs
536c3c7b92
Use multi railgun call for a large performance increase.
2013-10-10 19:01:14 +01:00
William Vu
9b96351ba2
Land #2494 , OSVDB ref for flashchat_upload_exec
2013-10-10 12:58:55 -05:00
jvazquez-r7
f10078088c
Add module for ZDI-13-130
2013-10-10 10:06:17 -05:00
James Lee
947925e3a3
Use a proper main signature with arguments
...
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
James Lee
c251596f0b
Fix some bugs in preparation for factorizing
...
* Stop removing \x0a characters with String#scan, which of course breaks
the shellcode
* Fork so the original session continues to work
2013-10-09 16:03:40 -05:00
jvazquez-r7
e3014a1e91
Fix ZDI Reference
2013-10-09 14:56:42 -05:00
jvazquez-r7
4fd599b7e0
Land #2483 , @wchen-r7's patch for [SeeRM #8458 ]
2013-10-09 14:32:26 -05:00
jvazquez-r7
52574b09cb
Add OSVDB reference
2013-10-09 14:13:45 -05:00
sinn3r
1e3b84d39b
Update ie_cgenericelement_uaf
2013-10-09 13:40:48 -05:00
Winterspite
0acb170ee8
Bug #8419 - Added platform info missing on exploits
2013-10-08 22:41:50 -04:00
sinn3r
199bd20b95
Update CVE-2013-3893's Microsoft reference
...
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
Tod Beardsley
8b9ac746db
Land #2481 , deprecate linksys cmd exec module
2013-10-07 20:44:04 -05:00
sinn3r
f7f6abc1dd
Land #2479 - Add Joev to the wolfpack
2013-10-07 15:30:23 -05:00
sinn3r
f4000d35ba
Use RopDb for ms13_069
...
Target tested
2013-10-07 15:24:01 -05:00
sinn3r
7222e3ca49
Use RopDb for ms13_055_canchor.
...
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r
67228bace8
Use RopDb for ie_cgenericelement_uaf.
...
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
Rob Fuller
aed2490536
add some output and fixing
2013-10-07 15:42:41 -04:00
Rob Fuller
75d2abc8c2
integrate some ask functionality into bypassuac
2013-10-07 15:14:54 -04:00
joev
4ba001d6dd
Put my short name to prevent conflicts.
2013-10-07 14:10:47 -05:00
joev
ec6516d87c
Deprecate misnamed module.
...
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
sinn3r
aea63130a4
Use RopDb for ie_cbutton_uaf.
...
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley
219bef41a7
Decaps Siemens (consistent with other modules)
2013-10-07 13:12:32 -05:00
Tod Beardsley
4266b88a20
Move author name to just 'joev'
...
[See #2476 ]
2013-10-07 12:50:04 -05:00
sinn3r
e016c9a62f
Use RopDb msvcrt ROP chain. Tested all targets.
2013-10-07 12:27:43 -05:00
trustedsec
0799766faa
Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
...
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:
Here is prior to the change on a fully patched Windows 8 machine:
msf exploit(bypassuac) > exploit
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) >
Here's the module when running with the most recent changes that are being proposed:
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400
meterpreter >
With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7
24efb55ba9
Clean flashchat_upload_exec
2013-10-05 14:50:51 -05:00
bcoles
08243b277a
Add FlashChat Arbitrary File Upload exploit module
2013-10-05 22:30:38 +09:30
sinn3r
a8de9d5c8b
Land #2459 - Add HP LoadRunner magentproc.exe Overflow
2013-10-04 19:45:44 -05:00
jvazquez-r7
113f89e40f
First set of fixes for gestioip_exec
2013-10-04 13:29:27 -05:00
jvazquez-r7
299dfe73f1
Land #2460 , @xistence's exploit for clipbucket
2013-10-04 12:26:30 -05:00
jvazquez-r7
8e0a4e08a2
Fix author order
2013-10-04 12:25:38 -05:00
James Lee
68ee692c19
Standardize prints, clean up whitespace/warnings
2013-10-04 11:58:21 -05:00
Tod Beardsley
9b79bb99e0
Add references, correct disclosure date
2013-10-04 09:59:26 -05:00
Tod Beardsley
ab786d1466
Imply authentication when a password is set
2013-10-04 09:54:04 -05:00
Brandon Perry
0112d6253c
add gestio ip module
2013-10-04 06:39:30 -07:00
xistence
81d4a8b8c1
added clipbucket_upload_exec RCE
2013-10-04 11:43:38 +07:00
jvazquez-r7
646429b4dd
Put ready to pull request
2013-10-03 22:15:17 -05:00
jvazquez-r7
5971fe87f5
Improve reliability
2013-10-03 17:19:53 -05:00
jvazquez-r7
39eb20e33a
Add module for ZDI-13-169
2013-10-03 16:52:20 -05:00
sinn3r
c87e7b3cc1
Land #2451 - Don't overwrite default timeout on get_once
2013-10-03 15:44:40 -05:00
Tod Beardsley
539a22a49e
Typo on Microsoft
2013-10-03 12:20:47 -05:00
Tod Beardsley
fcba424308
Kill off EOL spaces on astium_sqli_upload.
2013-10-03 11:01:27 -05:00
jvazquez-r7
77d0236b4e
Don't overwrite defaul timeout
2013-10-02 16:15:14 -05:00
Meatballs
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r
23b0c3b723
Add Metasploit blog references
...
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r
932ed0a939
Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln
2013-10-01 20:35:17 -05:00
jvazquez-r7
ed82be6fd8
Use RopDB
2013-10-01 13:23:09 -05:00
jvazquez-r7
6483c5526a
Add module for OSVDB 93696
2013-10-01 11:42:36 -05:00
sinn3r
9abf727fa6
Land #2439 - Update description
2013-09-30 16:03:15 -05:00
sinn3r
7118f7dc4c
Land #2422 - rm methods peer & rport
...
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Brandon Turner
3cfee5a7c0
Land #2440 , remaining tabassassin changes
2013-09-30 14:30:50 -05:00
jvazquez-r7
6c8f86883d
Land #2437 , @wchen-r7's exploit for CVE-2013-3893
2013-09-30 14:02:29 -05:00
Tab Assassin
2e8d19edcf
Retab all the things (except external/)
2013-09-30 13:47:53 -05:00
Tod Beardsley
4dc88cf60f
Expand descriptions for ease of use.
2013-09-30 13:30:31 -05:00
sinn3r
c82ed33a95
Forgot Math.cos()
2013-09-30 13:29:16 -05:00
sinn3r
d6cd0e5c67
Tweak for office 2007 setup
2013-09-30 13:27:59 -05:00
sinn3r
ecf4e923e8
Change the target address for spray 1
2013-09-30 11:57:59 -05:00
sinn3r
b9aae1c93c
Higher address seems better
2013-09-29 18:45:30 -05:00
sinn3r
a5ade93ab2
Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
...
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.
The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).
To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs
b306415ecf
Tidy and updates to info
2013-09-29 17:32:39 +01:00
Meatballs
29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
...
