8d86ff0065
Land #10138 , Update psnuffle RHOSTS and style
2018-06-13 12:47:32 -07:00
7e2c1fae2c
Land #10148 , Add New Module - Badpdf
...
Merge branch 'land-10148' into upstream-master
2018-06-12 15:21:25 -07:00
60a9e08cdc
Land #10157 , Add IconFile path to .URL files generated with MultiDrop
2018-06-10 20:07:24 -07:00
aa5c114364
Land #10067 , Added `auxiliary/fileformat/odt_badodt`
2018-06-06 09:29:34 -07:00
f6e0f5bd81
Land #10115 , Added module `auxiliary/fileformat/multidrop`
2018-06-05 14:32:25 -07:00
1df5b7655f
Land #10106 , Add the scanner/smb/impacket/wmiexec module
2018-06-05 06:39:34 -07:00
650c5c7a93
Land #10121 , finish deprecating modules
2018-06-04 15:37:56 -07:00
2a9399251c
Land #10102 , SOCKS5 updates for BIND, parsing specs, refactoring
2018-06-01 07:03:23 -07:00
c8ff6cb5a4
Land #9701 , Flexense HTTP Server DoS exploit
2018-06-01 07:03:22 -07:00
caa8b673ed
Land #9990 , add SOCKS5 proxy support
2018-05-25 15:56:23 -07:00
196b302897
Land #10084 , Mark all versions of telpho10 as vulnerable
2018-05-23 13:38:39 -07:00
7b3169ad0a
Land #9999 , Optionally test empty group in cisco_ssl_vpn
2018-05-21 17:01:35 -05:00
6e71f5c5fd
Land #9816 , Add the scanner/smb/impacket/dcomexec module
2018-05-17 08:16:34 -07:00
78f546ce81
Land #9986 , initial ruby_smb simple client integration
2018-05-09 17:48:52 -07:00
635f483b42
Land #9881 , cleanup psexec code
2018-05-01 14:51:20 -07:00
0949bedf67
Land #9628 , Add GitStack v2.3.10 Unauth REST API Aux Module
...
Land #9628
2018-04-23 11:21:11 -07:00
5b42a81d3a
Land #9823 , Private IP leak via WebRTC
2018-04-12 09:27:21 -07:00
084e6b1db3
Land #9813 , Add etcd library and version scanner
2018-04-10 06:55:58 -07:00
9d5ab1dedf
Land #9726 , add simple Rex::Tar wrapper for consistency with other archive types
2018-04-03 09:13:56 -05:00
c2bf848ba9
Land #9748 , Convert the smbloris DoS into an external module
...
Help reliability and performance. This some Ruby-specific external module
tooling as a result as well.
2018-04-03 09:13:56 -05:00
d6f23071ca
Land #9718 , Add get_user_spns 'kerberoasting' module
2018-04-03 09:13:29 -05:00
9d076f6842
Land #9776 , if data is nil, stop reading the heartbleed socket
2018-03-29 09:42:03 -07:00
36ba1468e8
Land #9760 , @h00die's etcd scanner
2018-03-29 09:17:54 -07:00
c31a8ab687
Land #9618 , pipe auditing improvements
2018-03-27 14:21:47 -05:00
72d2b46ac8
Land #9767 land magick number blog link update
2018-03-27 14:21:46 -05:00
37576d19a1
Land #9733 , rename external templates
2018-03-22 11:18:22 -07:00
ef7b77ed01
Land #9529 , Add module for HP iLO CVE-2017-12542 authentication bypass
2018-03-17 20:33:05 -07:00
dcb514e5ac
Land #9694 , move ssh platforms to lib
2018-03-17 20:33:04 -07:00
715279311a
Land #8422 , Typo3 News Module Sql Injection exploit
2018-03-15 09:21:14 -07:00
c5e231cfbf
Land #9686 , add ipv6 to slowloris, rhost to non-scanner modules
2018-03-13 13:33:28 -07:00
028d329b4d
Land #9632 , owa_login and auth_brute enhancements
2018-03-12 10:14:19 -07:00
8c60a73731
varnish anonymous file read
2018-03-09 14:55:11 -06:00
bcc0a2a94c
Land #7654 , varnish file read
2018-03-09 12:53:20 -08:00
49bc0024c1
Land #9678 , Add memcached UDP version scanner
2018-03-07 18:47:47 -08:00
64019d3301
Land #9676 , correcting CVE and adding disclosure date for memcached
...
