d43706b65e
It doesn't look like Vista shows the powershell prompt
2015-05-27 18:04:35 -05:00
53774fed56
Be more strict with Win 7 for MS14-064
...
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
e5d42850c1
Add support for Linux to CVE-2015-0336
2015-05-27 17:05:10 -05:00
95b5ff6bea
Minor fixups on recent modules.
...
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301 , @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces
Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in
Edited modules/auxiliary/scanner/http/title.rb first landed in #5333 ,
HTML Title Grabber
Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401 , multi-platform CVE-2015-0311 - Flash uncompress()
UAF
Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290 , Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
60cdf71e6c
Merge branch 'upstream-master' into bapv2
2015-05-26 15:56:48 -05:00
a0e0e3d360
Description
2015-05-25 17:24:41 -05:00
43f505b462
fix contact details
2015-05-25 19:31:50 +02:00
f953dc08d9
Land #5280 , @m-1-k-3's support for Airties devices to miniupnpd_soap_bof
2015-05-24 15:17:38 -05:00
10baf1ebb6
echo stager
2015-05-23 15:50:35 +02:00
60b0be8e3f
Fix a lot of bugs
2015-05-23 01:59:29 -05:00
5bceeb4f27
Land #5349 , @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation
2015-05-22 17:14:20 -05:00
9600f6a30a
rm deprecated exploit
2015-05-22 17:14:08 -05:00
6de75ffd9f
Merge branch 'upstream-master' into bapv2
2015-05-22 17:11:03 -05:00
eb5aadfb4e
Land #5401 , multi-platform CVE-2015-0311 - Flash uncompress() UAF
2015-05-22 16:50:13 -05:00
3aa1ffb4f5
Do minor code cleanup
2015-05-22 16:20:36 -05:00
2bb6f390c0
Add session limiter and fix a race bug in notes removal
2015-05-22 12:22:41 -05:00
03b70e3714
Land #5388 , @wchen-r7's fixes #5373 by add info to BrowserRequiements
2015-05-22 10:21:59 -05:00
6da94b1dd5
Deprecate windows module
2015-05-21 15:01:41 -05:00
b9f9647ab1
Use all the BES power
2015-05-21 14:06:41 -05:00
6e8ee2f3ba
Add whitelist feature
2015-05-21 00:05:14 -05:00
aa919da84d
Add the multiplatform exploit
2015-05-20 18:57:59 -05:00
2cadd5e658
Resolve #5373 , Add ActiveX info in BrowserRequirements
...
Resolve #5373
2015-05-20 16:34:09 -05:00
44f8cf4124
Add more size to stagers, adjust psexec payloads
...
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. i can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
a93565b5d1
Add 'Payload' section with 'Size' to psexec_psh
...
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.
This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
89be3fc1f2
Do global requirement comparison in BAP
2015-05-18 16:27:18 -05:00
d99eedb1e4
Adding begin...ensure block
2015-05-17 20:48:11 +02:00
acb053a2a7
CloseHandle cleanup
2015-05-17 20:39:10 +02:00
2882374582
Land #5276 , @lanjelot fixes #4243 and improves java_jdwp_debugger
2015-05-15 11:12:10 -05:00
a46975f1f0
Fix read_reply to use get_once correctly
2015-05-15 11:11:25 -05:00
e075495a5b
string concatenation, clear \ handling
2015-05-15 06:51:42 +02:00
94d39c5c75
remove hard coded pipe name
2015-05-15 06:35:55 +02:00
bb4f5da6d9
replace client.sys.config.getenv with get_env
2015-05-15 06:33:57 +02:00
8bcdd08f34
Some basic code in place for real-time exploit list generation
2015-05-14 19:09:38 -05:00
bba261a1cf
Initial version
2015-05-15 00:36:03 +02:00
1a8ab91ce3
Configurable max exploits
2015-05-13 16:23:22 -05:00
7617217eff
Add ability to exclude
2015-05-13 15:55:19 -05:00
0fb21af247
Verify deletion at on_new_session moment
2015-05-11 18:56:18 -05:00
30b1c508f1
