Commit Graph

12677 Commits (496dd944e62a1d708cfb02597ec3bdc8a0a30bfb)

Author SHA1 Message Date
jvazquez-r7 bfdefdb338
Land #3023, @m-1-k-3's module for Linksys WRT120N bof reset password 2014-02-26 09:36:14 -06:00
jvazquez-r7 6ba26bf743 Use normalize_uri 2014-02-26 09:35:42 -06:00
jvazquez-r7 582372ec3e Do minor cleanup 2014-02-26 09:32:11 -06:00
jvazquez-r7 0531abb691
Land #3026, @ribeirux DoS module for CVE-2014-0050 2014-02-26 08:53:55 -06:00
jvazquez-r7 449d0d63d1 Do small clean up 2014-02-26 08:52:51 -06:00
Michael Messner b79197b8ab feedback included, cleanup, login check 2014-02-26 13:44:36 +01:00
Fr330wn4g3 b81642d8ad Update total_video_player_131_ini_bof 2014-02-26 11:37:04 +01:00
Fr330wn4g3 a7cacec0c3 Add module for EDB 29799 2014-02-25 23:07:28 +01:00
jvazquez-r7 96ffb1db47 Delete extra comma 2014-02-25 15:29:46 -06:00
jvazquez-r7 cb18639b66 Add small fixes and clean up 2014-02-25 15:25:01 -06:00
jvazquez-r7 1d4b2ea60d Add module for ZDI-14-015 2014-02-25 15:07:09 -06:00
William Vu 63bbe7bef2
Land #3034, 302 redirect for http_basic 2014-02-25 13:54:58 -06:00
William Vu 4cc91095de Fix minor formatting issues 2014-02-25 13:48:37 -06:00
jvazquez-r7 a45c8c2b4a
Land #3029, @xistence Symantec endpoint exploit 2014-02-25 07:59:35 -06:00
jvazquez-r7 bfe0fdb776 Move module 2014-02-25 07:58:00 -06:00
xistence ab167baf56 Added randomness instead of payload and xxe keywords 2014-02-25 15:23:10 +07:00
jvazquez-r7 4908d80d6c Clean up module 2014-02-24 16:00:54 -06:00
kn0 6783e31c67 Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline 2014-02-24 15:59:49 -06:00
ribeirux ead7cbc692 Author and URI fixed 2014-02-24 22:20:34 +01:00
kn0 f1e71b709c Added 301 Redirect option to Basic Auth module 2014-02-24 14:59:20 -06:00
William Vu 6f398f374e
Land #3032, inside_workspace_boundary? typo fix 2014-02-24 14:55:09 -06:00
James Lee d2945b55c1
Fix typo
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
sinn3r a50b4e88be Fix msftidy warning: Suspect capitalization in module title: 'encoder' 2014-02-24 11:25:46 -06:00
Michael Messner 2935f4f562 CMD target 2014-02-24 18:12:23 +01:00
jvazquez-r7 c981bbeab9
Land #3011, @wchen-r7's fix for Dexter exploit 2014-02-24 10:53:10 -06:00
jvazquez-r7 b2d4048f50
Land #3027, @OJ's fix for ultraminihttp_bof 2014-02-24 10:50:08 -06:00
jvazquez-r7 c9f0885c54 Apply @jlee-r7's feedback 2014-02-24 10:49:13 -06:00
sinn3r 5cdd9a2ff3
Land #2995 - sqlmap minor cleanup, description & file tests 2014-02-24 10:39:01 -06:00
bcoles a29c6cd2b4 Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write 2014-02-25 02:57:25 +10:30
xistence 5485759353 Added Symantec Endpoint Protection Manager RCE 2014-02-24 15:04:37 +07:00
xistence 8e3f70851d Added Symantec Endpoint Protection Manager RCE 2014-02-24 15:01:13 +07:00
Michael Messner 0126e3fcc8 cleanup 2014-02-23 21:17:32 +01:00
Michael Messner dbbd080fc1 a first try of the cmd stager, wget in a seperated module included 2014-02-23 20:59:17 +01:00
OJ fdd0d91817 Updated the Ultra Minit HTTP bof exploit
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:

* Correct use of alpha chars in the buffer leading up to the payload
  which results in bad chars being avoided. Bad chars muck with the
  offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
  of in the thread of the request handler. This prevents the session
  from being killed after the hard-coded 60-second timeout that is
  baked into the application.
