Commit Graph

1240 Commits (4c72b096b656c424a3964a688b37cb5b5fb31d16)

Author SHA1 Message Date
jvazquez-r7 efb8591a49 Update apple_quicktime_rdrf references 2013-07-18 13:57:31 -05:00
jvazquez-r7 52079c960f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 12:52:42 -05:00
sinn3r b94cde1d65 Name change for pyoor 2013-07-18 10:50:25 -05:00
jvazquez-r7 104edd8e93 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 10:38:53 -05:00
jvazquez-r7 bf023f261a Delete comma 2013-07-17 20:46:03 -05:00
jvazquez-r7 7ee4855345 Fix msftidy and delete duplicate stack adjustment 2013-07-17 20:45:54 -05:00
sinn3r 6713fb1609 Fix typos 2013-07-17 18:06:40 -05:00
sinn3r 9ae7c80b15 Add more targets plus some other corrections 2013-07-17 14:43:41 -05:00
sinn3r c85b994c07 Add CVE-2013-1017: Apple Quicktime Invalid Atom Length BoF
This module exploits a vulnerability found in Apple Quicktime. The
flaw is triggered when Quicktime fails to properly handle the data
length for certain atoms such as 'rdrf' or 'dref' in the Alis record,
which may result a buffer overflow by loading a specially crafted .mov
file, and allows arbitrary code execution under the context of the user.
2013-07-17 13:45:05 -05:00
jvazquez-r7 6e44cb56bf Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-03 12:44:47 -05:00
sinn3r 7ef5695867 [FixRM:#8129] - Remove invalid metasploit.com references
These "metasploit.com" references aren't related to the vulns,
shouldn't be in them.
2013-07-03 11:52:10 -05:00
jvazquez-r7 90b30dc317 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-26 14:31:52 -05:00
Steve Tornio 6ea622c45e reference updates 2013-06-26 09:44:56 -05:00
jvazquez-r7 7ab4d4dcc4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-25 17:34:29 -05:00
Steve Tornio 5b71013dde reference updates 2013-06-25 13:41:22 -05:00
jvazquez-r7 0c306260be Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-25 09:13:01 -05:00
sinn3r 4df943d1a2 CVE and OSVDB update 2013-06-25 02:06:20 -05:00
James Lee 2c12a43e77 Add a method for dealing with hardcoded URIs 2013-06-21 15:48:02 -05:00
jvazquez-r7 ae1a3e3ca1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-17 20:39:31 -05:00
Tod Beardsley 4ca9a88324 Tidying up grammar and titles 2013-06-17 16:49:14 -05:00
jvazquez-r7 11bf17b0d6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-15 11:55:22 -05:00
sinn3r 2abf70a1ca Lower ranking for MS13-009
We haven't been able to make this one more reliable, so todb suggests
we lower the ranking first.
2013-06-14 15:24:43 -05:00
jvazquez-r7 2d083be8e7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-14 13:28:44 -05:00
sinn3r 0d384d23b8 Land #1954 - Fix resource_uri and mp4 file path 2013-06-14 13:15:17 -05:00
jvazquez-r7 060261bb3b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-14 13:15:13 -05:00
sinn3r 933ac88b44 Missing the file param that's needed to download the mp4 2013-06-14 13:13:48 -05:00
sinn3r d2df3234f4 Land #1955 - mozilla_mchannel.rb undefined agent variable 2013-06-14 11:14:20 -05:00
sinn3r 223807d0df Land #1956 - fix regex error for mozilla_reduceright.rb 2013-06-14 11:09:49 -05:00
jvazquez-r7 95118895d6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-13 13:05:42 -05:00
jvazquez-r7 81813a78fc Fix module Name 2013-06-13 11:55:23 -05:00
jvazquez-r7 707bc33148 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-13 10:17:28 -05:00
jvazquez-r7 eaba8e7b59 up to date 2013-06-12 15:44:00 -05:00
jvazquez-r7 afb2f83238 Add module for CVE-2012-1533 2013-06-12 14:40:53 -05:00
jvazquez-r7 c38eabe481 Fix description, code and perform test 2013-06-12 11:07:03 -05:00
jvazquez-r7 5c8053491f Add DEP bypass for ntdll ms12-001 2013-06-12 10:41:05 -05:00
jvazquez-r7 a1c7961cbc Suport js obfuscation for the trigger 2013-06-12 08:06:12 -05:00
jvazquez-r7 5240c6e164 Add module for MS13-037 CVE-2013-2551 2013-06-12 07:37:57 -05:00
jvazquez-r7 9ea58ba165 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-11 10:40:01 -05:00
sinn3r 081baad68c Remove variable 'overflow' because it's not used
The 'overflow' variable isn't needed
2013-06-11 02:26:45 -05:00
Ruslaideemin ca0ab8d6ee maxthon_history_xcs.rb - fix User-agent string
request.headers['User-agent'] is incorrect, it should be
request.headers['User-Agent'].

