ad832adfc1
Land #2846 - Update mipsle shell_bind_tcp shellcode
2014-01-13 17:37:08 -06:00
b7b1ddf1e8
Sercomm Exploit module fixes
...
Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
Added functionality to the CmdStagerEcho mix-in to support encoding via
octal instead of hex based on the :enc_type option. This is because many
devices would not output hex encoded values properly.
Added options on a per-target basis for the PackFormat (endian pack()
values for communication), UploadPath (because /tmp wasn't always
writable), and PayloadEncode (previously mentioned octal encoding
option)
Note for some reason, some devices communicate over one endianness, but
then require a payload for the other endianess. I'm not sure what's
causing this, but if those specific combinations are not used, the
exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00
804b26bac6
Land #2872 , switch for ARCH_MIPSBE
2014-01-13 15:10:27 -06:00
24c57b34a7
Have into account endianess
2014-01-13 15:04:23 -06:00
7c52f9b496
Update description to use %q{}
2014-01-13 14:42:25 -06:00
61b30e8b60
Land #2869 , pre-release title/desc fixes
2014-01-13 14:29:27 -06:00
207e9c413d
Add the test info for sercomm_dump_config
2014-01-13 14:27:03 -06:00
e6e6d7aae4
Land #2868 , fix Firefox mixin requires
2014-01-13 14:23:51 -06:00
fe6d10ac5d
Land #2852 , @mandreko's scanner for OSVDB 101653
2014-01-13 14:07:07 -06:00
671027a126
Pre-release title/desc fixes
2014-01-13 13:57:34 -06:00
8c3a71a2e7
Clean sercomm_backdoor scanner according to feedback
2014-01-13 13:53:47 -06:00
f11322b29f
Oh right, msftidy.
2014-01-13 13:44:34 -06:00
3db143c452
Remove explicit requires for FF payload.
...
Adds ff payload require to msf/core/payload.rb
2014-01-13 13:07:55 -06:00
771bd039a0
Land #2863 - Update realplayer_ver_attribute_bof.rb
...
Refs & ROP
2014-01-13 11:29:52 -06:00
bc9c865c25
Land #2865 - js payload to firefox_svg_plugin & add BA support for FF JS exploits
2014-01-13 11:17:36 -06:00
95a5d12345
Merge #2835 , #2836 , #2837 , #2838 , #2839 , #2840 , #2841 , #2842 into one branch
2014-01-13 10:57:09 -06:00
e7cc3a2345
Removed unnecessary target
2014-01-13 13:17:16 +01:00
26d17c03b1
Replaced ROP chain
2014-01-13 02:54:49 +01:00
f78ec1eeb2
Make sure we unwrap the SecurityWrapper.
2014-01-12 10:46:23 -06:00
b3b04c4159
Fix both firefox js exploits to use browser_autopwn.
2014-01-11 17:34:38 -06:00
d657a2efd3
Added DEP Bypass
2014-01-11 20:31:28 +01:00
72d15645df
Added more references
2014-01-11 20:30:50 +01:00
bd91e36e06
Land #2851 , @wchen-r7's virustotal integration
2014-01-10 19:12:56 -06:00
d1d45059f2
use session_host instead
2014-01-10 18:27:03 -06:00
8534f7948a
Change the post module's default api key as well (to Metasploit's)
2014-01-10 17:59:51 -06:00
8449005b2a
Fixed CVE identifier.
2014-01-10 23:45:34 +01:00
140d1fbf90
Land #2847 - Add MIPS big endian single shell_bind_tcp payload
2014-01-10 15:06:35 -06:00
202e19674c
Land #2856 - Fix ARMLE stagers
2014-01-10 15:05:03 -06:00
96ba41a4b0
Land #2844 - Fix the mipsbe shell_reverse_tcp payload
2014-01-10 15:00:39 -06:00
cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells
2014-01-10 14:29:32 -06:00
238d052073
Update description
...
key is no longer required.
2014-01-10 04:02:01 -06:00
da273f1440
Update the use of report_note
2014-01-10 01:49:07 -06:00
807d8c12c7
Have a default API key
...