* The handler thread terminates itself so that the process doesn't
  crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
Meatballs 2f7f344be3
Copy original sleep 2014-02-23 04:53:48 +00:00
Meatballs 6127ff92ce
Fix race condition
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs d396be963a
Use new cmd_exec_get_pid 2014-02-28 20:53:13 +00:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs e0fa1d532c
Dont think this works on vista/8 2014-02-26 23:14:17 +00:00
Meatballs 5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2014-02-25 23:15:47 +00:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs 1f08ad48a4 Fix payload_path method 2014-02-25 22:11:23 +00:00
Meatballs 6687ef80ee
Further bypassuac tidies
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney 23381ea2cb
code tidying
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
ribeirux 8f7f1d0497 Add module for CVE-2014-0050 2014-02-22 14:56:59 +01:00
Michael Messner ec8e1e3d6f small fixes 2014-02-21 21:59:45 +01:00
Michael Messner 1384150b7a make msftidy happy 2014-02-21 21:56:46 +01:00
Michael Messner c77fc034da linksys wrt120 admin reset exploit 2014-02-21 21:53:56 +01:00
jvazquez-r7 998fa06912
Land #2998, @bit4bit's fix for the vtigercrm exploit 2014-02-20 08:36:05 -06:00
jvazquez-r7 0b27cd13e8 Make module work 2014-02-20 08:35:37 -06:00
jvazquez-r7 e75a0ea948 Fix typo 2014-02-19 15:21:02 -06:00
jvazquez-r7 aa07065f67
Land #2959, reverse powershell payload by @Meatballs1 2014-02-19 15:14:54 -06:00
jvazquez-r7 9fad43da08 Add license information 2014-02-19 15:11:12 -06:00
sinn3r ed2ac95396 Always replace \ with / for Dexter exploit
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
Joe Vennix 50fb9b247e Restructure some of the exploit methods. 2014-02-19 02:31:22 -06:00
sinn3r 2e7a56b4a7
Land #3001 - SUB Encoder 2014-02-19 01:54:01 -06:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Meatballs 0480ad16aa
No common 2014-02-18 23:09:35 +00:00
William Vu e7c3b94e60
Land #3006, @todb-r7's pre-release fixes 2014-02-18 14:15:12 -06:00
Tod Beardsley 721e153c7f
Land #3005 to the fixup-release branch
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!

Conflicts:
	modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
Tod Beardsley a863d0a526
Pre-release fixes, including msftidy errors. 2014-02-18 14:02:37 -06:00
Michael Messner 3a8de6e124 replaced rhost by peer 2014-02-18 21:01:50 +01:00
William Vu 28dc742bcf Fix references and disclosure date 2014-02-18 13:59:58 -06:00
jvazquez-r7 4f9ab0b99f
Land #2903, @Meatballs1 SPN gather post module 2014-02-18 13:53:32 -06:00
jvazquez-r7 4903b05214 Fix tabs 2014-02-18 13:51:40 -06:00
William Vu c216357815
Land #3000, audiotran_pls_1424 SEH exploit 2014-02-18 13:27:14 -06:00
Michael Messner 66e2148197 linksys themoon command execution exploit 2014-02-18 19:43:47 +01:00
Michael Messner 4dda7e6bad linksys themoon command execution exploit 2014-02-18 19:42:50 +01:00
Meatballs 8a68323cf0
Dont keep checking domain 2014-02-18 17:52:34 +00:00
jvazquez-r7 1bc94b8a9d Merge for retab 2014-02-17 19:19:47 -06:00
Meatballs e290529841
Sadly this url is dead 2014-02-17 22:07:19 +00:00
Meatballs 6c32848b10
Use correct post methods 2014-02-17 22:03:07 +00:00
Joe Vennix 57449ac719 Adds working shellcode exec local exploit. 2014-02-17 15:31:45 -06:00
Meatballs 83d9a1e7c2
Xp Compat? 2014-02-17 21:28:06 +00:00
Meatballs 5e52e48d16
Gather cached GPO 2014-02-17 20:45:56 +00:00
Philip OKeefe 98958bc7bc Making audiotran_pls_1424 more readable and adding comments 2014-02-17 13:40:03 -05:00
sinn3r 52ac85be11
Land #2931 - Oracle Forms and Reports RCE 2014-02-17 08:54:23 -06:00
sinn3r 110ffbf342 Indent looks off for this line 2014-02-17 08:53:29 -06:00
sinn3r 632ea05688 100 columns 2014-02-17 08:52:56 -06:00
sinn3r 8da7ba131b In case people actually don't know what RCE means 2014-02-17 08:51:48 -06:00
sinn3r 73459baefd Add OSVDB references 2014-02-17 08:50:34 -06:00
Mekanismen fb7b938f8e check func fixed 2014-02-17 15:11:56 +01:00
OJ b2d09ed0d1 Add the NULL byte to the list of valid chars
While rare, I guess it is a possibility that the NULL byte can be
used.
2014-02-17 16:40:56 +10:00
xistence 1864089085 removed rport definition 2014-02-17 11:32:24 +07:00
Philip OKeefe c60ea58257 added audiotran_pls_1424 fileformat for Windows 2014-02-16 16:20:50 -05:00
Mekanismen e27d98368e fixed local server issues 2014-02-16 18:26:08 +01:00
Mekanismen e40b9e5f37 updated and improved 2014-02-16 16:24:39 +01:00
OJ e134ec4691 Remove '*' from valid file system chars 2014-02-16 23:57:54 +10:00
OJ a808053c37 Add first pass of optimised sub encoder
Full details of the encoder are in the detailed description in the
source itself. But this is effectively an "optimised" SUB encoder
which is similar to the add_sub encoder except it doesn't bother to
use the ADD instructions at all, and it doesn't zero out EAX for
each 4-byte block unless absolutely necessary. This results in
payloads being MUCH smaller (in some cases 30% or more is saved).