Downloaded following version from oldapps.com to confirm
the exploit code is wrong.

Supported Systems Windows 98, 2000 (Maxthon 2.5.15 Build
  1000), XP, Vista, 7, 8
MD5 Checksum F3791637C886A46940876211209F82F4
SHA1 Checksum 039BB218245E5DC1BAB0F57298C68AC487F86323

Release Date 20 October, 2011 (2 years ago )
2013-06-11 13:37:21 +10:00
Ruslaideemin 4e41e871bb mozilla_reduceright.rb - fix regex error.
[] is character class, and will match on 1, 6, 7, and |.
Where as (16|17) will match on either 16, or 17.

irb(main):053:0> y = /Firefox\/3\.6\.[16|17]/
=> /Firefox\/3\.6\.[16|17]/
irb(main):054:0> x = "Firefox/3.6.13"
=> "Firefox/3.6.13"
irb(main):055:0> x =~ y
=> 0
irb(main):056:0> y = /Firefox\/3\.6\.(16|17)/
=> /Firefox\/3\.6\.(16|17)/
irb(main):057:0> x =~ y
=> nil
2013-06-11 11:52:27 +10:00
Ruslaideemin 996171b35f mozilla_mchannel.rb undefined agent variable
If the TARGET is chosen instead of using the default
automatic, the agent variable will be undefined, which
causes the exploit to fail.
2013-06-11 10:43:47 +10:00
jvazquez-r7 72b871d762 up to date 2013-06-10 16:37:05 -05:00
Ruslaideemin d91b412661 adobe_flash_sps.rb - resource_uri vs get_resource
resource_uri will randomize the returned uri unless
datastore['URIPATH"] is set.

get_resource will return the currently used reosurce_uri

Since the incorrect type is used, this exploit is completely broken.

Tested fix with both URIPATH set to / and unset, and it works after
redirect.