Modules now should have a default API key. See the following for
details:
http://blog.virustotal.com/2012/12/public-api-request-rate-limits-and-tool.html
2014-01-10 01:26:42 -06:00
4e8092aceb
Fix armle stagers
2014-01-09 17:34:59 -06:00
9d14dd59eb
Delete parentheses
2014-01-09 15:17:13 -06:00
4a64c4651e
Land #2822 , @mandreko's aux module for OSVDB 101653
2014-01-09 15:15:37 -06:00
410302d6d1
Fix indentation
2014-01-09 15:14:52 -06:00
b1073b3dbb
Code Review Feedback
...
Removed the parameters from get() since it works without them
2014-01-09 15:54:23 -05:00
d69b658de0
Land #2848 , @sho-luv's MS08-067 scanner
2014-01-09 14:39:25 -06:00
2a0f2acea4
Made fixes from the PR from jvazquez-r7
...
The get_once would *only* return "MMcS", and stop. I
modified it to be a get(3, 3). Additionally, the command
length was set to 0x01 when it needed to be 0x00.
2014-01-09 15:33:04 -05:00
fc616c4413
Clean up formatting
2014-01-09 14:16:31 -06:00
93668b3286
Code Review Feedback
...
Made it less verbose, converting to vprint_error
2014-01-09 14:53:33 -05:00
be6958c965
Clean sercomm_dump_config
2014-01-09 13:42:11 -06:00
e21c97fd4d
Added missing metadata
...
Add credit where due
Add disclosure date and references
2014-01-09 14:33:54 -05:00
9456d26467
Added Scanner module for SerComm backdoor
2014-01-09 14:25:28 -05:00
85203c2f2a
Land #2823 , @mandreko's exploit module for OSVDB 101653
2014-01-09 10:27:44 -06:00
40d2299ab4
Added tested device
2014-01-09 10:46:14 -05:00
c50f7697a5
Merge branch 'review_2823' of https://github.com/jvazquez-r7/metasploit-framework into sercomm_exec
2014-01-09 10:39:12 -05:00
01c5585d44
Moved auxiliary module to a more appropriate folder
2014-01-09 10:17:26 -05:00
d9e737c3ab
Code Review Feedback
...
Refactored the configuration settings so that creds could be reported to
the database more easily, while still being able to print general
configuration settings separately.
2014-01-09 10:14:34 -05:00
81adff2bff
Code Review Feedback
...
Changed datastore['rhost'] to rhost
Made the array storing configuration values into a class const
Moved superfluous array look-over to not be executed unless in verbose
mode
2014-01-09 09:19:13 -05:00
bbaaecd648
Delete commas
2014-01-09 08:01:11 -06:00
5e510dc64c
Add minor fixes, mainly formatting
2014-01-09 07:51:42 -06:00
ed6723655d
Code Review Feedback
...
Fixed some handling of errors and invalid hosts
2014-01-09 08:44:01 -05:00
8414973746
Land #2833 , rm linksys_wrt110_cmd_exec_stager
2014-01-09 01:21:22 -06:00
7fd4935263
Make the module output prettier
2014-01-09 01:03:01 -06:00
27f079ad7c
Move {begin,end}_job from libs to modules
2014-01-09 01:03:01 -06:00
131bfcaf41
Refactor away leftover get_rdymsg
2014-01-09 01:03:01 -06:00
d3bbe5b5d0
Add filesystem commands and new PoC modules
...
This commit also refactors some of the code.
2014-01-09 01:03:01 -06:00
af66310e3a
Address @jlee-r7's comments
2014-01-09 01:03:01 -06:00
bab32d15f3
Address @wchen-r7's comments
2014-01-09 01:03:00 -06:00
1c889beada
Add Rex::Proto::PJL and PoC modules
2014-01-09 01:03:00 -06:00
d2458bcd2a
Code Review Feedback
...
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
a8fcf13972
Added credits and clean initialize
...
Added wvu to creds as he did most of work. ;)
2014-01-08 21:16:09 -05:00
8993c74083
Fix even moar outstanding issues
2014-01-08 19:38:54 -06:00
a99e2eb567
Update the post module
2014-01-08 18:41:22 -06:00
130a99f52b
Add a post module that checks with VirusTotal with a checksum
...
This post module will submit a SHA1 checksum to VirusTotal to see
if it's a malicious file.
2014-01-08 18:26:40 -06:00
1dd29d3b64
Fix moar outstanding issues
2014-01-08 18:11:18 -06:00
945a2a296a
Fix outstanding issues
2014-01-08 17:09:41 -06:00
4e581a35ac
Fix encoder architecture
2014-01-08 16:18:30 -06:00
35ac9712ab
Added auxiliary check for MS08_067
...