amplification
2018-03-07 07:49:30 -08:00
f6223c0193
Land #9614 , Juniper post enum module
2018-03-07 07:49:29 -08:00
6909c635bc
Land #9644 , @xistence's memcached stats amplification scanner
2018-03-05 15:29:20 -08:00
2af4f56382
Land #9611 , Fix bug causing all OWA logins to appear valid
2018-02-23 08:31:01 -08:00
178afdaed1
Land #9604 , Fix logged errors when running without Python 3.6 / gmpy2
2018-02-22 08:27:37 -08:00
826b986018
Land #9602 , Create sessions with the Fortinet SSH backdoor scanner
2018-02-22 08:27:36 -08:00
4e8fe54c6c
Land #9524 , prefer 'shell' channels over 'exec' channels for ssh CommandStream
2018-02-22 08:27:36 -08:00
c1d701f656
Land #9593 , finger_users regex fix
2018-02-22 08:27:35 -08:00
8c2484d2da
Land #9164 , add OWA 2016 support
2018-02-20 09:24:13 -06:00
d89a8c3eb9
Land #9571 , specify a python encoding for the claymore DoS module
2018-02-16 15:34:49 -08:00
d2e71cfc8b
Land #9512 , Add Claymore Dual GPU Miner<= 10.5 DoS module
2018-02-16 15:34:48 -08:00
004e228a52
Land #9509 , Ulterius Server < v1.9.5.0 Directory Traversal
...
Land #9509
2018-02-16 15:34:47 -08:00
e8ad3a98e9
Land #9558 , Fix #9417 , map timeout exp to a var for telnet_encrypt_overflow
2018-02-15 14:14:07 -08:00
0cee8485d0
Land #9557 , add back udp_probe for now
2018-02-14 11:26:59 -08:00
bdc0b47844
Land #9552 , add private_type for stored tomcat pw
...
Fixes #9513
2018-02-13 19:55:54 -08:00
e485b152e3
Land #9542 , Correct Typo
2018-02-13 14:46:06 -08:00
32bd516e70
Land #9525 , Update mysql_hashdump for MySQL 5.7 and above
2018-02-12 11:55:17 -06:00
cd723ac86e
Add scanner for Bleichenbacher oracle (ROBOT)
2018-02-09 11:14:30 -06:00
6c350be24e
Land #9473 , new MS17-010 aux and exploit modules
2018-02-02 11:32:40 -06:00
ce3d5d77e4
Land #9481 , Update native DNS spoofer for Dnsruby
2018-02-02 11:32:18 -06:00
ec12d61702
Land #9354 , Debut embedded httpd server (Brother printers) DoS
2018-02-02 11:31:59 -06:00
b7fbffa331
Land #9445 fixes for ssl labs scanner module
2018-02-01 11:23:46 -06:00
b515a582f0
Land #9424 , Add SharknAT&To external scanner
2018-01-24 17:20:03 -06:00
926ce42a01
Land #8632 , colorado ftp fixes
2018-01-24 17:13:20 -06:00
d6beb94c59
Land #6611 , add native DNS to Rex, MSF mixin, sample modules
2018-01-24 17:12:52 -06:00
bb73d2c07e
Land #9431 , Fix owa_login to handle inserting credentials for a hostname
2018-01-24 17:12:39 -06:00
47682e3f37
Land #9404 , update module author
2018-01-24 17:12:34 -06:00
ab610f599b
Land #9442 , Remove NoMethod Rescue for cerberus_sftp_enumusers
...
Land #9442
2018-01-24 17:12:25 -06:00
10fafb62bb
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
...
Land #9436
Thanks Steve!
2018-01-24 17:12:16 -06:00
736d438813
Address second round of feedback
...
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.
Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
1a8eb7bf2a
Update nis_ypserv_map after bootparam feedback
...
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
c080329ee6
Update module after feedback
...
Looks like I can't decide on certain style preferences.
Not keen on using blank?, but I've used it before. Time to commit?
Also, fail_with has been fixed for aux and post since #8643 . Use it!
2018-01-13 15:40:11 -06:00
2916c5ae45
Rescue Rex::Proto::SunRPC::RPCTimeout
...
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
0c9f1d71d3
Add NIS bootparamd domain name disclosure
2018-01-12 19:34:53 -06:00
4b225c30fd
Land #9368 , ye olde NIS ypserv map dumper
2018-01-10 22:02:36 -06:00
f66b11f262
Nix an unneeded variable declaration
2018-01-10 20:24:02 -06:00
b66889ac86
Rescue additional errors and refactor code
...
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
dd737c3bc8
Land #9317 , remove multiple deprecated modules
...