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs
8b800cf5de
Merge and resolve conflicts
2013-09-27 18:19:23 +01:00
jvazquez-r7
58600b6475
Land #2423 , @TecR0c's exploit for OSVDB 96517
2013-09-27 09:48:52 -05:00
jvazquez-r7
6381bbfd39
Clean up freeftpd_pass
2013-09-27 09:47:39 -05:00
TecR0c
b02a2b9ce0
Added crash info and basic tidy up
2013-09-27 17:05:42 +10:00
TecR0c
7dbc3f4f87
changed seh address to work on freeFTPd 1.0.10 and below
2013-09-27 12:37:52 +10:00
TecR0c
5fc98481a7
changed seh address to work on freeFTPd 1.0.10 and below
2013-09-27 12:35:03 +10:00
TecR0c
a6e1bc61ec
updated version in exploit freeFTPd 1.0.10
2013-09-27 11:27:51 +10:00
TecR0c
3a3f1c0d05
updated requested comments for freeFTPd 1.0.10
2013-09-27 11:13:28 +10:00
Meatballs
3d812742f1
Merge upstream master
2013-09-26 21:27:44 +01:00
Meatballs
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
jvazquez-r7
813bd2c9a5
Land #2379 , @xistence's exploit for OSVDB 88860
2013-09-26 13:52:15 -05:00
Meatballs
a25833e4d7
Fix %TEMP% path
2013-09-26 19:22:36 +01:00
William Vu
acb2a3490c
Land #2419 , nodejs_js_yaml_load_code_exec info
2013-09-26 12:55:48 -05:00
jvazquez-r7
b618c40ceb
Fix English
2013-09-26 09:00:41 -05:00
TecR0c
0339c3ef48
added freeFTPd 1.0.10 (PASS Command)
2013-09-26 20:37:23 +10:00
xistence
c2ff5accee
stability fixes to astium_sqli_upload
2013-09-26 10:23:33 +07:00
FireFart
84ec2cbf11
remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient
2013-09-25 23:42:44 +02:00
jvazquez-r7
58d4096e0f
Resolv conflicts on #2267
2013-09-25 13:06:14 -05:00
jvazquez-r7
ff610dc752
Add vulnerability discoverer as author
2013-09-25 12:45:54 -05:00
jvazquez-r7
5c88ad41a8
Beautify nodejs_js_yaml_load_code_exec metadata
2013-09-25 12:44:34 -05:00
joev
99e46d2cdb
Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
...
Conflicts:
modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
Tod Beardsley
d91cb85a31
Not actually a typo
...
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley
ac1388368f
Typo in module name
2013-09-24 15:50:58 -05:00
jvazquez-r7
a50ab1ddd3
Land #2409 , @xistence exploit for ZeroShell
2013-09-24 15:32:55 -05:00
jvazquez-r7
6c2063c9c0
Do not get a session on every execute_command call
2013-09-24 15:31:40 -05:00
jvazquez-r7
79ca123051
Use snake_case
2013-09-24 15:16:51 -05:00
jvazquez-r7
34b84395c1
Fix References field
2013-09-24 15:16:02 -05:00
Tod Beardsley
93486a627d
Whoops on trailing commas
2013-09-24 15:14:11 -05:00
jvazquez-r7
adfacfbed1
Do not fail_with on method used from check
2013-09-24 15:08:48 -05:00
jvazquez-r7
4b6a646899
Fix typo
2013-09-24 15:06:35 -05:00
jvazquez-r7
f5cac304f4
Use default send_request_cgi timeout
2013-09-24 15:05:24 -05:00
William Vu
52a92a55ce
Land #2394 , ms13_005_hwnd_broadcast require fix
2013-09-24 13:43:21 -05:00
jvazquez-r7
ce4cf55d22
Land #2417 , @todb-r7's change to Platform field to make ruby style compliant
2013-09-24 13:30:48 -05:00
William Vu
89222f4b16
Land #2416 , OSVDB refs for arkeia_upload_exec
2013-09-24 13:22:24 -05:00
Tod Beardsley
3906d4a2ca
Fix caps that throw msftidy warnings
2013-09-24 13:03:16 -05:00
Tod Beardsley
c547e84fa7
Prefer Ruby style for single word collections
...
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley
081c279b61
Remove misleading comment
2013-09-24 11:42:31 -05:00
jvazquez-r7
d15f442e56
Add OSVDB references to arkeia_upload_exec
2013-09-24 08:48:28 -05:00
xistence
8b9adf6886
changes made to zeroshell_exec according to suggestions
2013-09-24 08:35:07 +07:00
Tod Beardsley
8db1a389eb
Land #2304 fix post module require order
...
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley
2656c63459
Knock out a Unicode character
2013-09-23 14:22:11 -05:00
Tod Beardsley
99f145cbff
Don't split the post requires
2013-09-23 14:02:43 -05:00
Tod Beardsley
4bff8f2cdc
Update descriptions for clarity.
2013-09-23 13:48:23 -05:00
William Vu
a46ac7533d
Land #2407 , require fix for current_user_psexec
2013-09-23 11:57:19 -05:00
jvazquez-r7
1fc849bdd5
Land #2188 , @m-1-k-3's module for OSVDB 90221
2013-09-23 11:44:43 -05:00
jvazquez-r7
71d74655f9
Modify description
2013-09-23 11:44:04 -05:00
xistence
6429219a1d
added ZeroShell RC2 RCE
2013-09-22 15:13:55 +07:00
jvazquez-r7
8417b916c7
Complete MS13-071 Information
2013-09-21 21:22:34 -05:00
darknight007
6b06ed0df1
Update current_user_psexec.rb
2013-09-22 03:07:17 +05:00
Joe Vennix
a08d195308
Add Node.js as a platform.
...
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
Joe Vennix
49f15fbea4
Removes PayloadType from exploit module.
2013-09-20 18:01:55 -05:00
sinn3r
8381bf8646
Land #2404 - Add powershell support for current_user_psexec
2013-09-20 17:14:55 -05:00
sinn3r
96364c78f8
Need to catch RequestError too
...
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
jvazquez-r7
59a201a8d3
Land #2334 , @tkrpata and @jvennix-r7's patch for sudo_password_bypass
2013-09-20 17:01:19 -05:00
jvazquez-r7
fb8d0dc887
Write the return
2013-09-20 17:00:07 -05:00
Meatballs
6e69fe48bf
Undo psexec changes
2013-09-20 22:30:00 +01:00
Meatballs
2591be503b
Psh support
2013-09-20 22:07:42 +01:00
Meatballs
15885e4ef6
Change static x value
2013-09-20 20:31:14 +01:00
Meatballs
ee365a6b64
Some liberal sleeping
2013-09-20 19:33:27 +01:00
jvazquez-r7
29649b9a04
Land #2388 , @dummys's exploit for CVE-2013-5696
2013-09-20 13:03:01 -05:00
jvazquez-r7
8922d0fc7f
Fix small bugs on glpi_install_rce
2013-09-20 13:01:41 -05:00
jvazquez-r7
b24ae6e80c
Clean glpi_install_rce
2013-09-20 12:58:23 -05:00
Meatballs
7d1c5c732a
Correct powershell
2013-09-20 18:36:24 +01:00
sinn3r
bb7b57cad9
Land #2370 - PCMAN FTP Server post-auth stack buffer overflow
2013-09-20 12:29:10 -05:00
sinn3r
feb76ea767
Modify check
...
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
sinn3r
2d6c76d0ad
Rename pcman module
...
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
sinn3r
6690e35761
Account for username length
...
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
sinn3r
9d67cbb4db
Retabbed
2013-09-20 11:58:53 -05:00
Meatballs
9819566d94
Nearly
2013-09-20 17:18:14 +01:00
sinn3r
85152c4281
Land #2400 - Add OSVDB reference for openemr_sqli_privesc_upload
2013-09-20 10:39:06 -05:00
jvazquez-r7
6f5e528699
Remove author, all the credits go to corelanc0der and sinn3r
2013-09-20 10:27:37 -05:00
sinn3r
83f54d71ea
Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
...
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.
The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure. The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one. Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
jvazquez-r7
bad6f2279d
Add OSVDB reference for openemr_sqli_privesc_upload
2013-09-20 09:41:23 -05:00
Meatballs
a00f3d8b8e
initial
2013-09-20 13:40:28 +01:00
dummys
032b9115a0
removed the old exploit
2013-09-20 10:53:52 +02:00
dummys
187ab16467
many change in the code and replace at the correct place the module
2013-09-20 10:45:10 +02:00
Rick Flores (nanotechz9l)
7d17eef7a7
Updated several msftidy [WARNING] Spaces at EOL issues.
2013-09-19 20:35:08 -07:00
sinn3r
955365d605
Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability
2013-09-19 22:21:09 -05:00
sinn3r
0eb838156b
Land #2390 - Use payload.encoded because BadChars are defined
2013-09-19 22:10:55 -05:00
sinn3r
9598853fee
Land #2389 - Fix use of Rex sockets from dlink modules
2013-09-19 22:09:53 -05:00
sinn3r
8d70a9d893
Add more refs
2013-09-19 22:05:23 -05:00
Joe Vennix
137b3bc6ea
Fix whitespace issues.
2013-09-19 17:29:11 -05:00
Joe Vennix
bd96c6c093
Adds module for CVE-2013-3568.