I simply copied the check from ms08_0867_netapi.rb and put them in
a auxiliary check so I could scan for it. This was done because
Nmap's check is not safe and this is more stable.
2014-01-08 16:41:44 -05:00
a0879b39e0
Add mips be shell_bind_tcp payload
2014-01-08 14:48:54 -06:00
1727b7fb37
Allow the Msf::Payload::Linux's generate to make its work
2014-01-08 12:41:10 -06:00
83e5169734
Don't use temporal register between syscals and save some bytes on the execve
2014-01-08 11:45:27 -06:00
5f7582b72d
Don't use a temporary registerfor the dup2 loop counter
2014-01-07 18:02:55 -06:00
c2dce19768
Don't use a temporary registerfor the dup2 loop counter
2014-01-07 17:39:27 -06:00
a85492a2d7
Fix my own busted dup2 sequence
2014-01-07 16:27:01 -06:00
fb1a038024
Update async API to actually be async in all cases.
...
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
3230b193e1
Make better comment
2014-01-07 15:32:46 -06:00
80dcda6f76
Fix bind call
2014-01-07 15:31:42 -06:00
266b040457
Update cachedump.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:14:10 +01:00
d567737657
Update reverse_tcp_rc4_dns.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:12:38 +01:00
385ae7ec38
Update reverse_tcp_rc4.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:11:16 +01:00
693d95526b
Update bind_tcp_rc4.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:09:53 +01:00
1479ef3903
Update typo3_winstaller_default_enc_keys.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:08:10 +01:00
b5524654d5
Delete comment
2014-01-07 14:50:26 -06:00
45c86d149f
Modify authors field
2014-01-07 14:50:12 -06:00
d6639294aa
Save some instructions with dup2
2014-01-07 14:41:33 -06:00
e79ccb08cb
Update rails_secret_deserialization.rb
...
When using aws-sdk with Ruby 2.1.0-rc1, many "Digest::Digest is deprecated; use Digest" warnings are printed.
Even in Ruby 1.8.7-p374, OpenSSL::Digest::Digest is only provided for backward compatibility.
2014-01-07 21:41:15 +01:00
9cf221cdd6
Delete delay slots after syscall
2014-01-07 13:18:20 -06:00
590547ebc7
Modify title to avoid versions
2014-01-07 13:01:10 -06:00
c34af35230
Add wrt100 to the description and title.
...
* The wrt110 and wrt100 share the same firmware, and are both vulnerable to this
bug.
2014-01-07 10:26:15 -06:00
1057cbafee
Remove deprecated linksys module.
2014-01-07 10:22:35 -06:00
70d4082c0c
Add formatting blank lines and delete comment
2014-01-07 09:55:36 -06:00
3edd2a50e2
Shorter mipsle shell_reverse_tcp
2014-01-07 09:45:28 -06:00
e75d87327f
Merge branch 'enum_ad_perf' into enum_ad_users
2014-01-07 12:21:39 +00:00
3bf728da61
Dont store in DB by default
2014-01-07 12:20:44 +00:00
c0a82ec091
Avoid specific versions in module names
...
They tend to be a lie and give people the idea that only that version is
vulnerable.
2014-01-06 13:47:24 -06:00
49d1285d1b
Add explicit json require.
2014-01-06 11:15:10 -06:00
1cdfbfeed5
Land #2820 - vTigerCRM SOAP AddEmailAttachment Arbitrary File Upload
2014-01-06 10:36:02 -06:00
3b29c370bd
Fix bug in the firefox/exec payload.
2014-01-05 11:24:41 -06:00
723c0480ab
Fix description to be accurate.
2014-01-04 19:06:01 -06:00
f2f68a61aa
Use shell primitives instead of resorting to
...
echo hacks.
2014-01-04 19:00:36 -06:00
4329e5a21e
Update firefox payloads to use async runCmd.
2014-01-04 08:49:43 -06:00
fdca396bc8
Update exec to be diskless.
2014-01-04 08:48:58 -06:00
b9c46cde47
Refactor runCmd, allow js exec.
...
* Updates exec payload to not touch disk
* Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options)
2014-01-04 08:46:57 -06:00
a5ebdce262
Add exec payload. Cleans up a lot of code.