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
4a5a17a8e1
Add NIS ypserv map dumper
2018-01-08 14:27:53 -06:00
51e5fb450f
Detect and return on bad VNC negotiations
2018-01-05 10:12:13 -06:00
7849155347
Land #9359 , Improve DCE/RPC fault handling
2018-01-03 20:42:17 -06:00
a98de2d9a3
Land #9358 , Support password protected key files
2018-01-03 15:12:28 -06:00
086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
...
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
f2a8d68a1f
Permit encrypted SSH keys for login scanner
...
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.
Testing:
None yet
2017-12-31 02:53:06 -05:00
7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
...
Add error handling if request fails
Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
289e887895
Adding Module for Postfixadmin CVE-2017-5930
...
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
8de760f1f7
Land #9348 , Only use basic auth in couchdb_enum when credentials are provided
2017-12-28 21:24:45 -06:00
c2bb144d0f
Land #9302 , Implement ARD auth and add remote CVE-2017-13872 (iamroot) module
2017-12-28 14:11:26 -06:00
fad4ccece9
Only use basic auth in couchdb_enum when credentials are provided
2017-12-27 20:16:01 -06:00
bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-27 13:08:44 -08:00
e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
...
These cover several of the CVEs mentioned in
https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
1bb2bb9d2c
Oops, no admin in that path
2017-12-26 12:06:45 -06:00
9af88681a2
Move deprecation out 60 days
2017-12-26 11:56:47 -06:00
038119d9df
Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more
2017-12-23 00:14:27 +05:30
5dfb5d581a
Switch get_cookies to get_cookies_parsed
...
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 18:58:36 -08:00
298cb16b1a
Set default USER/PASS files
2017-12-20 18:44:43 -08:00
b9af835d06
Style
2017-12-20 18:05:00 -08:00
d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
...
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
495c649c7d
Better printing
2017-12-20 14:40:42 -08:00
ed5f177fcd
syntax
2017-12-20 14:20:08 -08:00
e66ec85677
Set default u/p
2017-12-20 14:18:33 -08:00
8cd7185a7f
Land #9313 , Add DirectAdmin login_scanner module
2017-12-20 15:23:24 -06:00
7f8a5d3834
improved credential reporting
2017-12-20 15:09:11 -06:00
14c779b945
Fix rubocop warning
2017-12-20 12:44:27 -08:00
c817df0bbc
Add module for bruteforcing authentication on MQTT endpoints
2017-12-20 12:30:21 -08:00
7e91274796
Add module for connecting to/discovering MQTT endpoints
2017-12-20 12:29:50 -08:00
a8b845fff9
Land #9283 , Add node.js ws websocket library DoS module
2017-12-20 14:20:42 -06:00
9fb445fbf0
Land #9300 , Add private data type to auxiliary scanner ftp_login and telnet_login
2017-12-20 00:30:43 -06:00
216d00e39f
Use a random fname destination for /etc/passwd
2017-12-19 17:02:16 -06:00
e93282b71d
Drop calls to vprint_*
2017-12-19 16:53:02 -06:00
2dc2ac134e
Don't default verbose
2017-12-19 16:48:41 -06:00
a2c5cc0ffb
Remove old deprecated modules
2017-12-19 07:56:16 -08:00
acc6951bf3
fixed typo
2017-12-19 08:35:11 -05:00
f0df1750de
Land #9180
...
Land @RootUp's Samsung browser SOP module
2017-12-18 17:28:03 -06:00
85350a9645
Add Rapid7 blog references
2017-12-18 17:11:47 -06:00
ae4edd65e1
Hard wrap descriptions
2017-12-18 17:03:13 -06:00
27a324237b
Initial commit for Cambium issues from @juushya
...
Note, these will trigger a bunch of WARNING msftidy messages for setting
cookies directly. This is on purpose.
2017-12-18 16:32:55 -06:00
a33ed82a40
Land #9214 , @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs
2017-12-18 12:22:26 -08:00
6d565b6c33
added author information
2017-12-18 09:18:36 -05:00
f447fa1a12
Added DirectAdmin Login Utillity
2017-12-17 22:43:37 -05:00
917dd8e846
Update samsung_browser_sop_bypass.rb
2017-12-16 22:10:02 +05:30
8f91377acb
Update samsung_browser_sop_bypass.rb
2017-12-16 22:09:21 +05:30
3b3b0e6e96
And this is why I hate using single quotes
...
Also, restored the store_cred call.