2013-09-19 17:26:30 -05:00
jvazquez-r7
46a241b168
Fix my own cleanup
2013-09-19 14:51:22 -05:00
dummys
08c7b49be0
corrected too much if
2013-09-19 21:47:01 +02:00
jvazquez-r7
31903be393
Land #2380 , @xistence exploit for EDB 28329
2013-09-19 14:42:27 -05:00
jvazquez-r7
cb737525b1
Final cleanup for openemr_sqli_privesc_upload
2013-09-19 14:40:57 -05:00
jvazquez-r7
76e170513d
Do first clean on openemr_sqli_privesc_upload
2013-09-19 14:36:25 -05:00
jvazquez-r7
cf0375f7e6
Fix check return value
2013-09-19 14:17:45 -05:00
dummys
862a8fb8aa
corrected indentation bug again
2013-09-19 20:27:23 +02:00
jvazquez-r7
9b486e1dbb
Add comment about the smb_* methods
2013-09-19 13:23:46 -05:00
dummys
ce8e94b5fe
corrected indentation bug
2013-09-19 20:14:07 +02:00
jvazquez-r7
bf0f4a523f
Land #2381 , @xistence exploit for EDB 28330
2013-09-19 13:06:41 -05:00
jvazquez-r7
c63423ad69
Update code comment
2013-09-19 13:03:55 -05:00
jvazquez-r7
6073e6f2dc
Fix use of normalize_uri
2013-09-19 12:59:37 -05:00
jvazquez-r7
b4fa535f2b
Fix usage of fail_with
2013-09-19 12:45:29 -05:00
jvazquez-r7
1aba7550f9
Fix check indentation
2013-09-19 12:44:11 -05:00
jvazquez-r7
1f7c3d82c1
Refactor easy methods
2013-09-19 12:42:38 -05:00
jvazquez-r7
891a54aad7
Fix metadata
2013-09-19 12:41:13 -05:00
jvazquez-r7
1a00cce8a9
Clean up
2013-09-19 11:51:07 -05:00
William Vu
628cfe8e67
Land #2393 , tape_engine_8A filename disambiguation
2013-09-19 10:31:40 -05:00
Tod Beardsley
ef72b30074
Include the post requires until #2354 lands
...
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
Tod Beardsley
fb72e7f02a
Disambiguate tape_engine_8A as tape_engine_0x8a
...
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
2013-09-19 09:35:31 -05:00
Rick Flores (nanotechz9l)
058e0fdd80
Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll
2013-09-19 07:21:51 -07:00
dummys
f9617e351d
corrected Integer()
2013-09-19 16:04:20 +02:00
jvazquez-r7
926ddf35bc
Fix possible collisions on binding port and handle rex socket
2013-09-19 08:23:25 -05:00
James Lee
8fe9132159
Land #2358 , deprecate funny names
2013-09-18 14:55:33 -05:00
Rick Flores (nanotechz9l)
766e96510d
Added minor indentation updates
2013-09-18 12:12:35 -07:00
jvazquez-r7
60d448f600
Add minor cleanup
2013-09-18 14:10:13 -05:00
Rick Flores (nanotechz9l)
db8881966e
Merge remote-tracking branch 'upstream/master'
2013-09-18 12:02:01 -07:00
jvazquez-r7
68647c7363
Add module for MS13-071
2013-09-18 13:40:35 -05:00
jvazquez-r7
accad24f31
Use payload.encoded because BadChars are defined
2013-09-18 13:03:35 -05:00
jvazquez-r7
61ab0e245c
Add Context to rex sockets plus track them with add_socket
2013-09-18 12:39:08 -05:00
jvazquez-r7
1988085a94
Fix possible port conflict
2013-09-18 12:24:36 -05:00
Tod Beardsley
8728a9a3b7
Bumping out deprecation date
...
Pray I don't alter the deprecation date further.
2013-09-18 11:00:35 -05:00
dummys
bc57c9c6ec
corrected some codes requested by Meatballs
2013-09-18 17:55:36 +02:00
dummys
3366c3aa77
CVE-2013-5696 RCE for GLPI
2013-09-18 16:11:32 +02:00
xistence
adc1bd9c65
changes made to astium_sqli_upload based on suggestions
2013-09-18 16:52:31 +07:00
xistence
65ee8c7d5c
changed openemr_sqli_privesc_upload according to suggestions
2013-09-18 12:38:20 +07:00
Rick Flores (nanotechz9l)
6cbe371381
minor change
2013-09-17 20:33:46 -07:00
xistence
d6a1182bd4
changes to arkeia_upload_exec to comply with r7 suggestions #2
2013-09-18 08:24:40 +07:00
xistence
24a671b530
changes to arkeia_upload_exec to comply with r7 suggestions
2013-09-18 08:10:58 +07:00
Rick Flores (nanotechz9l)
0052f9712b
Updated hard tabs per new requirement
2013-09-17 17:42:01 -07:00
James Lee
9a555d8701
Fix the modules added since the branch
2013-09-17 18:25:12 -05:00
James Lee
150f0f644e
Merge branch 'rapid7' into bug/osx-mods-load-order
...
Conflicts:
modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
xistence
82aa3f97b0
added Astium confweb 25399 RCE
2013-09-17 12:32:10 +07:00
Joe Vennix
5fc724bced
Kill explanatory comment.
2013-09-16 21:34:38 -05:00
Joe Vennix
2c47e56d90
Adds module for yaml code exec.
2013-09-16 21:33:57 -05:00
Rick Flores (nanotechz9l)
52a1b5fa57
updated pcman_stor_msf.rb module with community feedback.
2013-09-16 17:43:10 -07:00
Rick Flores (nanotechz9l)
226a75b5da
updated pcman_stor_msf.rb module with community feedback.
2013-09-16 17:37:29 -07:00
Tod Beardsley
b4b7cecaf4
Various minor desc fixes, also killed some tabs.
2013-09-16 15:50:00 -05:00
Tod Beardsley
f89af79223
Correct OSVDB for sophos sblistpack exploit
2013-09-16 15:41:50 -05:00
Rick Flores (nanotechz9l)
d4f2e72b9c
updated module to include msftidy.rb
2013-09-16 12:46:13 -07:00
Rick Flores (nanotechz9l)
82e3910959
added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
2013-09-16 12:40:36 -07:00
Rick Flores (nanotechz9l)
92cf886e49
updated module to include msftidy.rb
2013-09-16 12:38:00 -07:00
Rick Flores
4c83336944
Delete pcman_stor_msf.rb
...
delete because of commit issues.
2013-09-16 12:25:39 -07:00
Joe Vennix
e1e1cab797
Module gets me a shell, yay
2013-09-16 13:37:16 -05:00
Rick Flores (nanotechz9l)
f657f4d145
added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
2013-09-16 09:57:27 -07:00
jvazquez-r7
c18c41d8ea
Don't hidde exceptions
2013-09-16 09:26:13 -05:00
jvazquez-r7
86e5163cad
Fix Indentation and cleanup
2013-09-16 09:19:26 -05:00
jvazquez-r7
62cf9cb07c
Retab changes for PR #2188
2013-09-16 09:09:16 -05:00
jvazquez-r7
842dba20b9
Merge for retab
2013-09-16 09:08:36 -05:00
xistence
af873b7349
added OpenEMR 4.1.1 Patch 14 SQLi Privesc Upload RCE
2013-09-16 16:19:35 +07:00
xistence
b2b629f932
added WD Arkeia Appliance RCE
2013-09-16 14:38:50 +07:00
sinn3r
67cd62f306
Land #2366 - HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload
2013-09-16 01:44:23 -05:00
jvazquez-r7
54e9cd81f3
Add module for ZDI-13-226
2013-09-13 17:31:51 -05:00
jvazquez-r7
10303a8c2a
Delete debug print_status
2013-09-13 17:05:23 -05:00
jvazquez-r7
dca4351303
Add check function
2013-09-13 16:51:14 -05:00
jvazquez-r7
f7c4e081bb
Add module for ZDI-13-225
2013-09-13 16:40:28 -05:00
Tod Beardsley
b2ba4b445f
Land #2362 , update description
2013-09-13 12:56:04 -05:00
sinn3r
4847976995
Update information about original discovery
...