...
Adds some yardocs and whatnot.
2014-01-03 18:23:48 -06:00
cd38f1ec5d
Minor touchups to recent modules.
2014-01-03 13:39:14 -06:00
41ac66b5e5
Removed stupid debug line I left in
2014-01-03 11:00:13 -05:00
aaa9fa4d68
Removed RequiredCmd options that didn't work successfully.
2014-01-03 10:56:01 -05:00
20b073006d
Code Review Feedback
...
Removed Payload size restriction. I tested with 10,000 characters and it
worked.
Removed handler for now, since it's unable to get a shell. It's
currently limited to issuing commands.
2014-01-03 10:54:16 -05:00
570e7f87d3
Moved to more appropriate folder
2014-01-02 20:58:46 -05:00
b24e927c1a
Added module to execute commands on certain Sercomm devices through
...
backdoor
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:54:02 -05:00
c5a3a0b5b7
Cleanup
2014-01-02 20:44:18 -05:00
6effdd42fa
Added module to enumerate certain Sercomm devices through backdoor
...
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:42:42 -05:00
2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!)
...
It was the wrong time to mess with my workflow.
2014-01-02 16:39:02 -06:00
67a796021d
Land #2804 , IBM Forms Viewer 4.0 exploit
2014-01-02 16:10:02 -06:00
eaeb457d5e
Fix disclosure date and newline as pointed by @wvu-r7
2014-01-02 16:08:44 -06:00
f5f18965b9
Move the require to the payloads as ruby and nodejs payloads do
2014-01-02 16:05:03 -06:00
3f0ee081d9
Beautify description
2014-01-02 15:37:58 -06:00
06fb2139b0
Digging around to get shell_command_token to work.
2014-01-02 14:05:06 -06:00
d5e196707d
Include Msf::Post::Windows::Error
2014-01-02 13:41:37 -06:00
ec8d24c376
Update against upstream
2014-01-02 12:55:46 -06:00
3bccaa407f
Beautify use of Regexp
2014-01-02 12:54:54 -06:00
90158b9932
Land #2791 , @morisson's support to remote dns resolution on sap_router_portscanner
2014-01-02 12:19:50 -06:00
f75782bc2f
Use RHOST, RPORT for the SAPROUTER options
2014-01-02 12:18:54 -06:00
1b893a5c26
Add module for CVE-2013-3214, CVE-2013-3215
2014-01-02 11:25:52 -06:00
1b0e99b448
Update proto_crmfrequest module.
2014-01-02 10:48:28 -06:00
12fece3aa6
Kill unnecessary comment.
2014-01-02 10:48:28 -06:00
1f9ac12dda
DRYs up firefox payloads.
2014-01-02 10:48:28 -06:00
821aa47d7e
Add firefox paylods.
...
* Adds support for windows or posix shell escaping.
2014-01-02 10:48:28 -06:00
694cb11025
Add firefox platform, architecture, and payload.
...
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
d291cd92d7
Land #2817 , icofx_bof random things
2014-01-01 22:01:48 -06:00
b8e17c2d8e
Don't use Pcap.lookupaddrs any more
2014-01-01 18:50:15 -06:00
b4439a263b
Make things random
2013-12-31 16:06:25 -06:00
184bd1e0b2
Land #2815 - Change gsub hardtabs
2013-12-31 15:58:21 -06:00
2252a037a5
Fix disclosure date
2013-12-31 14:51:43 -06:00
3775b6ce91
Add module for CVE-2013-4988
2013-12-31 14:43:45 -06:00
841f67d392
Make adobe_reader_u3d also compliant
2013-12-31 11:07:31 -06:00
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
0725b9c69c
Refactor JSP payloads
2013-12-31 08:27:37 -06:00
832b0455f1
Class constants and Regex added
2013-12-31 03:20:12 +01:00
80a1e85235
Add :config => false to sysax_ssh_username
2013-12-30 18:13:49 -06:00
619e6aac68
Land #2812 , missing :config => false fix
2013-12-30 18:07:33 -06:00
c3fd657bde
Missing config false flag
...
the sshexec exploit was missing the flag
that tells net:ssh to not use the user's
local config . This can cuase ugly problem
MSP-9262
2013-12-30 14:28:15 -06:00
aa38a23921
Add generate_war to jsp_shell payloads
2013-12-30 13:53:58 -06:00
4366d4da20
Delete comma
2013-12-30 11:45:52 -06:00
54a6a4aafa
Land #2807 , @todb-r7's armory support for bitcoin_jaker
2013-12-30 11:44:51 -06:00
e3d918a8a3
Applying changes
2013-12-30 01:49:13 +01:00
88cf1e4843
Default false KILL_PROCESSES for bitcoin_jacker
...