This will fix up RootUp/metasploit-framework#3 for PR #9180
2017-12-14 14:28:25 -06:00
0b3a5567a4
Add module for CVE-2017-13872 iamroot remote exploit via ARD (VNC)
2017-12-14 13:59:35 -06:00
384b250659
Add credential data type
...
Added credential data type so that successful passwords are stored in the database and accessible via the creds command.
2017-12-14 08:07:59 -06:00
be4939b56a
Add credential data type
...
Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command.
2017-12-14 08:05:57 -06:00
3cd287ddd6
Update the MS17-010 scanner to use dcerpc_getarch
2017-12-14 02:08:30 -06:00
d7ad443be1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2017-12-13 19:33:05 -05:00
c0a534140d
Land #9284 a regex dos for ua_parser_js npm module
2017-12-13 19:31:49 -05:00
deacebc46b
Land #9264 , Add private type when storing SSH password
...
Land #9264
2017-12-13 18:24:31 -06:00
5226181d6d
Better conditionals from @bcoles
2017-12-13 16:48:05 -06:00
966060d470
Nits picked by @bcoles: commas, quotes, and <head>
2017-12-13 16:38:17 -06:00
dd5532c5de
Addressing Formatting Issues
...
There were several formatting and layout issues
that are fixed in this commit. Also changing
`RHOSTS` to `RHOST`.
2017-12-13 14:26:27 -06:00
622050ddfc
Oops, leftover comment
2017-12-12 14:48:00 -06:00
efa46efb48
Actually save creds, or fail through sanely
...
This incidentally also allows for a custom collector to be implemented
by the user -- for example, if they'd rather pick up a session ID or
inject a browser hook or something along those lines. It's a little
clunky, using the advanced option of CUSTOM_JS, but it seems to work
fine.
2017-12-12 14:06:18 -06:00
5f70199218
Update samsung_browser_sop_bypass.rb
2017-12-12 15:52:55 +05:30
2d23054a1f
Changes as per comments
...
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
2017-12-11 14:11:40 -06:00
c5f218c84c
Addressing comments
...
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value
2017-12-11 11:49:31 -05:00
cba5c7cb0f
Rename to actually call out the browser name
2017-12-08 13:53:13 -06:00
0a9dcafb77
Actually collect the creds, sort of
...
Instead of an alert() (which the attacker won't see), this collects the
offered credentials in a POST action, and displays them in the console.
This should further store the creds somewhere handy, but this is good
enough for now for testing from @RootUp
2017-12-08 13:51:02 -06:00
aee883a706
Fixed up description to be descriptive
2017-12-08 12:24:58 -06:00
306c5d20d9
Adding ua_parser_js ReDoS Module
...
"ua-parser-js" is an npm module for parsing browser
user-agent strings. Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs. The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
2017-12-07 10:25:29 -06:00
c992837f0d
Adding ws DoS module
...
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
2017-12-07 10:45:57 -05:00
b24f70c7c6
Update ssh_login.rb
...
Added credential data type so password is stored in creds.
2017-11-30 11:02:06 -06:00
283b7c5145
Add WS-Discovery Information Discovery module
2017-11-29 12:21:22 +00:00
778e69f929
Land #9229 , Randomize slowloris HTTP headers
2017-11-22 14:42:24 -06:00
ae43883e2b
Fix mongodb_login typo
2017-11-22 08:03:12 -05:00
99555dde02
sleep! per feedback
2017-11-21 21:33:29 -05:00
5484ee840e
Correct port when eating cisco config
2017-11-21 18:09:51 -08:00
bdc822c67d
Improve logging when requesting config
2017-11-21 18:09:02 -08:00
5a358db260
Clean up shutdown messaging
2017-11-21 17:55:17 -08:00
93c424c255
Remove unused
2017-11-21 17:54:31 -08:00
b0d8b0a191
Clean up incoming file handling
2017-11-21 17:54:02 -08:00
785e5944d6
Enhanced slowloris HTTP headers and minor cleanup
2017-11-21 18:19:20 -05:00
b6c81e6da0
Reimplement slowloris as external module
2017-11-21 16:21:01 -05:00
Adam Cammack
bwatters-r7
Brendan Coles
Aaron Soto
Jacob Robles
Brent Cook
Jeffrey Martin
Wei Chen
h00die
Jon Hart
William Vu
Spencer McIntyre
Matthew Kienow
Pearce Barry
jgor
bka-dev
RageLtMan
Jan-Frederik Rieckers
james
Tod Beardsley
juushya
Nick Marcoccio
RootUp
nromsdahl
Nicholas Starke
Ryan Knell
attackdebris
Austin