9af9d2f5c2
slight cleanup
2014-06-17 19:08:31 -05:00
1133332702
Finish module
2014-06-17 15:01:35 -05:00
8f8af0e93a
Add draft version
2014-06-17 14:21:49 -05:00
2fe7593559
Land #3433 , @TecR0c's exploit for Easy File Management Web Server
2014-06-13 09:54:12 -05:00
34f98ddc50
Do minor cleanup
2014-06-11 09:20:22 -05:00
b27b00afbb
Added target 4.0 and cleaned up exploit
2014-06-11 06:22:47 -07:00
f1382af018
Added target 4.0 and cleaned up exploit
2014-06-11 06:20:49 -07:00
a554b25855
Use EXITFUNC
2014-06-10 09:51:06 -05:00
3d33a82c1c
Changed to unless
2014-06-09 09:31:14 -07:00
1252eea4b9
Changed to unless
2014-06-09 09:26:03 -07:00
52d26f290f
Added check in exploit func
2014-06-09 03:23:14 -07:00
8ecafbc49e
Easy File Management Web Server v5.3 Stack Buffer Overflow
2014-06-08 04:21:14 -07:00
6bef6edb81
Update efs_easychatserver_username.rb
...
Add targets for versions 2.0 to 3.1.
Add install path detection for junk size calculation.
Add version detection for auto targeting.
2014-06-08 06:36:18 +10:00
079fe8622a
Add module for ZDI-14-136
2014-06-04 10:29:33 -05:00
352e14c21a
Land #3391 , all vars_get msftidy warning fixes
2014-05-26 23:41:46 -05:00
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
8d4d40b8ba
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
fe767f3f64
Saving progress
...
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path
2014-01-03 08:14:02 +10:00
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
3a9ac303f0
Use rexml for XML data generation
2013-12-10 15:37:44 -06:00
230fcd87a5
Add module for zdi-13-259
2013-12-10 08:45:08 -06:00
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
2d77ed58d5
Land #2648 , @pnegry's exploit for Kaseya File Upload
2013-12-03 09:35:05 -06:00
2606a6ff0e
Do minor clean up for kaseya_uploadimage_file_upload
2013-12-03 09:34:25 -06:00
21bb8fd25a
Update based on jvazquez's suggestions.
2013-12-03 13:49:31 +13:00
d1e4975f76
Use res.get_cookies instead of homebrew parse. Use _cgi
2013-11-28 16:35:36 +13:00
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00
c76fa32345
Fixed reference format
2013-11-20 12:53:21 +13:00
26a5e37266
Use MSF::Exploit:FileDropper to register the uploaded file for cleanup.
2013-11-20 12:27:22 +13:00
07c76fd3e6
Module cleaned for msftidy compliance.
2013-11-20 11:33:14 +13:00
960f7c9bbb
Add DesktopCentral arbitrary file upload exploit.
2013-11-18 16:11:28 +13:00
60a245b0c3
Fix the arch declaration in uploaded module.
2013-11-18 14:49:03 +13:00
636fdfe2d2
Added Kaseya uploadImage exploit.
2013-11-18 14:23:34 +13:00
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
4c14595525
Land #2535 - Use %PATH% for notepad
2013-10-21 13:14:44 -05:00
d22e4ac2f1
Check timeout condition
2013-10-21 11:13:48 -05:00
27078eb5a6
Add support for HP imc /BIMS 5.1
2013-10-20 18:18:34 -05:00
b0d32a308a
Update version information
2013-10-19 00:52:22 -05:00
7d8a0fc06c
Add BID reference
2013-10-19 00:29:43 -05:00
cf239c2234
Add module for ZDI-13-238
2013-10-19 00:05:09 -05:00
563bf4e639
Fix bug #8502 , used %PATH% for notepad invocation
...
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
ed0b84b7f7
Another round of re-splatting.
2013-10-15 14:14:15 -05:00
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
84ec2cbf11
remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient
2013-09-25 23:42:44 +02:00
93486a627d
Whoops on trailing commas
2013-09-24 15:14:11 -05:00
3906d4a2ca
Fix caps that throw msftidy warnings
2013-09-24 13:03:16 -05:00
c547e84fa7
Prefer Ruby style for single word collections
...