I seem to able to read associated wallet files while these processes are
running with the greatest of ease. Maybe there was a file locking
concern, but I haven't run into it. Feel free to avoid landing this
particular commit if you disagree.
2013-12-29 14:12:00 -06:00
5e0c7e4741
DRY up bitcoin_jacker.rb, support Armory
...
Also, make the process killing optional.
2013-12-29 13:07:43 -06:00
9384a466c1
Retab bitcoin_jacker.rb
2013-12-29 10:59:15 -06:00
6fcd12e36c
Refactor for clearer syntax and variables
...
This was done on a barely configured Windows machine, so mind the tabs.
2013-12-29 10:15:48 -06:00
ef73ca537f
First, clean up the original a little
2013-12-28 18:57:04 -06:00
f2335b5145
Land #2792 - SSO/Mimikatz module overwrites password with N/A
2013-12-27 17:25:44 -06:00
57d60c66f9
Add masqform version as comment
2013-12-27 10:59:23 -06:00
341e3c0370
Use rexml
2013-12-27 10:55:36 -06:00
ee35f9ac30
Add module for zdi-13-274
2013-12-27 10:20:44 -06:00
d6a63433a6
Space at EOL
2013-12-26 10:37:18 -06:00
5ce862a5b5
Add OSVDB
2013-12-26 10:33:46 -06:00
c34a5f3758
Unacronym the title on Poison Ivy C&C
2013-12-26 10:30:30 -06:00
47765a1c4f
Fix chargen probe title, comment on the CVE
2013-12-26 10:29:11 -06:00
056661e5dd
No at-signs in names please.
2013-12-26 10:26:01 -06:00
b02e21a1d3
Land #2779 , @wchen-r7's mod to raise Msf::OptionValidateError when PORTS is invalid
2013-12-26 09:27:27 -06:00
17c0751677
Create ibm_sametime_room_brute.rb
...
init
2013-12-26 13:02:52 +01:00
7ba1950424
Create ibm_sametime_enumerate_users.rb
...
init
2013-12-26 13:01:48 +01:00
2d6f41d67f
Create ibm_sametime_version.rb
...
init
2013-12-26 13:00:39 +01:00
3814e3edef
Create ibm_sametime_webplayer_dos.rb
...
init
2013-12-26 12:58:51 +01:00
78db7429d0
Turns out the latest Safari is still vulnerable.
...
The version check is currently disabled because turns out the latest
Safari (6.1.1) is still vulnerable - I can still loot it in plain
text.
2013-12-24 19:27:45 -06:00
a26e12b746
Updates descriiption and improves regex for safari_lastsession.rb
...
This updates two things for the safari_lastsession post module:
1. The description is updated: More information is added to describe
how Safari would end up storing the Gmail credential in the last
session state, and what it means to you as an attacker.
2. Regex update for the domain to search for: Before the module starts
extract the session data, it needs to know which domain to extract from.
Originally I only added mail.google.com, but turns out the sensitive info
can be found in accounts.google.com, so I added that one.
2013-12-24 14:00:55 -06:00
86a94022c0
Fix lotus_domino_hashes not working.
...
Some Lotus Domino servers prefix the "dspHTTPPassword" with a dollar
sign. Updated regex to take this into account.
2013-12-24 11:57:13 +00:00
90ce761681
Land #2790 - RealNetworks RealPlayer Version Attribute Buffer Overflow
2013-12-24 00:39:54 -06:00
367dce505b
Minor details
2013-12-24 00:39:15 -06:00
f687a14539
Added support for opening via menu.
2013-12-24 03:12:49 +01:00
213556761a
Land #2765 - Added Poison Ivy Command and Control Scanner
2013-12-23 17:36:18 -06:00
0a07bbdf2e
Minor changes
2013-12-23 17:35:42 -06:00
88b3b2c78e
Switch RHOSTS to TARGETS and add validation
2013-12-23 11:58:26 -06:00
9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution
2013-12-23 02:34:01 -06:00
5b647ba6f8
Change description
...