2014-02-16 20:12:14 +10:00
Jovany Leandro G.C 74344d6c7e vtigerolservice.php to vtigerservice.php
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
Matteo Cantoni 8a24da9eea Module to query Jboss status servlet 2014-02-15 17:46:52 +01:00
Tod Beardsley f6be574453
Slightly better file checks on sqlmap.py 2014-02-15 09:58:03 -06:00
Tod Beardsley dacbf55fc1
Minor cleanup of title and desc on sqlmap 2014-02-15 09:55:06 -06:00
Mekanismen b7d69c168c bugfix and user supplied local path support 2014-02-15 16:24:59 +01:00
sinn3r 9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec 2014-02-14 17:16:27 -06:00
sinn3r 48199fec27 Change URL identifier, and make the user choose a target 2014-02-14 17:15:00 -06:00
Meatballs c39924188a
Clean up 2014-02-14 20:52:04 +00:00
Royce Davis 0e7074c139 Modififed output for smb_enumshares module 2014-02-14 13:39:13 -06:00
Royce Davis 6dc9840064 Modified output for smb_enumshares 2014-02-14 13:12:52 -06:00
jvazquez-r7 b2ea257204 Include Linux::System post mixin 2014-02-14 08:32:21 -06:00
Meatballs1 ad72ecaf84 Handle SPN array 2014-02-14 09:48:23 +00:00
Meatballs1 4b828e5d45 Dont parse empty SPNs 2014-02-14 09:41:37 +00:00
Meatballs1 2c12952112 Moar corrections 2014-02-14 09:37:00 +00:00
Meatballs1 9dd56d32de Corrections 2014-02-14 09:32:53 +00:00
Meatballs1 7ef68184e1 Handle SPNs differently 2014-02-13 23:24:55 +00:00
Meatballs1 95048b089e Dont search for made up fields 2014-02-13 22:51:55 +00:00
Russell Sim ee3f1fc25b Record successful passwordless access to mongodb 2014-02-14 08:52:17 +11:00
Tod Beardsley 745f313413
Remove @nmonkee as author per twitter convo 2014-02-13 14:41:10 -06:00
Tod Beardsley 371f23b265
Unbreak the URL refs add nmonkee as ref and author
While @nmonkee didn't actually contribute to #2942, he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.

Also added a ref to @nmonkee's thing.

@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
Matteo Cantoni 7c860b9553 fix description 2014-02-13 21:11:50 +01:00
jvazquez-r7 61563fb2af Do minor cleanup 2014-02-13 09:10:04 -06:00
jvazquez-r7 67367092b7 Solve conflicts 2014-02-13 08:42:53 -06:00
William Vu a4035252d6 Land #1910, DISCLAIMER for firefox_creds
Fixed conflict in Author.
2014-02-12 16:32:08 -06:00
jvazquez-r7 51896bcf74
land #2984, @wchen-r7's [FixRM #8765] NameError uninitialized constant in enum_ad_user_comments 2014-02-12 15:31:54 -06:00
sinn3r ce2de8f3bf Different way to write this 2014-02-12 15:08:20 -06:00
Peter Arzamendi 5ef40e3844 Removed bad sets on datastore['USERNAME'] and datastore['PASSWORD'] 2014-02-12 13:31:03 -06:00
jvazquez-r7 ff267a64b1 Have into account the Content-Transfer-Encoding header 2014-02-12 12:40:11 -06:00
sinn3r 45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb 2014-02-12 11:14:25 -06:00
Peter Arzamendi 2b8a8259f9 Updates to support OWA 2013 and some syntax changes 2014-02-12 09:40:49 -06:00
jvazquez-r7 a59ce95901
Land #2970, @sgabe exploit for CVE-2010-2343 2014-02-12 08:10:53 -06:00
jvazquez-r7 9845970e12 Use pop#ret to jump over the overwritten seh 2014-02-12 08:10:14 -06:00
sgabe 11513d94f5 Add Juan as author 2014-02-12 12:17:02 +01:00
sgabe 3283880d65 Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
This partially reverts commit 12471660e9.