2013-06-11 07:13:02 +10:00
jvazquez-r7 9c44ea0c61 up to date 2013-06-10 13:02:01 -05:00
jvazquez-r7 b20a38add4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-10 12:22:52 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 9c27a294cb Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-07 13:01:37 -05:00
sinn3r ea2895ac13 Change to AverageRanking
Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
2013-06-07 12:08:51 -05:00
sinn3r 9c7b446532 Updates description about default browser setting 2013-06-07 11:58:31 -05:00
sinn3r f3421f2c3a Fix different landings 2013-06-07 10:26:04 -05:00
sinn3r e559824dc8 Remove whitespace 2013-06-06 20:08:50 -05:00
sinn3r d3e57ffc46 Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx.  When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
2013-06-06 20:05:08 -05:00
jvazquez-r7 a5f9ed890b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-03 16:23:12 -05:00
jvazquez-r7 30a019e422 Land #1891, @wchen-r7's improve for ie_cgenericelement_uaf 2013-06-03 15:35:43 -05:00
jvazquez-r7 4079484968 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-03 15:27:36 -05:00
sinn3r cc951e3412 Modifies the exploit a little for better stability
This patch makes sure the LFH is enabled before the CGenericElement
object is created.  Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
jvazquez-r7 5939ca8ce4 Add analysis at the end of the module 2013-06-01 15:59:17 -05:00
jvazquez-r7 9be8971bb0 Add module for ZDI-13-094 2013-06-01 15:44:01 -05:00
jvazquez-r7 d42ac02e3e Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-31 23:01:05 -05:00
jvazquez-r7 f8e9535c39 Add ZDI reference 2013-05-31 20:50:53 -05:00
jvazquez-r7 66ea59b03f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-28 15:22:46 -05:00
jvazquez-r7 e678b2c5d8 Add module for CVE-2012-5946 2013-05-26 00:21:20 -05:00
jvazquez-r7 0dee5ae94d Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-22 12:54:44 -05:00
James Lee f4498c3916 Remove $Id tags
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7 352a7afcd6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-14 22:29:24 -05:00
sinn3r e1111928c2 Adds patch info for ie_cgenericelement_uaf
This one is MS13-038
2013-05-14 14:55:02 -05:00
jvazquez-r7 01ce751c51 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-12 17:08:14 -05:00
sinn3r 7fcf20201b Ranking should be the same (to GoodRanking) 2013-05-11 09:19:25 -05:00
jvazquez-r7 823d89935a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-09 12:36:43 -05:00
sinn3r 9043eeda66 A slight change for stability
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable.  I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
jvazquez-r7 866fa167ab Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-08 16:29:52 -05:00
sinn3r 9a1400a75b Forgot to remove this print_warning 2013-05-08 15:44:04 -05:00
sinn3r 075f6e8d45 Updates ROP chain and mstime_malloc usage 2013-05-08 15:42:45 -05:00
sinn3r c7609ac7d1 Initial update 2013-05-08 14:24:52 -05:00
jvazquez-r7 425a16c511 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-05 22:00:07 -05:00
Tod Beardsley 8239998ada Typo on URL for #1797. Thx @Meatballs1 2013-05-05 12:26:06 -05:00
Tod Beardsley c9ea7e250e Fix disclosure date, ref for #1897 2013-05-05 12:13:02 -05:00
sinn3r a33510e821 Add MS IE8 DoL 0day exploit (CVE-2013-1347)
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
jvazquez-r7 796f7a39ac Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-02 20:04:48 -05:00
jvazquez-r7 a2e1fbe7a9 Make msftidy happy 2013-05-02 19:46:26 -05:00
sinn3r eb23b5feeb Forgot to remove function ie8_smil. Don't need this anymore. 2013-05-02 14:04:15 -05:00
sinn3r 329e8228d1 Uses js_mstime_malloc to do the no-spray technique 2013-05-02 14:00:15 -05:00
jvazquez-r7 38e41f20fe Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-24 13:24:13 -05:00