Pre-auth is implied.
2013-12-23 02:33:17 -06:00
287271cf98
Fixed date format.
2013-12-22 01:32:16 +01:00
0ac495fef8
Replaced hex with plain text.
2013-12-22 01:31:37 +01:00
94da642f5c
fixed typo: innacurated -> inaccurate
2013-12-21 20:36:43 +00:00
c387a850ca
Fixed default value for RESOLVE (local)
2013-12-21 19:21:57 +00:00
bf8c0b10fa
Dont store n/a creds
2013-12-21 09:04:02 +00:00
6ce0bab036
Cleanup, also split IP addresses separated by commas.
2013-12-21 00:15:00 +00:00
f43bc02297
Land #2787 , @mwulftange's exploit for CVE-2013-6955
2013-12-20 17:03:10 -06:00
163a54f8b1
Do send_request_cgi final clean up
2013-12-20 17:00:57 -06:00
44ab583611
Added newline to end of file.
2013-12-20 22:40:45 +01:00
62f71f6282
Added module for CVE-2013-6877
2013-12-20 22:37:09 +01:00
bf2dc97595
Merge branch 'poisonivyscanner' of github.com:SeawolfRN/metasploit-framework into poisonivyscanner
2013-12-20 18:46:35 +00:00
ae7a0159e7
Changed to Puts and get_once - also forgot the timeout...
2013-12-20 18:44:42 +00:00
8be481f324
Land #2681 , @mcantoni and @todb-r7's support for chargen
2013-12-20 11:53:08 -06:00
12efa99ce5
Fix udp_sweep
2013-12-20 11:47:48 -06:00
2dc7ef4398
Fix udp_probe
2013-12-20 11:45:27 -06:00
af13334c84
Revert gsub!
2013-12-20 11:39:49 -06:00
ce8b8e8ef9
Land #2783 - OpenSIS 'modname' PHP Code Execution
2013-12-20 11:29:10 -06:00
d0ef860f75
Strip default username/password
...
There isn't one. So force the user to supply one.
2013-12-20 11:28:18 -06:00
52a4e55804
Land #2781 - Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
2013-12-20 11:25:50 -06:00
1da961343a
Do final (minor) cleanup
2013-12-20 11:20:29 -06:00
2f34f8458b
Downcase chargen service name
2013-12-20 10:41:53 -06:00
35c847da94
Add chargen to udp_probe and udp_sweep
...
This simplifies the checks considerably for PR #2681 from @mcantoni
2013-12-20 10:32:15 -06:00
a043d384d4
Land #2738 , @jiuweigui update to enum_prefetch
2013-12-20 10:26:54 -06:00
929f3ea35c
Turn Auxiliary module into Exploit module
2013-12-20 16:45:38 +01:00
eba164d2e3
Clean chargen_probe
2013-12-20 09:10:15 -06:00
15f6a62f90
Msf::Exploit::Remote::HttpClient already provides 'peer'
2013-12-20 15:10:10 +01:00
0718c27f47
Use 'unless' instead of 'if not'
2013-12-20 15:09:32 +01:00
f99a5b8b47
Update for extapi
2013-12-20 13:18:01 +00:00
4ca25d5d89
Merge branch 'enum_ad_perf' into enum_ad_users
2013-12-20 12:54:24 +00:00
fe66d2437b
Add module for CVE-2013-6955
...
Auxiliary module for Synology DiskStation Manager (DMS) SLICEUPLOAD
vulnerability, which allows unauthenticated remote command execution
under root privileges.
2013-12-20 11:50:02 +01:00
fb6cd9c149
add osvdb+url refs and module tidy up
2013-12-20 20:27:07 +10:30
2510580c19
Land #2784 - Remove EOL whitespace from OS X hashdump
2013-12-20 03:54:37 -06:00
0db062a1ce
Merge branch 'meatballs-vncdll-submodule'
2013-12-20 18:29:27 +10:00
34cdec5155
Update project VS 2013, clean CLI build
...