2014-02-12 12:09:16 +01:00
xistence 6944c54d13 Added EXTENDED option to smtp_relay 2014-02-12 15:44:53 +07:00
sinn3r 0f620f5aba Fix Uninitialized Constant RequestError
[SeeRM #8765] NameError uninitialized constant
2014-02-12 00:23:23 -06:00
sgabe 7195416a04 Increase the size of the NOP sled 2014-02-12 02:35:53 +01:00
sgabe 3f09456ce8 Minor code formatting 2014-02-11 23:53:04 +01:00
sgabe 7fc3511ba9 Remove unnecessary NOPs 2014-02-11 23:48:54 +01:00
sgabe 12471660e9 Replace unnecessary NOP sled with random text 2014-02-11 23:48:04 +01:00
sgabe 184ccb9e1e Fix payload size 2014-02-11 23:42:58 +01:00
William Vu c67c0dde8f Land #2972, enum_system find/save logs/S[UG]ID 2014-02-11 15:45:27 -06:00
jvazquez-r7 1f0020a61c
Land #2946, @jlee-r7's optimization of the x86 block_api code 2014-02-11 15:00:00 -06:00
bwall 783e62ea85 Applied changes from @wchen-r7's comments 2014-02-11 10:14:52 -08:00
jvazquez-r7 3717374896 Fix and improve reliability 2014-02-11 10:44:58 -06:00
jvazquez-r7 51df2d8b51 Use the fixed API on the mediawiki exploit 2014-02-11 08:28:58 -06:00
Roberto Soares Espreto 68578c15a3 find command modified 2014-02-11 10:08:12 -02:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
Roberto Soares Espreto f181134ef8 Removed hard tabs 2014-02-10 23:16:04 -02:00
sgabe e8a3984c85 Fix ROP NOP address and reduce/remove NOPs 2014-02-11 00:29:37 +01:00
Meatballs 39be214413
Dont use quotes and start in a console 2014-02-10 23:15:59 +00:00
William Vu e6905837eb
Land #2960, rand_text_alpha for amaya_bdo 2014-02-10 16:44:11 -06:00
bwall 13fadffe7e Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial 2014-02-10 13:44:30 -08:00
Meatballs a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-10 21:43:56 +00:00
Roberto Soares Espreto 2e720f8f0f Post::Linux - Added to search for files with setuid/setgid and logfiles 2014-02-10 19:24:51 -02:00
Tod Beardsley 1236a4eb07
Fixup on description and some option descrips 2014-02-10 14:41:59 -06:00
jvazquez-r7 3d4d5a84b6
Land #2957, @zeroSteiner's exploit for CVE-2013-3881 2014-02-10 13:59:45 -06:00
jvazquez-r7 502dbb1370 Add references 2014-02-10 13:55:02 -06:00
sinn3r 8a8bc74687
Land #2940 - DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials 2014-02-10 13:49:02 -06:00
sinn3r 306b31eee3
Small changes before merging 2014-02-10 13:47:31 -06:00
sgabe 08b6f74fb4 Add module for CVE-2010-2343 2014-02-10 20:46:09 +01:00
jvazquez-r7 abb03d0bbe Fixing messages 2014-02-10 13:10:42 -06:00
jvazquez-r7 541bb6134e Change exploit filename 2014-02-10 13:06:23 -06:00
jvazquez-r7 2e130ce843 Make it work with Reader Sandbox 2014-02-10 13:04:13 -06:00
Tod Beardsley 7c43565ea8
Include missing require for powershell 2014-02-10 11:02:53 -06:00
jvazquez-r7 5672a4dae5
Land #2962, @Meatballs1 RequiredCmd property for ARCH_CMD win payloads 2014-02-10 09:51:08 -06:00
jvazquez-r7 8ece4a7750 Delete debug print 2014-02-10 08:57:45 -06:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
Spencer McIntyre 0ac1acda70 Upgrade toolchain to Visual Studio 2013 v120. 2014-02-10 09:35:07 -05:00
xistence 02fb84db20 Changed dns_amp to avoid false positives 2014-02-10 17:13:06 +07:00
sinn3r c96116b193
Land #2949 - Add module Kloxo SQLi 2014-02-08 13:45:11 -06:00
Meatballs 6234528c25
Keep it secret keep it safe 2014-02-08 19:29:01 +00:00
Meatballs 9f04e0081d
Stick with command let encoder handle encoding 2014-02-08 19:28:03 +00:00
Meatballs 92f779ed1b
Cant handle space characters either 2014-02-08 19:16:42 +00:00
Meatballs a42e97395b
Powershell cmd encoder 2014-02-08 19:09:57 +00:00
Meatballs 93b07b0e48
Add missing RequiredCmds 2014-02-08 12:24:49 +00:00
David Maciejak 32c02dd56a Added some randomness 2014-02-08 11:27:25 +08:00
Meatballs 80814adaf9
Credit where credits due 2014-02-08 01:42:45 +00:00
Meatballs efe4d6b41a
Tidyup 2014-02-08 01:03:02 +00:00
Meatballs 2d1a0c3a01
Windows CMD love too 2014-02-08 01:00:31 +00:00
Meatballs dcff06eba1
More verbose failure messages 2014-02-07 23:59:28 +00:00
sinn3r 66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec 2014-02-07 17:41:35 -06:00
sinn3r bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell) 2014-02-07 17:39:06 -06:00
Meatballs 783a986a19
Windows and auto target up and running 2014-02-07 23:26:57 +00:00
Meatballs a0f47f6b2b
Correct error check logic 2014-02-07 22:06:53 +00:00
Meatballs 443a51bbf5
Undo revert from merge 2014-02-07 21:28:04 +00:00
Meatballs 56359aa99f
Merge changes from other dev machine 2014-02-07 21:22:44 +00:00
Meatballs a4cc75bf98
Potential .pdf support 2014-02-07 20:37:44 +00:00
Meatballs e13520d7fb
Handle a blank filename 2014-02-07 20:15:32 +00:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
James Lee f0fd2f0598
Land #2944, add platforms to encoders
This allows encoders to advertise compatibility with a particular
platform (or more accurately, non-compatibility with everything that
isn't that platform).