sinn3r cae30bec23 Clean up all the whitespace found 2013-04-23 18:27:11 -05:00
jvazquez-r7 6cd6a7d6b9 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-28 12:16:18 +01:00
jvazquez-r7 0109d81c95 fix typo 2013-03-27 17:39:18 +01:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
jvazquez-r7 393d5d8bf5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-25 19:09:42 +01:00
Nathan Einwechter 89c0e8c27e Fix add_resource call in adobe_flas_mp5_cprt 2013-03-22 19:27:02 -04:00
Patrick Webster 5312c58c72 Added BID for ms09_002_memory_corruption. 2013-03-12 16:57:47 +01:00
Patrick Webster 56bb907f9f Fixed exceptions in ms05_054_onload exploit module. 2013-03-12 16:57:47 +01:00
jvazquez-r7 74b58185cd up to date 2013-03-12 16:48:11 +01:00
Tod Beardsley 2f95d083e8 Updating URL for Honewell EBI exploit 2013-03-11 13:35:58 -05:00
Tod Beardsley 23972fbebc Merge branch 'release' 2013-03-11 13:08:30 -05:00
Tod Beardsley d81d9261e7 Adding Honeywell exploit. 2013-03-11 13:03:59 -05:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
sinn3r 2b65cfa5ab Minor changes 2013-02-22 21:02:19 -06:00
jvazquez-r7 5b16e26f82 change module filename 2013-02-21 20:05:13 +01:00
jvazquez-r7 b4f4cdabbc cleanup for the module 2013-02-21 20:04:05 +01:00
Jeff Jarmoc ade2c9ef56 msftidy - fix line endings. 2013-02-14 11:42:02 -06:00
Jeff Jarmoc 4c90cacffe Send iframe when URIPATH isnt '/' 2013-02-14 11:23:08 -06:00
Jeff Jarmoc 947aa24d44 MS13-009 / CVE-2013-0025 ie_slayout_uaf.rb by Scott Bell 2013-02-14 11:18:19 -06:00
sinn3r 4074a12fd7 Randomize some gadgets 2013-02-13 14:12:52 -06:00
jvazquez-r7 f58cc6a2e0 more fix version info 2013-02-12 18:51:04 +01:00
jvazquez-r7 96b1cb3cfb fix version info 2013-02-12 18:50:36 +01:00
jvazquez-r7 69267b82b0 Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00
jvazquez-r7 17b349ab50 added crash to comments 2013-02-09 17:49:57 +01:00
jvazquez-r7 5b576c1ed0 fix ident and make happy msftidy 2013-02-09 17:40:45 +01:00
sinn3r b706af54a0 Merge branch 'ovftool_format_string_browser' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_browser 2013-02-05 15:12:24 -06:00
jvazquez-r7 9ce5f39bc6 added migrate as initial script 2013-02-04 16:42:56 +01:00
jvazquez-r7 e0d4bb5799 Added module for cve-2012-3569, browser version 2013-02-04 16:37:42 +01:00
Tod Beardsley e8def29b4f Dropping all twitter handles
Also adds "pbot" as an accepted lowercase word. This will come up pretty
routinley for functions and stuff.
2013-02-01 16:33:52 -06:00
sinn3r 04b35a38ff Update MSB ref 2013-01-14 14:59:32 -06:00
jvazquez-r7 5901058a61 Merge branch 'ms11_081' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_081 2013-01-09 23:24:14 +01:00
sinn3r f3b88d34c1 Add MS11-081 2013-01-09 15:52:33 -06:00
jvazquez-r7 736f8db6c0 Deleting from browser autopwn 2013-01-09 09:58:20 +01:00
jvazquez-r7 377905be7f Avoid FileDropper in this case 2013-01-09 09:15:38 +01:00
jvazquez-r7 52982c0785 Added BrowserAutopwn info 2013-01-08 19:53:34 +01:00
jvazquez-r7 0e475dfce1 improvements and testing 2013-01-08 19:43:58 +01:00
jvazquez-r7 b2575f0526 Added module for OSVDB 76681 2013-01-08 17:46:31 +01:00
Christian Mehlmauer 6654faf55e Msftidy fixes 2013-01-04 09:29:34 +01:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
sinn3r 6fd35482cc This exploit should be in browser auto pwn 2013-01-03 14:45:00 -06:00
sinn3r 06b937ec11 Implements WTFUzz's no-spray technique
Do not try to bend the spoon, that is impossible. Instead, only
try to realize the truth: there is no spoon.
2013-01-03 11:57:47 -06:00
sinn3r 38157b86a9 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-31 11:15:44 -06:00
sinn3r f7543e18fe Your def of commit apparently is a little different than mine, git. 2012-12-31 00:35:13 -06:00
sinn3r 2b3f7c4430 Module rename
Sorry, Tod, this must be done.