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
b4b7cecaf4
Various minor desc fixes, also killed some tabs.
2013-09-16 15:50:00 -05:00
67cd62f306
Land #2366 - HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload
2013-09-16 01:44:23 -05:00
54e9cd81f3
Add module for ZDI-13-226
2013-09-13 17:31:51 -05:00
10303a8c2a
Delete debug print_status
2013-09-13 17:05:23 -05:00
dca4351303
Add check function
2013-09-13 16:51:14 -05:00
f7c4e081bb
Add module for ZDI-13-225
2013-09-13 16:40:28 -05:00
aff35a615b
Grammar fixes in descriptions
2013-09-09 15:09:53 -05:00
7d4bf0c739
Retab changes for PR #2327
2013-09-05 23:25:41 -05:00
34b499588b
Merge for retab
2013-09-05 23:24:22 -05:00
5c06a471f9
Get the call result
2013-09-05 08:33:35 -05:00
3681955f68
Use Msf::Config.data_directory
2013-09-05 08:28:50 -05:00
6b1d7545d6
Refactor, avoid duplicate code
2013-09-05 08:26:49 -05:00
b6245eea72
Update target info
2013-09-04 16:43:26 -05:00
34b3ee5e17
Update ranking and description
2013-09-04 16:10:15 -05:00
94125a434b
Add module for ZDI-13-205
2013-09-04 15:57:22 -05:00
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
15b741bb5f
Require the powershell mixin explicitly
2013-08-27 10:36:51 -05:00
6b15a079ea
Update for grammar in descriptions on new modules.
2013-08-26 14:52:51 -05:00
7b5e98d57e
Land #2269 - Oracle Endeca Server Remote Command Execution
2013-08-23 15:40:31 -05:00
ad214da3de
Switch to powershell to exec payload
2013-08-23 14:39:29 -05:00
a45f49e3b7
Use a new Ranking
2013-08-23 08:49:58 -05:00
965e2d88fe
Use normalize_uri
2013-08-21 16:49:24 -05:00
b72566b8aa
Add module for ZDI-13-190
2013-08-21 12:47:47 -05:00
ca313806ae
Trivial grammar and word choice fixes for modules
2013-08-19 13:24:42 -05:00
a75a4906f2
Description update
2013-08-16 23:28:24 -05:00
a8cc15db20
Add module for ZDI-13-178
2013-08-16 18:13:18 -05:00
6c1ba9c9c9
Switch to Failure vs Exploit::Failure
2013-08-15 14:14:46 -05:00
98e0053dc6
Fix indent level
2013-08-14 13:07:01 -05:00
7145a85fb4
Add MiniWeb (Build 300) Arbitrary File Upload
2013-08-15 01:01:46 +09:30
568181de84
Add sthetic spaces
2013-08-12 22:33:34 -05:00
6d70d4924e
Land #2206 , @PsychoSpy module for OSVDB 94097
2013-08-12 22:27:03 -05:00
7981601eb8
Do final cleanup on intrasrv_bof
2013-08-12 22:24:53 -05:00
2d3c2c1c87
Set default target to 0 because there's only one
2013-08-12 20:01:23 -05:00
51d9c59dcd
Extra tabs, bye
2013-08-12 19:13:20 -05:00
db78ffcc46
...