See also #2939
2014-02-07 13:38:05 -06:00
sinn3r 63305025aa
Land #2615 - Add Windows Gather Active Directory User Comments 2014-02-07 12:23:43 -06:00
sinn3r 9c76e7fb00 Handle multiple exceptions 2014-02-07 12:23:10 -06:00
sinn3r 40188e1eda
RuntimeError exception should be handled. 2014-02-07 12:16:15 -06:00
jvazquez-r7 c679b1001b Make pring_warning verbose 2014-02-07 10:23:07 -06:00
grimmlin 2d93b38e2a Fixed java_signed_applet for Java 7u51 2014-02-07 16:29:50 +01:00
Spencer McIntyre f686385349 Remove an unnecessary VS file and modify version check. 2014-02-07 08:45:51 -05:00
jvazquez-r7 a18de35fa7 Add module for ZDI-14-011 2014-02-06 18:25:36 -06:00
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
James Lee 4b37cc7243
Land #2927, PandoraFMS anyterm exploit 2014-02-06 15:22:23 -06:00
James Lee 4236abe282
Better SIGHUP handling 2014-02-06 15:21:54 -06:00
William Vu 19fff3c33e
Land #2942, @jvennix-r7's Android awesomesauce
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
Joe Vennix 362e937c8d Forgot to push local changes. 2014-02-06 11:47:35 -06:00
Joe Vennix 0dc2ec5c4d Use BrowserExploitServer mixin.
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
jvazquez-r7 ac52edabd5
Land #2801, Land @kicks4kittens IBM Sametime modules 2014-02-06 10:17:03 -06:00
jvazquez-r7 30c325c22e Make better json check 2014-02-06 10:16:26 -06:00
kicks4kittens 564f9bccc8 Correct print output
Printing the room details is the purpose of the module.
Reinstated printing the table in non-verbose mode (users won't know it's there otherwise)
2014-02-05 22:00:02 +01:00
kicks4kittens 445cd7be5a remove "on {peer}
line already includes {peer} info
2014-02-05 21:57:58 +01:00
kicks4kittens 4c0c9101aa Correct check, reinstate print
Corrected JSON check (response is empty, but valid JSON on check success)
Reinstated print to warn user (not only in VERBOSE)
2014-02-05 21:56:56 +01:00
kicks4kittens 60cf68f899 added default SSL 2014-02-05 21:54:02 +01:00
kicks4kittens 3560b41eb2 correct variable name
body isn't valid, replaced with res.body and tested
2014-02-05 21:51:55 +01:00
kicks4kittens 38add0ab50 alter print_status
Altered print_status to print_good to differentiate when user is online easier
2014-02-05 21:49:39 +01:00
jvazquez-r7 fdb954fdfb Report credentials 2014-02-05 14:37:33 -06:00
jvazquez-r7 631559a2e8 Add module for Kloco SQLi 2014-02-05 14:18:56 -06:00
James Lee 14aa8ffd5c
Apply blockapi changes to bind_tcp and bind_tcp_rc4 2014-02-04 17:45:18 -06:00
Joe Vennix 553616b6cc Add URL for browser exploit. 2014-02-04 17:04:06 -06:00
Tod Beardsley 3a6626761b
Land #2945, obsolete old modules
Obsoletes:

modules/auxiliary/admin/scada/igss_exec_17.rb
modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb
modules/post/windows/gather/resolve_hosts.rb
modules/post/windows/manage/persistence.rb
2014-02-04 15:11:25 -06:00
sinn3r bda93c2bbc
Land #2811 - Add generate_war to jsp_shell payloads 2014-02-04 15:06:45 -06:00
sinn3r 89e1bcc0ca Deprecate modules with date 2013-something
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
jvazquez-r7 80e7ae144b Use the platform when selecting the payload 2014-02-04 14:34:11 -06:00
Joe Vennix 23fc73924e Msftidy it up. 2014-02-04 14:24:36 -06:00
James Lee 20b8062220
Apply blockapi changes to reverse_tcp_rc4 2014-02-04 12:30:56 -06:00
James Lee c70680cf1c
Fix infinite-retry bug
Derp, block_api clobbers ecx
2014-02-04 11:59:16 -06:00
William Vu a58698c177
Land #2922, multithreaded check command 2014-02-04 11:21:05 -06:00
Meatballs 0a3cb3377f
AppendEncoder 2014-02-04 15:41:10 +00:00
Meatballs 26c506da42
Naming of follow method 2014-02-04 15:25:51 +00:00
James Lee 9c3664bd45
Unify reverse_http and reverse_https
This will make copy-pasta less painful in the future.  There's still the
problem of reverse_https_proxy being very similar, but the logic in how
it gets generated in the module is more than i want to tackle right now
2014-02-04 09:09:12 -06:00
Meatballs f5fa3fb5ce
Windows compat, fixed PHP-CLI 2014-02-04 14:27:10 +00:00