2012-12-31 00:29:19 -06:00
sinn3r 5703274bc4 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-30 20:34:57 -06:00
sinn3r 1084334d5e Randomness 2012-12-30 20:34:14 -06:00
sinn3r 7cb42a5eb4 Add BID ref 2012-12-30 18:14:22 -06:00
sinn3r cc52e2c533 Where's Juan's name? 2012-12-30 12:58:16 -06:00
jvazquez-r7 14f21c0a29 using the rop as expected 2012-12-30 16:13:48 +01:00
jvazquez-r7 eed5a74f32 description updated and reference added 2012-12-30 16:08:01 +01:00
Christian Mehlmauer f7d6594314 re-deleted comma 2012-12-30 13:39:14 +01:00
jvazquez-r7 6be8ed6168 readd fix for #1219 2012-12-30 13:25:42 +01:00
jvazquez-r7 cd58cc73d9 fixed rop chain for w2003 2012-12-30 13:12:55 +01:00
Christian Mehlmauer cab84b5c27 Fix for issue #1219 2012-12-30 13:02:13 +01:00
Christian Mehlmauer dcf018c339 Comma 2012-12-30 12:54:44 +01:00
Christian Mehlmauer 14d197eeb2 Added Windows Server 2003 2012-12-30 11:35:29 +01:00
jvazquez-r7 6cb9106218 Added module for CVE-2012-4792 2012-12-30 01:46:56 +01:00
sinn3r eb2037bdba Merge branch 'inotes_dwa85w_bof' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-inotes_dwa85w_bof 2012-12-28 12:16:06 -06:00
jvazquez-r7 9ffb0dcf79 switch to some random data 2012-12-28 12:48:36 +01:00
jvazquez-r7 8f62cd5561 swith to some random data 2012-12-28 12:47:20 +01:00
jvazquez-r7 af61438b0b added module for zdi-12-132 2012-12-28 11:45:32 +01:00
jvazquez-r7 8ea5c993a2 added module for zdi-12-134 2012-12-28 11:44:30 +01:00
sinn3r 6a3bf6a2a6 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-24 17:57:02 -06:00
sinn3r 38f0886058 James has more modules that need to be updated.
e-mail update.
2012-12-24 17:51:58 -06:00
jvazquez-r7 4c897c5181 added module for ZDI-12-154 2012-12-24 16:23:19 +01:00
jvazquez-r7 02782258eb fix eol for ms12_004_midi 2012-12-21 21:01:39 +01:00
sinn3r 3c398d0e62 Final cleanup 2012-12-21 10:46:36 -06:00
sinn3r 4c58991c89 Cleanup ROP a little 2012-12-21 10:35:28 -06:00
sinn3r e95f0267c6 Update for some leaky icky 2012-12-21 10:03:38 -06:00
jvazquez-r7 f820ffb32d update authors 2012-12-18 23:57:29 +01:00
jvazquez-r7 8a07d2e53d Added module for ZDI-12-168 2012-12-18 23:48:53 +01:00
jvazquez-r7 3ed36bd66a trying to fix stability issues on w7 2012-12-17 19:17:36 +01:00
jvazquez-r7 bce7d48931 comment updated 2012-12-14 23:55:12 +01:00
jvazquez-r7 0a0b26dc2c after study the crash after the overflow... 2012-12-14 23:54:44 +01:00
jvazquez-r7 3e3f35419b Added module for CVE-2010-2590 2012-12-14 12:50:29 +01:00
sinn3r f5193b595c Update references 2012-12-10 11:42:21 -06:00
sinn3r 811bc49bfd Merge branch 'bug/rm7593-flash-otf' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-bug/rm7593-flash-otf 2012-12-08 17:16:14 -06:00
sinn3r 3f1cfcc184 More changes 2012-12-07 13:47:07 -06:00
jvazquez-r7 1aaecbcf0c cleanup and user agent check 2012-12-07 20:38:08 +01:00
sinn3r a1336c7b5a Some more changes 2012-12-07 13:32:44 -06:00
sinn3r 9838a2c75f This never works for us. Gonna ditch it. 2012-12-07 13:02:26 -06:00
jvazquez-r7 b0be8dc4df history exploit cleanup 2012-12-07 19:23:00 +01:00
sinn3r 38f2348c33 First changes 2012-12-07 11:27:09 -06:00
sinn3r a872362a65 Merge branch 'maxthon3' of git://github.com/malerisch/metasploit-framework into maxthon 2012-12-07 11:17:15 -06:00
James Lee 8812285678 Move print of my_target.name to after nil check
Avoids
  "Exception handling request: undefined method `name' for nil:NilClass"
when we don't have a target for the connecting browser.