2013-08-12 18:21:10 -04:00
49bcec5c92
Additional cleanup
2013-08-12 18:20:03 -04:00
7014322dfd
Code cleanup
2013-08-12 18:16:00 -04:00
264fe32705
Added new badchars
2013-08-12 18:08:49 -04:00
bbc93b2a58
msftidy
2013-08-12 15:14:01 -04:00
28f030494e
Use tcp mixin/clean corrupt bytes
2013-08-12 15:12:15 -04:00
7854c452d2
Added more payload padding
2013-08-12 11:10:10 -04:00
9f33a59dc2
Fix target ret
2013-08-12 11:04:55 -04:00
6f96445b42
Change target ret/cleanup
2013-08-12 10:13:48 -04:00
a35d548979
Use HttpClient
2013-08-12 10:01:01 -04:00
896320ed42
fix typo
2013-08-11 16:48:43 -04:00
4b14fa53e0
tidy debugs
2013-08-11 16:39:41 -04:00
90ef224c46
Implement CVE-2012-5019
2013-08-11 16:33:40 -04:00
185ef2ecae
msftidy
2013-08-10 16:01:44 -04:00
6fe4e3dd0e
Added Intrasrv 1.0 BOF
2013-08-10 15:56:07 -04:00
8cc07cc571
Merge Linux and Windows exploit in multi platform exploit
2013-08-02 18:49:03 +02:00
f927d1d7d3
Increase exploit reliability
...
From some limited testing, it appears that this exploit is
missing \x0d\x0a in the bad chars. If the generated payload / hunter
or egg contain that combination, it seems to cause reliability issues
and exploitation fails.
The home page for this software can be found at
http://www.leighb.com/intrasrv.htm
2013-08-02 09:06:20 +10:00
4a127c2ed2
Add hp_sys_mgmt_exec module for Linux and enhance module for Windows
...
The hp_sys_mgmt_exec module for Linux is a port of the Windows module with minor changes due to the requirement of quotes. It also uses Perl instead of PHP as PHP may not always be in the environment PATH. Although the Windows module works perfectly, it now uses the same technique to encode the command (thankfully, PHP adopted major syntax characteristics and functions from Perl).
2013-07-31 22:05:25 +02:00
7e539332db
Reverting disaster merge to 593363c5f with diff
...
There was a disaster of a merge at 6f37cf22eb593363c5f9
2013-07-29 21:47:52 -05:00
99a345f8d1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-22 13:54:26 -05:00
164153f1e6
Minor updates to titles and descriptions
2013-07-22 13:04:54 -05:00
15b0e39617
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-21 13:47:40 -05:00
cb108a8253
Add module for ZDI-13-147
2013-07-18 15:37:11 -05:00
1a5e0e10a5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-18 13:53:57 -05:00
b90e1d54e2
Land #2117 - HP Managed Printing Administration jobAcct Command Exec
2013-07-18 13:21:11 -05:00
280529f885
Make some changes to the description
2013-07-18 13:20:36 -05:00
52079c960f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-18 12:52:42 -05:00
b94cde1d65
Name change for pyoor
2013-07-18 10:50:25 -05:00
3780b1b59f
Add module for ZDI-11-352
2013-07-18 09:39:55 -05:00
90b30dc317
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-26 14:31:52 -05:00
6ea622c45e
reference updates
2013-06-26 09:44:56 -05:00
7ab4d4dcc4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-25 17:34:29 -05:00
5b71013dde
reference updates
2013-06-25 13:41:22 -05:00
0c306260be
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-25 09:13:01 -05:00
4df943d1a2
CVE and OSVDB update
2013-06-25 02:06:20 -05:00
2150d9efb0
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-22 12:06:18 -05:00
5de7fff685
Credit
2013-06-21 21:38:40 -05:00
afa0e6c42a
Use CmdStagerVBS instead of CmdStagerTFTP
...
By using `php.exe` as stager, the bad characters can be completely
bypassed. This allows the use of the CmdStagerVBS, which should be
working on all supported Windows systems.
2013-06-22 01:13:03 +02:00
785639148c
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-20 17:18:42 -05:00
8dfe9b5318
Add login feature
2013-06-20 04:16:23 -05:00
ebde05b783
Improve check
2013-06-20 03:18:33 -05:00
20621d17de
Add CVE-2013-3576 - HP System Management Homepage exploit
2013-06-20 03:08:42 -05:00
b20a38add4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-10 12:22:52 -05:00
f58e279066
Cleanup on module names, descriptions.