Meatballs 64d11e58c2
Use semicolon for win compat 2014-02-04 13:53:33 +00:00
jvazquez-r7 cccf2e4258
Land #2926, @xistence A10 Networks Loadbalancer dir traversal module 2014-02-04 07:28:51 -06:00
jvazquez-r7 cc09367c62 Change the datastore name option 2014-02-04 07:28:14 -06:00
Joe Vennix 700e09f386 Wording tweak. 2014-02-04 02:55:10 -06:00
Joe Vennix bbabd72b0e Whitespace tweaks. 2014-02-04 02:52:52 -06:00
Joe Vennix eb6a5a4c19 Tweak checks. 2014-02-04 02:49:44 -06:00
Joe Vennix 4923a93974 Tweak description. 2014-02-04 02:47:49 -06:00
Joe Vennix 37479884a5 Add browserautopwn support. 2014-02-04 02:32:12 -06:00
Joe Vennix eba3a5aab0 More accurate description. 2014-02-04 01:44:39 -06:00
Joe Vennix 177bd35552 Add webview HTTP exploit. 2014-02-04 01:37:09 -06:00
Meatballs 2fd8257c7e
Use bperry's trigger 2014-02-04 00:51:34 +00:00
Meatballs a8ff6eb429
Refactor send_request_cgi_follow_redirect 2014-02-03 21:49:49 +00:00
Meatballs 83925da2f1
Refactor form_data code 2014-02-03 21:16:58 +00:00
James Lee f163bc7f7a
Unbreak reverse_https_proxy
Broken by #2448, 063da8a22e
2014-02-03 15:07:59 -06:00
Tod Beardsley 7e2a9a7072
More desc fixes, add a vprint to give a hint 2014-02-03 13:18:52 -06:00
Tod Beardsley d34020115a
Fix up on apache descs and print_* methods 2014-02-03 13:13:57 -06:00
jvazquez-r7 ffd90a3d38 Add confirmation datastore option 2014-02-03 12:40:58 -06:00
Tod Beardsley 9953821451
Fix desc on Drupal module, some peer prints 2014-02-03 12:16:06 -06:00
Meatballs 08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
Conflicts:
	lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
James Lee be0b9fc2f8 Use the new block_api in windows/reverse_tcp 2014-02-03 11:34:52 -06:00
James Lee bfc0ac4dd4 Golf a few bytes off of reverse_http(s) 2014-02-03 11:33:55 -06:00
bcoles 9b9b2fab58 Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module 2014-02-04 02:00:11 +10:30
jvazquez-r7 a92256e8d1 Clean a10networks_ax_directory_traversal 2014-02-03 08:41:23 -06:00
xistence 50f860757b Changes made to pandora_fms_exec module as requested 2014-02-03 14:10:27 +07:00
sinn3r e54abb4274
Add support for shell session type 2014-02-02 23:37:56 -06:00
sinn3r ae84e354e8
Be consistent with get_smartermail_creds method's return value 2014-02-02 22:06:14 -06:00
sinn3r 662fbf53b6
Update check_smartermail method
Instead of using exception handling to determine the right path,
the new method simply uses the file? method. It's also renamed as
"get_mail_config_path" to properly describe its functionality.
2014-02-02 22:01:38 -06:00
sinn3r 2b2194cee8
Modify prints 2014-02-02 21:58:10 -06:00
Meatballs 67c18d8d2d
I had a problem, then I used regex. 2014-02-02 22:19:54 +00:00
Meatballs 95eb758642
Initial commit 2014-02-02 19:04:38 +00:00
Meatballs 57f4998568
Better failures and handle unconfigured server 2014-02-02 16:26:22 +00:00
Meatballs 9fa9402eb2
Better check and better follow redirect 2014-02-02 16:07:46 +00:00
Meatballs 0d3a40613e
Add auto 30x redirect to send_request_cgi 2014-02-02 15:03:44 +00:00
Meatballs 8b33ef1874
Not html its form-data... 2014-02-02 13:57:29 +00:00
bcoles 62dca111f8 Conform to style 2014-02-02 08:07:18 +10:30
bcoles e30195348e Add Windows Gather SmarterMail Password Extraction post module 2014-02-02 05:51:21 +10:30
Meatballs 7ddc6bcfa5
Final tidyup 2014-02-01 01:05:02 +00:00
Meatballs 486a9d5e19
Use msf branded djvu 2014-02-01 00:37:28 +00:00
Meatballs fd1a507fda
Rename file 2014-02-01 00:27:32 +00:00
Meatballs 700c6545f0
Polished 2014-02-01 00:26:55 +00:00
William Vu a5bff638c5 Remove EOL spaces 2014-01-31 15:01:03 -06:00
Mekanismen 5a883a4477 updated 2014-01-31 21:59:26 +01:00
Meatballs 7fa1522299
Initial commit 2014-01-31 18:51:18 +00:00
sinn3r b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution 2014-01-31 12:06:58 -06:00
sinn3r 60ead5de43 Explain why we flag the vuln as "Appears" instead of vulnerable 2014-01-31 12:05:58 -06:00
jvazquez-r7 2fca2da9f7 Add an vprint message on check 2014-01-31 11:57:20 -06:00