[FixRM #7593]
2012-12-07 11:00:24 -06:00
malerisch 5e28563e4e Advisories URLs changed 2012-12-05 14:33:25 -08:00
sinn3r b395f8f96d Only XP for target coverage 2012-11-27 10:48:20 -06:00
sinn3r 2e71fc740e No badchars, then no need to have the key 2012-11-27 10:46:20 -06:00
jvazquez-r7 8c53b275c6 Added module for cve-2012-3753 2012-11-27 12:10:00 +01:00
malerisch 6dfda6da37 Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 15:53:58 -08:00
sinn3r 89ddedf773 If no badchars, no need to specify. 2012-11-23 18:46:50 -06:00
jvazquez-r7 4c9b8d4567 targets updated 2012-11-23 18:48:59 +01:00
jvazquez-r7 52ff38ad8a add module for cve-2012-3752 2012-11-22 19:56:12 +01:00
jvazquez-r7 91e6b7cd28 added ie8 target 2012-10-31 11:57:38 +01:00
sinn3r ec8a2955e1 Add OSVDB-86723 Aladdin Knowledge System ChooseFilePath Bof 2012-10-31 03:32:43 -05:00
sinn3r ede5d0f46b This is meant to be a warning, so we use print_warning 2012-10-24 00:55:54 -05:00
sinn3r 799c22554e Warn user if a file/permission is being modified during new session 2012-10-24 00:54:17 -05:00
Michael Schierl 910644400d References EDB cleanup
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
Michael Schierl e9f7873afc Version cleanup
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
sput-nick 60dc83748c Update modules/exploits/windows/browser/mozilla_mchannel.rb 2012-10-17 12:25:44 -03:00
sinn3r 55c0cda86c Merge branch 'fix_vprint_reduceright' of git://github.com/kernelsmith/metasploit-framework into kernelsmith-fix_vprint_reduceright 2012-10-11 16:55:52 -05:00
kernelsmith c911eeece2 change vprint_error to print_error
exploits/windows/browser/mozilla_reduceright does not tell you when an
incompatible browser connects like most other browser exploits do
(unless verbose is true).  This change just changes the vprint to print
to be more consistent w/other browser exploits
2012-10-11 16:51:17 -05:00
sinn3r 1ea73b7bd2 Small description change and favor the use of print_error 2012-10-10 13:37:23 -05:00
jvazquez-r7 f32ce87071 delete comment added by error 2012-10-10 19:32:25 +02:00
jvazquez-r7 13e914d65e added on_new_session handler to warn users about cleanup 2012-10-10 19:31:38 +02:00
jvazquez-r7 37dc19951b Added module for ZDI-12-169 2012-10-10 19:14:54 +02:00
jvazquez-r7 0acd9e4eec Merge branch 'ms10_002_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms10_002_ropdb_update 2012-10-07 17:49:45 +02:00
sinn3r bdb9b75e1e Use RopDb, and print what target the module has selected. 2012-10-07 01:42:29 -05:00
sinn3r 5b656087b5 Use RopDb in adobe_flash_otf_font, also cleaner code & output 2012-10-06 21:03:41 -05:00
sinn3r 94d5eb7a8c Use RopDb in MS11-050, and correct autopwninfo 2012-10-06 01:45:40 -05:00
sinn3r 769fa3743e Explain why the user cannot modify the URIPATH 2012-10-05 17:24:06 -05:00