Update info about original discovoery. See #2337 too.
2013-09-13 10:42:11 -05:00
jvazquez-r7
c665f41cd6
Fix description
2013-09-13 09:09:14 -05:00
Tod Beardsley
76f27ecde8
Require the deprecation mixin in all modules
...
Because rememberin to require it, and hoping against a race is not how we
roll any more.
2013-09-12 15:49:33 -05:00
Tod Beardsley
761042f14b
require the deprecated mixin
2013-09-12 15:42:01 -05:00
Tod Beardsley
968f299772
Deprecate A-PDF exploit for filename change
...
See PT 56796034
See PT 56795804
2013-09-12 15:30:26 -05:00
sinn3r
ac90cd1263
Land #2248 - Fix dlink upnp exec noauth
2013-09-12 15:10:20 -05:00
James Lee
58b634dd27
Remove unnecessary requires from post mods
2013-09-12 14:36:01 -05:00
sinn3r
34383661cb
Land #2351 - Agnitum Outpost Internet Security Local Privilege Escalation
2013-09-12 14:21:05 -05:00
sinn3r
5aa6a0dd6b
Land #2346 - Sophos Web Protection Appliance sblistpack Arbitrary Command Execution
2013-09-12 14:19:02 -05:00
sinn3r
f42e6e8bca
Land #2345 - Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation
2013-09-12 14:17:24 -05:00
sinn3r
8db66aeb98
Yes, clearly it is.
2013-09-12 14:16:34 -05:00
sinn3r
d781f447db
Merge branch 'pr2345' into upstream-master
2013-09-12 14:15:18 -05:00
Tod Beardsley
d47de46d94
Deprecate brightstor/tape_engine_8A
...
This module is getting renamed to 8a, instead of 8A.
2013-09-12 13:59:44 -05:00
jvazquez-r7
9ad1be7318
Make junk easier
2013-09-11 09:33:01 -05:00
jvazquez-r7
825eb9d1ca
Add module for OSVDB 96208
2013-09-11 00:11:00 -05:00
jvazquez-r7
4f1db80c24
Fix requires in new post modules
2013-09-10 11:13:07 -05:00
jvazquez-r7
bf40dc02ce
Add module for CVE-2013-4984
2013-09-09 23:27:24 -05:00
jvazquez-r7
c3ff9a03d8
Add module for CVE-2013-4983
2013-09-09 23:26:10 -05:00
Tod Beardsley
aff35a615b
Grammar fixes in descriptions
2013-09-09 15:09:53 -05:00
jvazquez-r7
791b6f69c2
Land #2337 , @wchen-r7's exploit for MS13-055
2013-09-09 11:12:03 -05:00
sinn3r
0ee0168556
Retabbed
...
One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
2013-09-09 10:01:01 -05:00
sinn3r
6ab905e9e0
Less alignment
2013-09-09 09:39:02 -05:00
sinn3r
992bdcf530
Not from the future
2013-09-09 00:36:28 -05:00
sinn3r
c3db41334b
Add MS13-055 Internet Explorer Use-After-Free Vulnerability
...
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results a crash. An attacker can take advantage of this by first creating an
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.
This bug is specific to Internet Explorer 8 only. It was originally discovered by
Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
no CVE as of now.
2013-09-08 20:02:23 -05:00
Joe Vennix
3da9c4a685
Cleans up timeouts, wait before dropping payload, actually call #cleanup#super to kill the dropped file
2013-09-06 13:05:17 -05:00
Tyler Krpata
2aed293d9a
Handle locked date and time preference pane
...
If the date and time preference pane is locked, effects are:
1. systemsetup takes 30 seconds to return
added a 30-second timeout to cmd_exec
2. Unable to change system date and time settings
added additional check to see if date change was successful
2013-09-06 10:17:09 -04:00
jvazquez-r7
7d4bf0c739
Retab changes for PR #2327
2013-09-05 23:25:41 -05:00
jvazquez-r7
34b499588b
Merge for retab
2013-09-05 23:24:22 -05:00
Meatballs
473f08bbb6
Register cleanup and update check
2013-09-05 22:43:26 +01:00
Meatballs
400b433267
Sort out exception handling
2013-09-05 22:21:44 +01:00
Tyler Krpata
07060e4e69
Add return in check
2013-09-05 16:57:47 -04:00
Meatballs
d4043a6646
Spaces and change to filedropper
2013-09-05 20:41:37 +01:00
Meatballs
c5daf939d1
Stabs tabassassin
2013-09-05 20:36:52 +01:00
Tab Assassin
f780a41f87
Retab changes for PR #2248
2013-09-05 14:12:24 -05:00
Tab Assassin
554d1868ce
Merge for retab
2013-09-05 14:12:18 -05:00
Tab Assassin
f5a4c05dbc
Retab changes for PR #2267
2013-09-05 14:11:03 -05:00
Tab Assassin
4703a10b64
Merge for retab
2013-09-05 14:10:58 -05:00
Tab Assassin
d0360733d7
Retab changes for PR #2282
2013-09-05 14:05:34 -05:00
Tab Assassin
49dface180
Merge for retab
2013-09-05 14:05:28 -05:00
Meatballs
9787bb80e7
Address @jlee-r7's feedback
2013-09-05 19:57:05 +01:00
jvazquez-r7
206b52ea30
Land #2325 , @jlee-r7's Linux PrependFork addition
2013-09-05 13:50:59 -05:00
Tab Assassin
845bf7146b
Retab changes for PR #2304
2013-09-05 13:41:25 -05:00
Tab Assassin
adf9ff356c
Merge for retab
2013-09-05 13:41:23 -05:00
jvazquez-r7
86ceadc53d
Fix target description
2013-09-05 13:37:01 -05:00
jvazquez-r7
d43326d0f4
Check 302 while checking too
2013-09-05 13:36:35 -05:00
jvazquez-r7
ab83a12354
Check 302 on anonymous access too
2013-09-05 13:35:52 -05:00
Tab Assassin
896bb129cd
Retab changes for PR #2325
2013-09-05 13:24:09 -05:00
Tab Assassin
5ff25d8b96
Merge for retab
2013-09-05 13:23:25 -05:00
Tab Assassin
c9c6f84668
Retab changes for PR #2328
2013-09-05 13:16:15 -05:00
Tab Assassin
9bdc274904
Merge for retab
2013-09-05 13:15:07 -05:00
James Lee
50c6f26329
Don't deregister PrependFork
2013-09-05 10:50:36 -05:00
jvazquez-r7
5c06a471f9
Get the call result
2013-09-05 08:33:35 -05:00
jvazquez-r7
3681955f68
Use Msf::Config.data_directory
2013-09-05 08:28:50 -05:00
jvazquez-r7
6b1d7545d6
Refactor, avoid duplicate code
2013-09-05 08:26:49 -05:00
jgor
84e4b42f6b
allow 302 redirects
2013-09-04 16:59:42 -05:00
jgor
66d5af5a11
remove dependency on tmpl=component
2013-09-04 16:58:49 -05:00
jvazquez-r7
b6245eea72
Update target info
2013-09-04 16:43:26 -05:00
jvazquez-r7
34b3ee5e17
Update ranking and description
2013-09-04 16:10:15 -05:00
jvazquez-r7
94125a434b
Add module for ZDI-13-205
2013-09-04 15:57:22 -05:00
James Lee
b913fcf1a7
Add a proper PrependFork for linux
...
Also fixes a typo bug for AppendExit
2013-09-04 00:15:07 -05:00
Meatballs
3066e7e19d
ReverseConnectRetries ftw
2013-09-04 00:16:19 +01:00
Meatballs
a8e77c56bd
Updates
2013-09-03 22:46:20 +01:00
Meatballs
ac0c493cf9
Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring
2013-09-03 21:33:11 +01:00
Tab Assassin
84aaf2334a
Retab new material
2013-09-03 11:47:26 -05:00
Tab Assassin
0c1e6546af
Update from master
2013-09-03 11:45:39 -05:00
Tod Beardsley
ca8dacb93b
Minor module description updates for grammar.
2013-09-03 10:31:45 -05:00
sinn3r
ac0b14e793
Add the missing CVE reference
...