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
4816abe63b
Add module for ZDI-13-263
2013-12-19 17:48:52 -06:00
6ac0aad38b
Prevent report_* when RESOLVE is remote, since hostname may be unknown and local resolution fail, thus spitting out an error and failing
2013-12-19 23:37:13 +00:00
c881ef5472
Unreachable and time out error identification
2013-12-19 22:59:56 +00:00
a199dc39af
used the recvfrom timeout
2013-12-19 20:56:11 +01:00
8e27e87c81
Use the right disclosure date.
2013-12-19 12:58:52 -06:00
955dfe5d29
msftidy it up.
2013-12-19 12:53:58 -06:00
b50bbc2f84
Update module to use sinn3r's beautiful browserexploitserver.
2013-12-19 12:49:24 -06:00
773d4c5cd1
commented out response packet vprint
2013-12-19 18:35:11 +00:00
ad8a156263
RHOSTS can be a comma separated list of hostnames
2013-12-19 18:33:32 +00:00
62ef810e7c
Use Extapi if available
2013-12-19 18:18:47 +00:00
564601e083
msftidy - fixed
2013-12-19 17:30:34 +00:00
2480f023b1
Dropped scanner mixin. Tried to maintain usage
2013-12-19 17:15:44 +00:00
737154c2fe
Update to use extapi
2013-12-19 16:46:09 +00:00
9434d60021
Remove EOL whitespace from OS X hashdump
2013-12-19 10:39:49 -06:00
3ef1c0ecd6
Merge remote-tracking branch 'upstream/master' into enum_ad_perf
2013-12-19 14:25:07 +00:00
244cf3b3f6
Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf
2013-12-19 13:59:57 +00:00
fc2da15c87
Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349
2013-12-19 19:10:48 +10:30
eb08a30293
Update description with new version support.
2013-12-19 02:08:55 -06:00
5ee6c77901
Add a patch for 15.x support.
...
* Also add authors i forgot, oops
2013-12-19 02:05:45 -06:00
2add2acc8f
Use a smaller key size, harder to spot.
2013-12-18 21:02:23 -06:00
8d183d8afc
Update versions, 4.0.1 does not work on windows.
2013-12-18 20:57:47 -06:00
cb390bee7d
Move comment.
2013-12-18 20:37:33 -06:00
23b5254ea1
Fix include reference.
2013-12-18 20:35:43 -06:00
5255f8da12
Clean up code. Test version support.
...
* Using #get in Object#defineProperty call makes the payload execute immediately
on all supported browsers I tested.
* Moved Ranking to Excellent since it is now 100% reliable.
2013-12-18 20:30:08 -06:00
21d959c58d
RESOLVE option takes either "remote" or "local"
2013-12-19 00:38:47 +00:00
1778a08e98
Keeping changes away from the "ip" variable
2013-12-19 00:19:58 +00:00
d41f05e0b6
Land #2776 - Avoid having the same port twice
2013-12-18 18:09:43 -06:00
7ebcd5a8c9
Option to perform host resolution on remote saprouter
2013-12-18 23:53:58 +00:00
198667b650
Land #2774 , @Mekanismen's module for CVE-2013-7091
2013-12-18 16:23:44 -06:00
aec2e0c92c
Change ranking
2013-12-18 16:23:14 -06:00
f21d666631
Land #2744 , @rcvalle module for CVE-2013-2050
2013-12-18 16:19:25 -06:00
0eac17083a
Clean cfme_manageiq_evm_pass_reset
2013-12-18 16:16:32 -06:00
d4ec858051
Clean zimbra_lfi
2013-12-18 15:46:37 -06:00
8dfa2e6963
Land #2734 - OSX Gather Autologin Password as Root
2013-12-18 15:37:45 -06:00
5011c4d928
The "unless" Ruby nazi is in town
2013-12-18 15:28:31 -06:00
5ec3d5f3f6
Raise specific exceptions
2013-12-18 15:27:49 -06:00
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
ee87f357b0
Raise Msf::OptionValidateError when the PORTS option is invalid
...
Instead of print_error for invalid ports, modules should be raising
Msf::OptionValidateError to warn the user about the invalid input.
2013-12-18 15:04:53 -06:00
4028dcede7
Add an input check for datastore option PORTS
...
If Rex::Socket.portspec_crack returns an empty array, we assume
there are no valid ports to test, so we raise an OptionValidateError
to warn the user about it.
2013-12-18 14:55:51 -06:00
64273fe41d
Move addon datastore options into mixin.
2013-12-18 14:42:01 -06:00
ca2de73879
It helps to actually commit the exploit.