sinn3r 21ea77ff8b Fix spaces 2012-10-05 15:40:37 -05:00
sinn3r 33db3d9610 RopDb for ntr_activex_check_bof.rb 2012-10-05 14:09:59 -05:00
sinn3r f92843c96e RopDb for ie_execcommand_uaf.rb 2012-10-05 13:49:17 -05:00
sinn3r 9a53a49625 RopDb for vlc_amv.rb 2012-10-05 12:54:16 -05:00
sinn3r d9278d82f8 Adopt RopDb for msxml_get_definition_code_exec.rb 2012-10-05 12:20:41 -05:00
sinn3r 6fc8790dd7 Adopt RopDb for ms12_037_same_id.rb 2012-10-05 12:17:19 -05:00
sinn3r 1268614d54 Adopt RopDb for adobe_flash_mp4_cprt.rb 2012-10-05 11:15:53 -05:00
sinn3r 98931e339a Adopt RopDb for adobe_flash_rtmp.rb 2012-10-05 11:05:19 -05:00
sinn3r 631a06f3bb Adopt RopDb for adobe_flashplayer_flash10o.rb 2012-10-05 10:55:55 -05:00
sinn3r 77438d2fc7 Make URI modification more obvious, and let the user know why 2012-10-04 17:52:04 -05:00
kernelsmith 6ef87d1695 update info to reflect use of webdav
ms10_042_helpctr_xss_cmd_exec.rb doesn't tell you that it's going to
use webdav, and it's options dont' have the (Don't change) warning for
SRVPORT and URIPATH.  This update fixes all that
2012-10-04 14:09:53 -05:00
sinn3r 2db2c780d6 Additional changes
Updated get_target function, comment for original author, possible
bug in handling page redirection.
2012-09-24 17:38:19 -05:00
jvazquez-r7 2784a5ea2d added js obfuscation for heap spray 2012-09-24 21:28:34 +02:00
sinn3r 57b3aae9c0 Only JRE ROP is used 2012-09-24 10:21:02 -05:00
jvazquez-r7 d476ab75cc fix comment 2012-09-24 10:03:31 +02:00
jvazquez-r7 f3a64432e9 Added module for ZDI-12-170 2012-09-24 10:00:38 +02:00
sinn3r d3611c3f99 Correct the tab 2012-09-21 12:29:24 -05:00
sinn3r 25f4e3ee1f Update patch information for MS12-063 2012-09-21 12:28:41 -05:00
sinn3r 54b98b4175 Merge branch 'ntr_activex_check_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ntr_activex_check_bof 2012-09-20 16:43:20 -05:00
sinn3r 4ead0643a0 Correct target parameters 2012-09-20 16:41:54 -05:00
sinn3r 41449d8379 Merge branch 'ntr_activex_stopmodule' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ntr_activex_stopmodule 2012-09-20 16:33:12 -05:00
Tod Beardsley a5ffe7297f Touching up Kernelsmith's wording.
It is merely the ROP chain, not the vuln, that requires Java.
2012-09-20 14:52:52 -05:00
jvazquez-r7 e98e3a1a28 added module for cve-2012-0266 2012-09-20 19:03:46 +02:00
jvazquez-r7 b61c8b85b8 Added module for CVE-2012-02672 2012-09-20 19:02:20 +02:00
kernelsmith f1a39c76ed update to ie_execcommand_uaf's info to add ROP info
This module requires the following dependencies on the target for the
ROP chain to function.  For WinXP SP3 with IE8, msvcrt must be present
(which it is on default installs).  For Vista/Win7 with IE8 or Win7
with IE9, ire 1.6.x or below must be installed.