jvazquez-r7 356692f2f5
Land #2923, @rangercha tomcat deploy module compatible with tomcat8 2014-01-31 10:53:53 -06:00
jvazquez-r7 53c2a737e9 Don't register rport again 2014-01-31 09:42:41 -06:00
jvazquez-r7 452042e757
Land #2925, @xistence aux module for Support Center Plus traversal 2014-01-31 09:38:01 -06:00
jvazquez-r7 e9f04d9203 Do final cleanup for Support Center Plus module 2014-01-31 09:37:40 -06:00
jvazquez-r7 a010748056
Land #2924, @xistence's exploit for CVE-2014-1683 2014-01-31 09:20:10 -06:00
jvazquez-r7 710902dc56 Move file location 2014-01-31 09:18:59 -06:00
jvazquez-r7 810605f0b7 Do final cleanup for the skybluecanvas exploit 2014-01-31 09:17:51 -06:00
jvazquez-r7 32c5d77ebd
Land #2918, @wvu's fix for long argument lists 2014-01-31 08:49:22 -06:00
Mekanismen f6291eb9a8 updated 2014-01-31 14:33:18 +01:00
xistence e81a0ed22b Changes as requested for SupportCenterPlus module 2014-01-31 13:28:45 +07:00
xistence ffd8f7eee0 Changes as requested in SkyBlue Canvas RCE module 2014-01-31 12:52:48 +07:00
jvazquez-r7 93db1c59af Do small fixes 2014-01-30 17:16:43 -06:00
jvazquez-r7 9daacf8fb1 Clean exploit method 2014-01-30 16:58:17 -06:00
jvazquez-r7 4458dc80a5 Clean the find_csrf mehtod 2014-01-30 16:39:19 -06:00
jvazquez-r7 697a86aad7 Organize a little bit the code 2014-01-30 16:29:45 -06:00
jvazquez-r7 50317d44d3 Do more easy clean 2014-01-30 16:23:17 -06:00
jvazquez-r7 1a9e6dfb2a Allow check to detect platform and arch 2014-01-30 15:17:20 -06:00
jvazquez-r7 b2273dce2e Delete Automatic target
It isn't usefull at all, when auto targeting is done, the payload (java platform and arch)
has been already selected.
2014-01-30 15:04:08 -06:00
jvazquez-r7 cebbe71dba Do easy cleanup of exploit 2014-01-30 14:42:02 -06:00
jvazquez-r7 c336133a8e Do a first clean related to auto_target 2014-01-30 14:27:20 -06:00
jvazquez-r7 57b8b49744 Clean query_manager 2014-01-30 14:20:02 -06:00
jvazquez-r7 148e51a28b Clean metadata and use TARGETURI 2014-01-30 14:03:52 -06:00
William Vu 56287e308d Clean up unused variables 2014-01-30 11:20:21 -06:00
Mekanismen e7ab77c736 added module for Oracle Forms and Reports 2014-01-30 14:45:17 +01:00
xistence 8ac0ef396e Added DNS recursion amplification scanner 2014-01-29 14:21:21 +07:00
xistence d3be54fed6 Added Extended SMTP Open Relay aux module 2014-01-29 13:46:54 +07:00
xistence 9a929e75e4 Added Pandora FMS RCE 2014-01-29 12:46:23 +07:00
xistence c8296298b3 added A10Networks AX loadbalancer Dir Traversal Auxiliary Module 2014-01-28 16:37:25 +07:00
xistence 32d7f15a5c added ManageEngine Support Center Plus directory traversal auxiliary module 2014-01-28 15:45:23 +07:00
xistence bac6e2a3e1 added SkyBlueCanvas CMS 1.1 r248-03 RCE 2014-01-28 11:06:25 +07:00
jvazquez-r7 f766a74150
Land #2920, @wvu-r7's author metadata update for printer aux modules 2014-01-27 13:02:31 -06:00
William Vu d19e9307c6 Fix missing colon in :caller_host symbol
Good catch, @jvazquez-r7!
2014-01-27 12:43:59 -06:00
jvazquez-r7 0dbaeb6742 Add Matteo's email 2014-01-27 08:40:44 -06:00
jvazquez-r7 f086655075
Land #2913, @bcoles Exploit for Simple E-Document 2014-01-27 08:09:45 -06:00
jvazquez-r7 861126fdbd Clean exploit code 2014-01-27 08:09:18 -06:00
RangerCha a49473181c Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 09:04:59 -05:00
sinn3r f471f50092 ms08_067_check.rb is deprecated.
[SeeRM #8755]
2014-01-26 12:22:13 -06:00
jvazquez-r7 8fe74629fe Allow send_request_cgi to take care of the uri encoding 2014-01-26 00:06:41 -06:00
jvazquez-r7 37adf1251c Delete privileged flag because is configuration dependant 2014-01-25 18:25:31 -06:00
jvazquez-r7 038cb7a981 Add module for CVE-2012-0394 2014-01-25 18:17:01 -06:00
William Vu 52371be52a Clarify why contributors are listed as authors
Also adding @mcantoni to the list of authors. Sorry we missed you!

Dear contributors,

Even though we weren't able to use your code, we absolutely appreciate
that you wrote it. That's why we're listing you as authors. Thanks!!!