2013-12-18 14:31:42 -06:00
1235615f5f
Add firefox 15 chrome privilege exploit.
...
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
c4b8178663
Correct camelCase of YouTube
2013-12-18 14:06:45 -06:00
0c0e8c3a49
various updates
2013-12-18 20:54:35 +01:00
b9a9b90088
Update module to use added bcrypt gem
2013-12-18 16:15:35 -02:00
e20569181b
Remove EzCrypto-related code as per review
2013-12-18 16:15:22 -02:00
ab69454f89
Land #2745 , @rcvalle's exploit for CVE-2013-2068
2013-12-18 12:06:27 -06:00
ec64382efc
Fix cfme_manageiq_evm_upload_exec according to chat with @rcvalle
2013-12-18 11:53:30 -06:00
ef081cec49
Add missing disclosure date as per review
2013-12-18 15:47:23 -02:00
a28ea18798
Clean pull request
2013-12-18 11:32:34 -06:00
a4811bd0c3
Land #2760
2013-12-18 17:17:10 +10:00
5e4c395f86
Fix small spacing issue
2013-12-18 17:14:47 +10:00
10e16673a7
There must be read_file
2013-12-17 16:42:49 -06:00
21feae0bbc
Make sure the file path is readable when it's ~/
2013-12-17 16:38:58 -06:00
345e1711b1
Land #2775 , @wchen-r7's post module to Safari get LastSession.plist
2013-12-17 15:57:50 -06:00
7ec96876d9
Delete unnecessary includes
2013-12-17 15:57:09 -06:00
374ef71c12
Favor read_file instead
2013-12-17 15:34:52 -06:00
80eea97ccd
ChrisJohnRiley fix for sap_service_discovery
2013-12-17 13:31:56 -06:00
ea6ba2b159
Add post module to get LastSession.plist
...
LastSession.plist sometimes contains sensitive information such as
usernames and passwords. It'd be nice to keep this in loot.
2013-12-17 13:07:30 -06:00
2de15bdc8b
added module for Zimbra Collaboration Server CVE-2013-7091
2013-12-17 19:32:04 +01:00
252909a609
Land #2448 , @OJ's ReverseListenerBindPort :)
2013-12-17 11:24:09 -06:00
89ffafad0e
Changes to Service mixin
2013-12-17 13:10:27 +01:00
ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 20:32:27 -06:00
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
2eee34babf
added timeout options and rescue timeout
2013-12-16 20:00:13 -06:00
fe34d0e36e
fixed syntax
2013-12-16 19:26:40 -06:00
7b8de95f6b
fixed database overwriting issues
2013-12-16 19:16:12 -06:00
07f686bb1a
added ResolverArgumentError rescue statement
2013-12-16 18:46:14 -06:00
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
24bc10905e
Added Spaces and removed Interrupt
2013-12-16 22:12:35 +00:00
f88a3a55b6
More slight updates.
2013-12-16 15:05:39 -06:00
afcee93309
Land #2771 - Fix description
2013-12-16 15:01:32 -06:00
04b7e8b174
Fix module title and add vendor patch information
2013-12-16 14:59:00 -06:00
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
533accaa87
Add module for CVE-2013-3346
2013-12-16 14:13:47 -06:00
446db78818
Minor fix to gather_pf_info function
2013-12-16 21:33:07 +02:00
bf561fef95
Corrected Extraneous Whitespace\Newlines
2013-12-16 16:38:49 +00:00
79022c2e29
Probably should have checked it worked...
2013-12-16 11:33:08 +00:00
59003a9842
Updated Poison Ivy Scanner
2013-12-15 22:02:14 +00:00
226cd241bf
Added Poison Ivy Command and Control Scanner\n Auxiliary module to scan for Poison Ivy C&C on ports 80,8080,443 and 3460
2013-12-15 14:34:50 +00:00
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
sinn3r
Matt Andreko
Tod Beardsley
jvazquez-r7
William Vu
Joe Vennix
sgabe
sho-luv
Niel Nielsen
Meatballs
bmerinofe
David Maloney
TabAssassin
Tod Beardsley
kicks4kittens
rbsec
Bruno Morisson
SeawolfRN
Markus Wulftange
bcoles
OJ
Matteo Cantoni
Mekanismen
Ramon de C Valle
zeknox
jiuweigui