2012-09-19 14:10:02 -05:00
sinn3r cc8102434a CVE assigned for the IE '0day' 2012-09-18 16:13:27 -05:00
Tod Beardsley 25475ffc93 Msftidy fixes.
Whitespace on ie_execcommand_uaf, and skipping a known-weird caps check
on a particular software name.
2012-09-18 11:25:00 -05:00
sinn3r 5fbc4b836a Add Microsoft advisory 2012-09-17 22:13:57 -05:00
Tod Beardsley 75bbd1c48d Being slightly more clear on Browser Not Supported
With this and the rest of sinn3r's fixes, it looks like we can close the
Redmine bug.

[FixRM #7242]
2012-09-17 11:16:19 -05:00
sinn3r d77ab9d8bd Fix URIPATH and nil target
Allow random and '/' as URIPATh, also refuse serving the exploit
when the browser is unknown.
2012-09-17 10:54:12 -05:00
Tod Beardsley 48a46f3b94 Pack / Unpack should be V not L
Packing or unpacking to/from L, I, or S as pack types will cause
problems on big-endian builds of Metasloit, and are best avoided.
2012-09-17 09:52:43 -05:00
Tod Beardsley d77efd587a Merge remote branch 'wchen-r7/ie_0day_execcommand' 2012-09-17 08:48:22 -05:00
sinn3r 5eaefcf4c7 This is the right one, I promise 2012-09-17 08:41:25 -05:00
sinn3r 8f50a167bd This is the right module 2012-09-17 08:36:04 -05:00
sinn3r e43cae70a7 Add IE 0day exploiting the execcommand uaf 2012-09-17 08:28:33 -05:00
Tod Beardsley 39f2cbfc3c Older targets confirmed for CoolType SING 2012-09-12 16:51:51 -05:00
sinn3r 783ffb13c2 Add Adobe security bulletin references 2012-09-04 00:07:53 -05:00
sinn3r 9d97dc8327 Add Metasploit blogs as references, because they're useful. 2012-09-03 15:57:27 -05:00
sinn3r 8e56d4f2eb This reference is too damn useful, must add 2012-08-25 16:05:58 -05:00
sinn3r d51f8cad25 Change title and description 2012-08-24 15:39:56 -05:00
jvazquez-r7 57c6385279 heap spray from flash works pretty well on ie9 too 2012-08-22 20:47:11 +02:00
jvazquez-r7 730c0e9368 added windows vista and w7 targets 2012-08-22 20:13:10 +02:00
sinn3r f715527423 Improve CVE-2012-1535 2012-08-21 19:58:21 -05:00
sinn3r d1370c0f33 Alexander Gavrun gets a cookie 2012-08-17 12:23:49 -05:00
sinn3r 53a835dc85 Imply that we only garantee 11.3 2012-08-17 12:18:45 -05:00
sinn3r 13df1480c8 Add exploit for CVE-2012-1535 2012-08-17 12:16:54 -05:00
jvazquez-r7 44dd8b0cc5 Merge branch 'update_juan_author' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-update_juan_author 2012-08-06 19:04:26 +02:00
jvazquez-r7 c2cc4b3b15 juan author name updated 2012-08-06 18:59:16 +02:00
sinn3r 349c841f6b Blah, OSVDB ref shouldn't be a link 2012-08-06 11:57:59 -05:00
sinn3r 647b587f75 Merge branch 'Meatballs1-uplay' 2012-08-06 11:54:51 -05:00
sinn3r 69ff9e7c1c Lots of changes before commit. 2012-08-06 11:54:08 -05:00
sinn3r 25b2b2de68 Merge branch 'uplay' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-uplay 2012-08-06 11:33:27 -05:00
sinn3r 13aca3fe4c Merge branch 'oracle_autovue_setmarkupmode' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-oracle_autovue_setmarkupmode 2012-08-06 03:13:27 -05:00
Steve Tornio 79e04bb793 add osvdb ref 2012-08-05 09:02:11 -05:00