https://dev.metasploit.com/redmine/issues/6034
https://dev.metasploit.com/redmine/issues/5217
https://dev.metasploit.com/redmine/issues/6864
2014-01-25 18:02:17 -06:00
sinn3r cc4dea7d49 Was playing with ms08_067 check and realized I forgot this print 2014-01-25 16:15:52 -06:00
Matteo Cantoni f18fef1864 Module to HP LaserJet Printer SNMP Enumeration 2014-01-25 15:48:13 +01:00
William Vu eaeb2af97f Use opts hash for h323_version
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:32:37 -06:00
William Vu 7c5229e2eb Use opts hash for glassfish_deployer
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:17:02 -06:00
William Vu 47b9bfaffc Use opts hash for adobe_pdf_embedded_exe
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:16:53 -06:00
sinn3r a7fa4e312b This module fails to load due to the missing end 2014-01-24 17:56:47 -06:00
jvazquez-r7 9db295769d
Land #2905, @wchen-r7's update of exploit checks 2014-01-24 16:49:33 -06:00
sinn3r f7ecae3f75
Land #2909 - Drupal OpenID External Entity Injection 2014-01-24 15:03:07 -06:00
sinn3r c8e2301111 Be more informative about why CheckCode::Unknown
This is just kind of personal preference here. In case users wonder
why Unknown.
2014-01-24 15:01:52 -06:00
sinn3r cdc425e4eb Update some checks 2014-01-24 12:08:23 -06:00
Tod Beardsley 82bf02910d
Land #2911, correct author name for PJL credit 2014-01-24 11:00:12 -06:00
jvazquez-r7 fdaa172cc5
Land #2896, @wchen-r7's check's normalization for auxiliary modules 2014-01-24 08:53:53 -06:00
jvazquez-r7 e8b591ef54 Delete registering of check on bailiwicked modules 2014-01-24 08:47:04 -06:00
sgabe 16b8b58a84 Fix the dwSize parameter 2014-01-24 11:38:57 +01:00
sgabe 8f6dcd7545 Add some randomization to the ROP chain 2014-01-24 10:28:59 +01:00
bcoles 32d6032893 Add Simple E-Document Arbitrary File Upload module 2014-01-24 19:19:25 +10:30
sinn3r 9ba72ffc71 Remove check support
Actually, you can't support check because in check mode the module
doesn't know the IP
2014-01-23 21:30:11 -06:00
sinn3r dc52d00be6 Modify vmware_http_login to work with check 2014-01-23 21:27:36 -06:00
jvazquez-r7 cf17bf2e72 Small fix 2014-01-23 19:34:50 -06:00
jvazquez-r7 43de7eb74f Use REXML 2014-01-23 19:32:42 -06:00
William Vu a67068f019 Correct author name
Was using the name quoted in Redmine. Technically, the author is Myo Soe
of the YGN Ethical Hacker Group (YEHG).
2014-01-23 19:09:20 -06:00
jvazquez-r7 5a59e3d4e4 Fix typo 2014-01-23 18:53:58 -06:00
jvazquez-r7 f529eb1d4b Clean code 2014-01-23 18:51:24 -06:00
sgabe 021aa77f5f Add module for BID-46926 2014-01-24 01:48:21 +01:00
jvazquez-r7 8e17d38c77 Add check method 2014-01-23 18:30:18 -06:00
Meatballs 09b70d1574
Remove max search 2014-01-24 00:27:46 +00:00
Meatballs 0a15e07473
Merge remote-tracking branch 'upstream/master' into service_principle_name 2014-01-24 00:26:52 +00:00
Meatballs 5880f7ebf2
Remove max search 2014-01-24 00:25:03 +00:00
Meatballs f6054e6581
Merge remote-tracking branch 'upstream/master' into enum_ad_users 2014-01-24 00:24:31 +00:00
jvazquez-r7 b0deb45fad Add Drupal advisory as reference 2014-01-23 18:10:57 -06:00
jvazquez-r7 6d0d7eda10 Delete garbage comment 2014-01-23 18:09:05 -06:00
jvazquez-r7 72b72effa6 Add module for CVE-2012-4554 2014-01-23 18:04:31 -06:00
Meatballs1 982795ee5d Merge pull request #32 from todb-r7/saner-ifs-pr1473
Clean up the if.nils?
2014-01-23 15:50:25 -08:00
Meatballs 790e4d7559
Move options to mixin 2014-01-23 23:47:46 +00:00
Tod Beardsley e066d86d41
Clean up the if.nils? 2014-01-23 17:36:10 -06:00
sinn3r 7faa41dac0 Change Unknown to Safe because it's just a banner check 2014-01-23 15:36:19 -06:00
sinn3r 81a3b2934e Fix prints 2014-01-23 15:33:24 -06:00
sinn3r f5a935a186 Support check for bailiwicked_host 2014-01-23 15:31:37 -06:00
sinn3r 8d411d2037 Fix bailiwicked_domain to allow support of check() 2014-01-23 15:29:40 -06:00
sinn3r c403c521b3 Change check code 2014-01-23 11:03:40 -06:00
sinn3r 0a10c1297c Address nil 2014-01-23 11:00:28 -06:00
sinn3r 333229ea7e Throw Unknown if connection times out 2014-01-23 10:54:45 -06:00
Meatballs 6e8b6732c2
Merge remote-tracking branch 'upstream/master' into service_principle_name 2014-01-22 21:50:10 +00:00
Meatballs c109a32165
Merge remote-tracking branch 'upstream/master' into enum_ad_users 2014-01-22 21:48:34 +00:00
sinn3r 7f560a4b41 Oops, I broke this module 2014-01-22 11:23:18 -06:00
sinn3r c83053ba9b Progress 2014-01-22 11:20:10 -06:00