Was looking at all the 2013 exploit modules for missing CVE references
2013-08-31 18:54:16 -05:00
sinn3r
0736677a01
Land #2299 - Add powershell support & removes ADODB.Stream requirement
2013-08-31 00:32:23 -05:00
sinn3r
c4aa557364
Land #2292 - Fix the way to get a session over a telnet connection
2013-08-31 00:29:25 -05:00
Tab Assassin
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
jvazquez-r7
5b32c63a42
Land #2308 , @wchen-r7's exploit for MS13-059
2013-08-30 10:59:36 -05:00
jvazquez-r7
ea8cd2dc46
Update authors list
2013-08-30 10:52:39 -05:00
sinn3r
a283f1d4fa
Correct module title
2013-08-30 10:50:35 -05:00
sinn3r
f4e09100bd
Correct file name
2013-08-30 10:50:05 -05:00
sinn3r
38dbab9dd0
Fix typos
2013-08-30 10:43:26 -05:00
sinn3r
7401f83d8e
Land #2305 - HP LoadRunner lrFileIOService ActiveX WriteFileString Bug
2013-08-30 03:23:47 -05:00
sinn3r
0a1b078bd8
Add CVE-2013-3184 (MS13-058) CFlatMarkupPointer Use After Free
...
Please see module description for more info.
2013-08-30 03:16:28 -05:00
jvazquez-r7
657be3a3d9
Fix typo
2013-08-29 14:42:59 -05:00
jvazquez-r7
4a6bf1da7f
Add module for ZDI-13-207
2013-08-29 14:09:45 -05:00
James Lee
63adde2429
Fix load order in posts, hopefully forever
2013-08-29 13:37:50 -05:00
Tod Beardsley
7b9314763c
Add the require boilerplate
...
Fixes a bug that sometimes comes up with load order on this module. I
know @jlee-r7 is working on a better overall solution but this should
solve for the short term.
Note, since the problem is practically machine-specific. @jlee-r7
suggested rm'ing all modules but the one under test. Doing that exposes
the bug, and I've verified this fix in that way.
2013-08-29 13:03:11 -05:00
Meatballs
a12f5092dd
Encode the powershell cmd
2013-08-28 22:37:11 +01:00
Meatballs
aa0563244b
Update unsafe scripting module
2013-08-28 22:30:46 +01:00
James Lee
feae4a41e7
I don't like end-of-line comments
2013-08-28 12:42:26 -05:00
sinn3r
57c7d0679a
Land #2295 - Add platform info
2013-08-28 10:38:50 -05:00
jvazquez-r7
26531dbaa7
Land #2100 , @ddouhine's exploit for OSVDB 83543
2013-08-28 08:55:59 -05:00
jvazquez-r7
ab572d7d72
Fix Authors metadata section
2013-08-28 08:53:48 -05:00
Vlatko Kosturjak
b702a0d353
Fix "A payload has not been selected."
...
Since platform definition is missing, exploitation fails.
2013-08-28 12:53:08 +02:00
jvazquez-r7
0bfc12ada1
Fix the way to get a session over a telnet connection
2013-08-27 11:38:49 -05:00
sinn3r
b0226cab79
Land #2290 - HP LoadRunner lrFileIOService ActiveX Vulnerability
2013-08-27 11:19:43 -05:00
sinn3r
2e4e3fdbe6
Land #2237 - Fix check function
2013-08-27 11:11:54 -05:00
jvazquez-r7
997c5e5516
Land #2291 , @todb-r7's patch for oracle_endeca_exec's requires
2013-08-27 11:01:21 -05:00
Tod Beardsley
15b741bb5f
Require the powershell mixin explicitly
2013-08-27 10:36:51 -05:00
jvazquez-r7
f59f57e148
Randomize object id
2013-08-27 10:35:06 -05:00
jvazquez-r7
66fa1b41aa
Fix logic to spray correctly IE9
2013-08-27 09:57:55 -05:00
g0tmi1k
7efe85dbd6
php_include - added @wchen-r7's code improvements
2013-08-27 14:00:13 +01:00
jvazquez-r7
93c46c4be5
Complete the Author metadata
2013-08-26 23:29:16 -05:00
jvazquez-r7
8efe2d9206
Land #2289 , @jlee-r7's exploit for CVE-2013-1662
2013-08-26 23:27:19 -05:00
jvazquez-r7
e1e889131b
Add references and comments
2013-08-26 23:26:13 -05:00
James Lee
63786f9e86
Add local exploit for taviso's vmware privesc
2013-08-26 21:06:40 -05:00
sinn3r
7a4d781538
Land #2274 - Firefox XMLSerializer Use After Free
2013-08-26 20:53:42 -05:00
violet
4cbdf38377
updated contact info
...
MASTER OF DISASTER
ULTRA LASER
:::::::-. :::::::.. :::::::-. ... ... . :
;;, `';,;;;;``;;;; ;;, `';, .;;;;;;;. .;;;;;;;. ;;,. ;;;
`[[ [[ [[[,/[[[' `[[ [[,[[ \[[,,[[ \[[,[[[[, ,[[[[,
$$, $$ $$$$$$c $$, $$$$$, $$$$$$, $$$$$$$$$$$"$$$
888_,o8P' 888b "88bo,d8b 888_,o8P'"888,_ _,88P"888,_ _,88P888 Y88" 888o
MMMMP"` MMMM "W" YMP MMMMP"` "YMMMMMP" "YMMMMMP" MMM M' "MMM
2013-08-26 16:14:49 -07:00
Tod Beardsley
6b15a079ea
Update for grammar in descriptions on new modules.
2013-08-26 14:52:51 -05:00
jvazquez-r7
252f48aeee
Land #2272 , @jvennix-r7's exploit for CVE-2013-1775
2013-08-26 13:21:58 -05:00
jvazquez-r7
0baaf989fb
Delete on_new_session cleanup, as discusses with @jlee-r7
2013-08-26 13:20:43 -05:00
Meatballs
05f1622fcb
Fix require
2013-08-26 16:21:18 +01:00
Meatballs
3b9ded5a8e
BypassUAC now checks if the process is LowIntegrityLevel
...
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
jvazquez-r7
f8d1d29648
Add module for ZDI-13-182
2013-08-25 23:07:08 -05:00
Christian Mehlmauer
45ad043102
moderated comments are now also working (even for unauthenticated users)
2013-08-25 11:02:15 +02:00
Christian Mehlmauer
035258389f
use feed first before trying to bruteforce
2013-08-25 10:16:43 +02:00
Joe Vennix
757886bece
Remove some extra wip files.
2013-08-24 14:52:52 -05:00
Joe Vennix
29320f5b7f
Fix vn refs. Add juan as an @author.
2013-08-24 13:07:35 -05:00
jvazquez-r7
5b812b0c22
Add references
2013-08-24 12:12:21 -05:00
jvazquez-r7
b4ad8c8867
Beautify module
2013-08-24 12:08:38 -05:00
Joe Vennix
0e116730a1
Polishing module. Tested on 10.8, 10.8.2, and 10.8.4.
2013-08-24 12:01:38 -05:00
Christian Mehlmauer
9af1341179
consistent naming
2013-08-24 18:51:07 +02:00
jvazquez-r7
b13d357000
Add ranking
2013-08-24 11:35:35 -05:00
jvazquez-r7
3ce23ffb49
Make a test before running the payload
2013-08-24 11:20:47 -05:00
jvazquez-r7
ab293d2ad9
Make msftidy happy
2013-08-24 10:51:19 -05:00
jvazquez-r7
82cf812311
Switch to PrependMigrate
2013-08-24 10:46:04 -05:00
jvazquez-r7
480794a9ab
Make small fixes
2013-08-24 10:40:08 -05:00
Christian Mehlmauer
9e4a760576
Update payload
2013-08-24 17:30:16 +02:00
jvazquez-r7
832fa8838b
Change the command to launch after background the payload job
2013-08-24 09:57:33 -05:00
jvazquez-r7
4532474309
Allow cleanup from the new session
2013-08-24 09:47:40 -05:00
Joe Vennix
3cdc6abec6
Clean up some code, get CMD working.
2013-08-23 20:19:21 -05:00
Joe Vennix
140d8ae42f
Need to set timezone first.