2013-06-10 10:52:22 -05:00
e5a17ba227
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-05 09:41:23 -05:00
0c1d46c465
Add more references
2013-06-05 02:43:43 -05:00
46aa6d38f8
Add a check for it
2013-06-05 02:41:03 -05:00
a270d37306
Take apart the version detection code
2013-06-05 02:34:35 -05:00
25fe03b981
People like this format better: IP:PORT - Message
2013-06-05 02:26:18 -05:00
02e29fff66
Make msftidy happy
2013-06-05 02:25:08 -05:00
35459f2657
Small name change, don't mind me
2013-06-05 02:18:11 -05:00
227fa4d779
Homie needs a default target
2013-06-05 02:16:59 -05:00
ed4766dc46
initial commit of novell mdm modules
2013-06-04 09:20:10 -07:00
0f3b13e21d
up to date
2013-05-16 15:02:41 -05:00
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
352a7afcd6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-14 22:29:24 -05:00
ce594a3ba2
Deprecate modules/exploits/windows/http/sap_mgmt_con_osexec_payload
2013-05-12 08:46:40 -05:00
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
99b46202b9
Do final cleanup for sap_configservlet_exec_noauth
2013-04-26 08:45:34 -05:00
308b880d79
Land #1759 , @andrewkabai's exploit for SAP Portal Command Execution
2013-04-26 08:44:11 -05:00
5839e7bb16
simplify code
2013-04-26 12:14:42 +02:00
4aadd9363d
improve description
2013-04-26 12:13:45 +02:00
f3f60f3e02
Fixes P/P/R for target 0 (BadBlue 2.72b)
...
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken. Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.
[FixRM #7875 ]
2013-04-25 20:20:24 -05:00
9dd9b2d1ba
implement cleanup functionality
...
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
a28ef1847b
update references
2013-04-25 18:26:13 +02:00
676f2f5f4a
implement "check" functionality
2013-04-25 07:47:30 +02:00
3b46d5d4cd
fix typos
2013-04-25 07:22:16 +02:00
2759ef073e
correction on error handling
2013-04-25 07:19:27 +02:00
6b14ac5e71
add rank to module
2013-04-25 07:07:35 +02:00
f22d19a10c
remove unused code block
...
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
0339be229a
implement dynamic timeout handling
2013-04-24 18:22:37 +02:00
6f8fc81497
improve error handling
2013-04-24 17:59:11 +02:00
57113bee80
fine correction
...
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
6485124cdf
fix module name
2013-04-24 10:54:52 +02:00
358b8934bf
clarify description
2013-04-24 10:31:40 +02:00
00e6eeca54
implement command line magick to prevent bad char usage
...
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
783cca6c17
allow only ARCH_X86 payloads
2013-04-24 09:29:47 +02:00
750638e4d6
note on bad characters
2013-04-22 17:24:08 +02:00
a1e52b5b27
command execution needs cmd /c
2013-04-22 10:20:45 +02:00
d26289e05a
proper output handling in case of CMD payloads
2013-04-20 17:38:58 +02:00
d59ba37e6d
resize linemax
2013-04-20 17:37:50 +02:00
e36b58169b
implement CmbStagerVBS payload execution
2013-04-20 16:37:47 +02:00
8244c4dcac
multiple payload types, different paths to execute payloads
2013-04-20 14:20:30 +02:00
7b6a784a84
basic payload execution through OS command execution
2013-04-20 13:02:22 +02:00
223556a4e6
switch to exploit module environment
...
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
cff47771a2
initial commit
...
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
29101bad41
Removing VERBOSE offenders
2013-04-15 15:29:56 -05:00
393d5d8bf5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 19:09:42 +01:00
d54687cb37
fix typo
2013-03-25 00:58:47 +01:00
Joshua Smith
jvazquez-r7
TecR0c
Brendan Coles
William Vu
Christian Mehlmauer
Meatballs
Tod Beardsley
OJ
sinn3r
Thomas Hibbert
jvazquez-r7
Norbert Szetei
Tab Assassin
HD Moore
Nathan Einwechter
Markus Wulftange
Ruslaideemin
Steve Tornio
steponequit
James Lee
Andras Kabai
Tod Beardsley