2013-08-23 20:09:18 -05:00
Joe Vennix
a4c2ba04f3
Pass cmd through /bin/sh to set default /Users/joe/.rvm/gems/ruby-1.9.3-p392@pro-dev/bin /Users/joe/.rvm/gems/ruby-1.9.3-p392@global/bin /Users/joe/.rvm/rubies/ruby-1.9.3-p392/bin /Users/joe/.rvm/bin /usr/local/sbin /usr/local/bin /usr/bin /bin /usr/sbin /sbin /usr/X11/bin /opt/bin /opt/X11/bin. CMD and native payloads now working.
2013-08-23 19:39:21 -05:00
jvazquez-r7
fc91380ebc
Add work code
2013-08-23 17:54:21 -05:00
Christian Mehlmauer
c40252e0b3
bugfixing
2013-08-24 00:04:16 +02:00
sinn3r
7b5e98d57e
Land #2269 - Oracle Endeca Server Remote Command Execution
2013-08-23 15:40:31 -05:00
Christian Mehlmauer
e9eb6b2427
simplification
2013-08-23 22:29:31 +02:00
Christian Mehlmauer
576ae50b73
more feedback implemented
2013-08-23 22:22:56 +02:00
jvazquez-r7
a5c9f8d670
Beautify targets metadata
2013-08-23 15:15:04 -05:00
jvazquez-r7
f3415f4147
Make msftidy compliant
2013-08-23 15:14:13 -05:00
jvazquez-r7
413474f417
Move module to the correct path
2013-08-23 15:08:25 -05:00
Christian Mehlmauer
de3fc1fa6c
first feedback implemented
2013-08-23 21:59:36 +02:00
jvazquez-r7
ad214da3de
Switch to powershell to exec payload
2013-08-23 14:39:29 -05:00
jvazquez-r7
a45f49e3b7
Use a new Ranking
2013-08-23 08:49:58 -05:00
jvazquez-r7
ff6ad30be0
Add module for ZDI-13-006
2013-08-22 18:15:35 -05:00
Christian Mehlmauer
556f17c47e
Move modules
2013-08-22 17:33:35 +02:00
Christian Mehlmauer
8456d2c0ec
remove target_uri
2013-08-22 00:48:42 +02:00
Christian Mehlmauer
959553583f
-) revert last commit
...
-) split into seperate modules
2013-08-22 00:45:22 +02:00
Christian Mehlmauer
009d8796f6
wordpress is now a module, not a mixin
2013-08-22 00:05:58 +02:00
jvazquez-r7
965e2d88fe
Use normalize_uri
2013-08-21 16:49:24 -05:00
Christian Mehlmauer
2e9a579a08
implement @limhoff-r7 feedback
2013-08-21 21:05:52 +02:00
jvazquez-r7
b72566b8aa
Add module for ZDI-13-190
2013-08-21 12:47:47 -05:00
Christian Mehlmauer
ffdd057f10
-) Documentation
...
-) Added Wordpress checks
2013-08-21 14:27:11 +02:00
Christian Mehlmauer
49ec0d464a
msftidy
2013-08-21 13:15:21 +02:00
Christian Mehlmauer
11ef8d077c
-) added wordpress mixin
...
-) fixed typo in web mixin
2013-08-21 12:45:15 +02:00
jvazquez-r7
42f774a064
Fix check method
2013-08-20 12:02:09 -05:00
Charlie Eriksen
533d98bd1b
Adding module for CVE 2013-5093, Graphite Web Exploit
2013-08-20 12:56:30 -04:00
jvazquez-r7
7b555679e6
Really delete the telnet target
2013-08-19 15:06:47 -05:00
jvazquez-r7
d64c8748e8
Fix descriptions and names
2013-08-19 15:05:27 -05:00
jvazquez-r7
232289d500
Add new module to exploit to through telnet dlink_upnp_exec_noauth
2013-08-19 15:01:29 -05:00
jvazquez-r7
846925e3ba
Delete telnet target from dlink_upnp_exec_noauth
2013-08-19 14:56:12 -05:00
Tod Beardsley
ca313806ae
Trivial grammar and word choice fixes for modules
2013-08-19 13:24:42 -05:00
m-1-k-3
c902b0ea4b
removed user and pass option
2013-08-19 18:07:11 +02:00
m-1-k-3
5fc806e3e0
little fixes
2013-08-18 16:18:27 +02:00
m-1-k-3
9ae977ec80
Merge branch 'raidsonic_telnet' of https://github.com/jvazquez-r7/metasploit-framework into raidsonic-ib5220-exec
...
Conflicts:
modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
2013-08-18 15:56:39 +02:00
Steve Tornio
abd4fb778f
add osvdb ref for chasys overflow
2013-08-18 06:35:28 -05:00
Steve Tornio
0037ccceed
add osvdb ref for openx backdoor
2013-08-18 06:34:50 -05:00
g0tmi1k
02e394e1c3
php_include - fix check
2013-08-17 17:36:43 +01:00
g0tmi1k
98b4c653c0
php_include - uses verbose
2013-08-17 17:35:09 +01:00
sinn3r
a75a4906f2
Description update
2013-08-16 23:28:24 -05:00
jvazquez-r7
a8cc15db20
Add module for ZDI-13-178
2013-08-16 18:13:18 -05:00
jvazquez-r7
85b050112a
Land #2231 , @wchen-r7's patch for [SeeRM #8114 ]
2013-08-16 12:52:10 -05:00
sinn3r
d4dbea5594
Check 200
2013-08-16 11:34:32 -05:00
jvazquez-r7
1a3b4eebdb
Fix directory name on ruby
2013-08-15 22:54:31 -05:00
jvazquez-r7
795ad70eab
Change directory names
2013-08-15 22:52:42 -05:00
jvazquez-r7
c5c2aebf15
Update references
2013-08-15 22:04:15 -05:00
jvazquez-r7
cc5804f5f3
Add Port for OSVDB 96277
2013-08-15 18:34:51 -05:00
sinn3r
462ccc3d36
Missed these little devils
2013-08-15 16:50:13 -05:00
sinn3r
cd734acf3e
[See RM 8114] - Reduce false positive if traffic is redirected
...
Fix complaint for hitting this false positive when the user has
all the traffic redirected.
2013-08-15 16:33:10 -05:00
HD Moore
6c1ba9c9c9
Switch to Failure vs Exploit::Failure
2013-08-15 14:14:46 -05:00
jvazquez-r7
7a8bafd82c
Beautify
2013-08-14 13:50:08 -05:00
jvazquez-r7
90aec6cff5
Fix telnet negotiation for the raidsonic case
2013-08-14 13:38:51 -05:00
sinn3r
23c5f02e9a
Land #2225 - Fix dlink_dir300_exec_telnet
2013-08-14 13:11:42 -05:00
sinn3r
98e0053dc6
Fix indent level
2013-08-14 13:07:01 -05:00
jvazquez-r7
178a7b0dbb
Fix author's email format
2013-08-14 11:56:47 -05:00
jvazquez-r7
2a4b8e4a64
Add useful comment
2013-08-14 11:49:32 -05:00
jvazquez-r7
e6c36864c4
Fix telnet related stuff
2013-08-14 11:47:57 -05:00
bcoles
7145a85fb4
Add MiniWeb (Build 300) Arbitrary File Upload
2013-08-15 01:01:46 +09:30
m-1-k-3
6b87240323
thx to juan ... session stuff looks better
2013-08-14 16:51:09 +02:00
jvazquez-r7
1d82ed176f
Update joomla_media_upload_exec references
2013-08-13 23:27:01 -05:00
sinn3r
54cffdb27d
Land #2219 - OSVDB-95933: Joomla Media Manager File Upload Vulnerability
2013-08-13 19:04:57 -05:00
sinn3r
e912a64ccc
Description change
2013-08-13 19:04:25 -05:00
jvazquez-r7
312ff1a20e
Delete period from regular expressions
2013-08-13 17:50:26 -05:00
jvazquez-r7
04eed49310
Add support for FileDropper
2013-08-13 16:47:24 -05:00
jvazquez-r7
e4a570d36b
Update metadata according to OSVDB
2013-08-13 16:42:53 -05:00
jvazquez-r7
2086c51b67
Add module for Joomla Upload Exploit in the wild
2013-08-13 16:27:27 -05:00
jvazquez-r7
31cbc270fd
Favor unless over if for negative condition
2013-08-13 08:46:12 -05:00
jvazquez-r7
bc9a26d4ee
Fix condition
2013-08-12 23:05:26 -05:00
jvazquez-r7
568181de84
Add sthetic spaces
2013-08-12 22:33:34 -05:00
jvazquez-r7
6d70d4924e
Land #2206 , @PsychoSpy module for OSVDB 94097
2013-08-12 22:27:03 -05:00
jvazquez-r7
7981601eb8
Do final cleanup on intrasrv_bof
2013-08-12 22:24:53 -05:00
sinn3r
2d3c2c1c87
Set default target to 0 because there's only one
2013-08-12 20:01:23 -05:00
sinn3r
c0335cee26
Land #2214 - CVE-2013-3928: Chasys Draw IES Buffer Overflow
2013-08-12 19:16:02 -05:00
sinn3r
7562324d96
Land #2210 - CVE-2013-5019: Ultra Mini HTTPD Stack Buffer Overflow
2013-08-12 19:13:58 -05:00
sinn3r
51d9c59dcd
Extra tabs, bye
2013-08-12 19:13:20 -05:00
Nathan Einwechter
db78ffcc46
...
2013-08-12 18:21:10 -04:00
Nathan Einwechter
49bcec5c92
Additional cleanup
2013-08-12 18:20:03 -04:00
jvazquez-r7
b3f229ff59
Add module for CVE-2013-3928
2013-08-12 17:18:30 -05:00
Nathan Einwechter
7014322dfd
Code cleanup
2013-08-12 18:16:00 -04:00
Nathan Einwechter
264fe32705
Added new badchars
2013-08-12 18:08:49 -04:00
Nathan Einwechter
bbc93b2a58
msftidy
2013-08-12 15:14:01 -04:00
Nathan Einwechter
28f030494e
Use tcp mixin/clean corrupt bytes
2013-08-12 15:12:15 -04:00
jvazquez-r7
b1fc8308c1
Land #2211 , @bcoles exploit for CVE-201-2620
2013-08-12 11:23:20 -05:00
jvazquez-r7
8ac01d3b8e
Fix description and make it aggressive
2013-08-12 11:19:25 -05:00
Nathan Einwechter
7854c452d2
Added more payload padding
2013-08-12 11:10:10 -04:00
Nathan Einwechter
9f33a59dc2
Fix target ret
2013-08-12 11:04:55 -04:00
Nathan Einwechter
6f96445b42
Change target ret/cleanup
2013-08-12 10:13:48 -04:00
Nathan Einwechter
a35d548979
Use HttpClient
2013-08-12 10:01:01 -04:00
bcoles
d63d7bc7da
Add Open-FTPD 1.2 Writable Directory Traversal Execution
2013-08-12 08:49:49 +09:30
Nathan Einwechter
896320ed42
fix typo
2013-08-11 16:48:43 -04:00
Nathan Einwechter
4b14fa53e0
tidy debugs
2013-08-11 16:39:41 -04:00
Nathan Einwechter
90ef224c46
Implement CVE-2012-5019
2013-08-11 16:33:40 -04:00
jvazquez-r7
f2e5092fd5
Add module for ZDI-13-179
2013-08-10 18:44:33 -05:00
Nathan Einwechter
185ef2ecae
msftidy
2013-08-10 16:01:44 -04:00
Nathan Einwechter
6fe4e3dd0e
Added Intrasrv 1.0 BOF
2013-08-10 15:56:07 -04:00
sinn3r
5436ec7dd3
Title change for dlink_dir300_exec_telnet
...
Title change for dlink_dir300_exec_telnet. Also correct the email
format.
2013-08-09 15:41:50 -05:00
sinn3r
5128458c90
Land #2201 - Better check for ppr_flatten_rec
2013-08-09 14:44:23 -05:00
sinn3r
021c358159
Land #2203 - Fix regex for x64 detection
2013-08-09 13:23:38 -05:00
Tod Beardsley
6c0b067d7c
Land #2163 , known secret session cookie for RoR
...
From @joernchen, leverages an infoleak to gain a shell on rails
applications. There is no patch, since you are expected to keep your
secrets, well, secret.
2013-08-09 12:30:37 -05:00
Tod Beardsley
969b380d71
More explicit title, grammar check on description
2013-08-09 12:27:45 -05:00
Tod Beardsley
13ea8aaaad
VALIDATE_COOKIE better grammar on fail message
2013-08-09 12:26:12 -05:00
Tod Beardsley
94e7164b01
Allow user to choose to validate the cookie or not
2013-08-09 12:22:28 -05:00
joernchen of Phenoelit
376c37d4cc
Two more fixes, Arch and unneeded include.
2013-08-09 09:23:50 +02:00
Sagi Shahar
7178633140
Fixed architecture detection in bypassuac modules
2013-08-09 03:42:02 +02:00
Tod Beardsley
155c121cbb
More spacing between ends
2013-08-08 16:35:38 -05:00
Tod Beardsley
f4fc0ef3fb
Moved classes into the Metasploit3 space
...
I'm just worried about all those naked classes just hanging around in
the top namespace. This shouldn't impact functionality at all.
While most modules don't define their own classes (this is usually the
job of Msf::Exploit and Rex), I can't think of a reason why you
shouldn't (well, aside from reusability). And yet, very rarely do
modules do it. It's not unknown, though -- the drda.rb capture module
defines a bunch of Constants, and the
post/windows/gather/credentials/bulletproof_ftp.rb module defines some
more interesting things.
So, this should be okay, as long as things are defined in the context of
the Metasploit module proper.
2013-08-08 16:22:34 -05:00
Tod Beardsley
4e166f3da4
Adding more blank lines between methods
...
For readability
2013-08-08 16:20:38 -05:00
jvazquez-r7
567873f3cc
Use normalize_uri a little better
2013-08-08 15:12:51 -05:00
jvazquez-r7
4a609504e3
Land #2199 , @jlee-r7's exploit for CVE-2013-4211
2013-08-08 14:57:28 -05:00
jvazquez-r7
06ebc686c4
Land #2194 , @CharlieEriksen exploit for CVE-2013-5036
2013-08-08 14:50:28 -05:00
jvazquez-r7
40a61ec654
Do minor cleanup
2013-08-08 14:47:46 -05:00
Meatballs
318280fea7
Add 7/2k8 RTM versions
2013-08-08 20:02:14 +01:00
Meatballs
d64352652f
Adds unsupported Vista versions
2013-08-08 19:58:40 +01:00
Meatballs
08c32c250f
File versions
2013-08-08 19:42:14 +01:00
sinn3r
a03d71d60e
Land #2181 - More targets for hp_sys_mgmt_exec
...
Thanks mwulftange!
2013-08-08 13:35:33 -05:00
sinn3r
a73f87eaa5
No autodetect. Allow the user to manually select.
2013-08-08 13:34:25 -05:00
Charlie Eriksen
28b36ea29b
Removing a space at EOL I missed.
2013-08-08 14:30:53 -04:00
Charlie Eriksen
1c6e994fe8
Adding improvements based on Juan's feedback
2013-08-08 14:29:35 -04:00
James Lee
080ca0b1b1
Use fail_with when failing instead of print_error
2013-08-08 13:12:39 -05:00
jvazquez-r7
5d0e868701
Land #2192 after cleanup
2013-08-08 08:44:17 -05:00
jvazquez-r7
74eeacf9f2
Fix regex
2013-08-08 08:40:45 -05:00
James Lee
ca7c0defe1
No need to rescue if we're just re-raising
2013-08-07 17:36:07 -05:00
James Lee
c808930f15
Add module for CVE-2013-4211, openx backdoor
2013-08-07 17:24:47 -05:00
root
3a24765585
Adding CVE ID
2013-08-07 18:11:43 -04:00
jvazquez-r7
0f975da5f4
Update target info and something else...
2013-08-07 16:00:06 -05:00
jvazquez-r7
d1beb313f6
Add module for 2013-1690
2013-08-07 15:36:54 -05:00
jvazquez-r7
821673c4d2
Try to fix a little description
2013-08-07 10:26:39 -05:00
jvazquez-r7
33ac0c5c3f
Make exploit more print friendly
2013-08-07 10:21:14 -05:00
jvazquez-r7
32436973e4
Land #2192 , @m-1-k-3's exploit for OSVDB-89861
2013-08-07 10:16:49 -05:00
jvazquez-r7
ae685ac41d
Beautify description
2013-08-07 09:52:29 -05:00
jvazquez-r7
afb8a95f0a
Land #2179 , @m-1-k-3's exploit for OSVDB-92698
2013-08-07 09:00:41 -05:00
root
7412981138
Adding an OSVDB reference
2013-08-07 07:15:00 -04:00
root
36bab2fdfa
Adding a space between init and check
2013-08-06 16:14:21 -04:00
root
be683d5dc6
Fixing the TARGETURI variable, adding check
2013-08-06 16:13:44 -04:00
root
a745ec8fa6
Adding reference
2013-08-06 14:43:25 -04:00
root
cfd5f29220
Fixing the use of APIKEY, which is not needed
2013-08-06 14:10:48 -04:00
root
69a86b60e2
Added initial squash RCE exploit
2013-08-06 14:00:17 -04:00
m-1-k-3
885417c9d9
removing config file from target
2013-08-06 15:11:54 +02:00
HD Moore
c73e417531
Merge pull request #2171 from frederic/master
...
add new target in libupnp_ssdp_overflow exploit : Axis Camera M1011
2013-08-05 18:31:41 -07:00
m-1-k-3
dd35495fb8
dir 300 and 600 auxiliary module replacement
2013-08-05 22:28:59 +02:00
m-1-k-3
786f16fc91
feedback included
2013-08-05 21:55:30 +02:00
m-1-k-3
2efc2a79bf
fail with
2013-08-05 21:41:28 +02:00
jvazquez-r7
9790181dd2
Land #2176 , @wchen-r7's fix for [TestRM #8272 ]
2013-08-05 13:10:25 -05:00
Tod Beardsley
40f015f596
Avoid require race with powershell
2013-08-05 09:56:32 -05:00
Tod Beardsley
a885ff9bcc
Use consistent caps for 'PowerShell'
2013-08-05 09:33:49 -05:00
Tod Beardsley
5ea67586c8
Rewrite description for MS13-005
...
The first part of the description was copy-pasted from
http://packetstormsecurity.com/files/122588/ms13_005_hwnd_broadcast.rb.txt
which contained some grammatical errors. Please try to avoid cribbing
other researchers' descriptions directly for Metasploit modules.
2013-08-05 09:29:29 -05:00
Tod Beardsley
e7206af5b5
OSVDB and comment doc fixes
2013-08-05 09:08:17 -05:00
m-1-k-3
34134b2e11
feedback included
2013-08-04 14:45:55 +02:00
Markus Wulftange
9955899d9a
Minor formal fixes
2013-08-04 08:03:02 +02:00
m-1-k-3
b8ed364cb8
telnet user working
2013-08-03 15:07:10 +02:00
m-1-k-3
62e3c01190
raidsonic nas - command execution
2013-08-02 21:04:19 +02:00
Markus Wulftange
8cc07cc571
Merge Linux and Windows exploit in multi platform exploit
2013-08-02 18:49:03 +02:00
m-1-k-3
a19afd163a
feedback included
2013-08-02 17:30:39 +02:00
Ruslaideemin
f927d1d7d3
Increase exploit reliability
...
From some limited testing, it appears that this exploit is
missing \x0d\x0a in the bad chars. If the generated payload / hunter
or egg contain that combination, it seems to cause reliability issues
and exploitation fails.
The home page for this software can be found at
http://www.leighb.com/intrasrv.htm
2013-08-02 09:06:20 +10:00
Markus Wulftange
4a127c2ed2
Add hp_sys_mgmt_exec module for Linux and enhance module for Windows
...
The hp_sys_mgmt_exec module for Linux is a port of the Windows module with minor changes due to the requirement of quotes. It also uses Perl instead of PHP as PHP may not always be in the environment PATH. Although the Windows module works perfectly, it now uses the same technique to encode the command (thankfully, PHP adopted major syntax characteristics and functions from Perl).
2013-07-31 22:05:25 +02:00
m-1-k-3
15906b76db
dir300 and 615 command injection
2013-07-31 14:36:51 +02:00
m-1-k-3
6b514bb44a
dir300 and 615 command injection telnet session
2013-07-31 14:34:03 +02:00
sinn3r
8c47f1df2d
We don't need this option anymore
2013-07-31 03:30:34 -05:00
sinn3r
af0046658b
Change the way file is stored
2013-07-31 03:28:24 -05:00
Frederic Basse
5e1def26aa
remove Axis M1011 fingerprint, may not be specific enough to be used automatically.
2013-07-30 09:54:33 +02:00
Tod Beardsley
7e539332db
Reverting disaster merge to 593363c5f
with diff
...
There was a disaster of a merge at 6f37cf22eb
that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).
What this commit does is simulate a hard reset, by doing thing:
git checkout -b reset-hard-ohmu
git reset --hard 593363c5f9
git checkout upstream-master
git checkout -b revert-via-diff
git diff --no-prefix upstream-master..reset-hard-ohmy > patch
patch -p0 < patch
Since there was one binary change, also did this:
git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf
Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
Frederic Basse
63940d438e
add new target in libupnp_ssdp_overflow exploit : Axis Camera M1011
2013-07-30 01:56:10 +02:00
jvazquez-r7
05be76ecb7
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-29 16:41:22 -05:00
sinn3r
ab75d00f8a
Land #2169 - Description update
2013-07-29 14:24:57 -05:00
sinn3r
5efcbbd474
Land #2167 - PineApp Mail-SeCure livelog.html Exec
2013-07-29 13:18:18 -05:00
sinn3r
7967426db1
Land #2166 - PineApp Mail-SeCure ldapsyncnow.php EXEC
2013-07-29 13:16:42 -05:00
Meatballs
7801eadbc2
psh description
2013-07-29 19:14:12 +01:00
sinn3r
baa0b983c8
Land #2165 - PineApp Mail-SeCure test_li_connection.php CMD EXEC
2013-07-29 13:13:55 -05:00
jvazquez-r7
455569aee8
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-29 12:10:12 -05:00
jvazquez-r7
3a05993f16
Make msftidy happy and warn user about long times
2013-07-29 11:45:30 -05:00
Tod Beardsley
37312f2aa9
Module, singular
2013-07-29 10:58:36 -05:00
Tod Beardsley
11e9cca855
Spelling and description touch ups.
2013-07-29 10:57:19 -05:00
joernchen of Phenoelit
ac28dbe734
Minor typo fix
2013-07-28 19:44:44 +02:00
jvazquez-r7
a1d9ed300e
Add module for ZDI-13-184
2013-07-28 09:57:41 -05:00
joernchen of Phenoelit
8cdd163150
Module polishing, thanks @todb-r7.
...
Two test-apps (Rails 3/4) are available for this module. Ping me if you want to use them.
2013-07-28 13:52:27 +02:00
jvazquez-r7
f4e35b62ac
Add module for ZDI-13-185
2013-07-27 12:12:06 -05:00
jvazquez-r7
fab9d33092
Fix disclosure date
2013-07-27 12:10:21 -05:00
jvazquez-r7
ac7bb1b07f
Add module for ZDI-13-188
2013-07-27 03:25:39 -05:00
Meatballs
234e49d982
Add type technique
2013-07-26 23:33:16 +01:00
jvazquez-r7
805a9675a7
Modify the check for Integrity Level and Allow dropt o fs
2013-07-26 14:54:50 -05:00
joernchen of Phenoelit
7f3eccd644
Rails 3/4 RCE w/ token
2013-07-26 20:23:18 +02:00
Meatballs
12a58c730a
Small fix
2013-07-26 10:15:47 +01:00
Meatballs
6a13ed0371
Missing include
2013-07-26 03:18:17 +01:00
Meatballs
72b8891ba3
Check for low integrity
2013-07-26 03:16:45 +01:00
Meatballs
030640d5bc
back to cmd
2013-07-26 03:00:36 +01:00