javascript portion
2015-05-10 16:50:32 -05:00
eeb87a3489
Polish up module
2015-05-09 14:33:41 -05:00
fe907dfe98
Fix the disclosure date
2015-05-09 10:44:28 -05:00
cb51bcc776
Land #5147 , @lightsey's exploit for CVE-2015-1592 MovableType deserialization
2015-05-09 01:56:38 -05:00
89bc405c54
Do minor code cleanup
2015-05-09 01:54:05 -05:00
8e86a92210
Update
2015-05-08 00:25:34 -05:00
71518ef613
Land #5303 , metasploit-payloads Java binaries
2015-05-07 22:39:54 -05:00
2f2169af90
Use single quotes consistently
2015-05-07 22:39:36 -05:00
95f087ffd3
Some progress
2015-05-07 19:26:38 -05:00
51bb4b5a9b
Add module for CVE-2015-0359
2015-05-07 17:00:00 -05:00
a066105a86
prefer reading directly with MetasploitPayloads where possible
2015-05-07 16:59:02 -05:00
134a674ef3
Land #5312 , @todb-r7's release fixes
2015-05-07 15:34:31 -05:00
1469a151ad
Land #5290 , Wordpress RevSlider Module
2015-05-07 22:15:56 +02:00
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
b8c7161819
Fix up NameError'd payload_exe
2015-05-06 11:34:05 -05:00
59ffe5d98f
Land #5306 , payload_exe NameError fix
2015-05-06 11:29:29 -05:00
4b0f54f0aa
Land #5305 , CVE-2015-0336 Flash NetConnection Type Confusion
2015-05-06 11:26:22 -05:00
97807e09ca
Lad #5125 , Group Policy startup exploit
2015-05-06 11:17:01 -05:00
5b57e4e9ca
Add info about the waiting time
2015-05-06 11:15:11 -05:00
94d1905fd6
Added WPVDB reference
...
Added a link to the new WPVDB article 7540 that @FireFart provided.
2015-05-06 05:41:02 -05:00
c293066198
Leverage check_version_from_custom_file in PR #5292
...
Change the 'check' code to leverage check_version_from_custom_file added to wordpress/version.rb by @FireFart in PR #5292
2015-05-06 05:41:02 -05:00
18697d8d02
Fixed the following based on feedback from @FireFart ( Thanks! )
...
- Adjusted references section
- Corrected call to normalize_uri
- Removed unnecessary require for rex/zip
2015-05-06 05:41:02 -05:00
8cb18f8afe
Initial commit of code
2015-05-06 05:41:02 -05:00
5cb8b9a20a
Fix #5304
2015-05-05 22:25:06 -04:00
582919acac
Add module for CVE-2015-0336
2015-05-05 17:25:19 -05:00
a0c806c213
Update java meterpreter and payload references to use metasploit-payloads
2015-05-05 15:01:00 -05:00
c988447c18
title enhancement, OSVDB ref
...
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
c8123c147f
upnp vs hnap
2015-05-05 20:57:05 +02:00
73f7885eea
add comment
2015-05-29 23:08:55 +02:00
b95be1b25f
Support information to include logon scripts
2015-05-04 15:49:19 -05:00
dc42a3ee1a
add OSVDB ref
...
add OSVDB ref
2015-05-04 14:27:44 -06:00
c7e05448e7
various MIPS vs MIPSBE fixes
2015-05-04 12:55:21 +02:00
67a23f2c74
Land #5296 , info hash product name fix
2015-05-03 14:36:25 -05:00
4bfb9262e6
Add exploit module for MovableType CVE-2015-1592
...
This module targets the deserialization of untrusted Storable data in
MovableType before 5.2.12 and 6.0.7. The destructive attack will
function on most installations, but will leave the webapp corrupted.
The non-destructive attack will only function on servers that have the
Object::MultiType (uncommon) and DateTime (common) Perl modules
installed in addition to MovableType.
2015-05-03 14:18:01 -05:00
a5c10b7f10
Fix product name
...
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
53043dcbbc
make msftidy happy
2015-05-03 18:14:51 +02:00
6fbce56a52
realtek upnp command injection
2015-05-03 18:09:22 +02:00
db999d2c62
Remove ff 31-34 exploit from autopwn, requires interaction.
2015-05-03 10:42:21 -05:00
1bc6822811
Delete Airties module
2015-05-22 11:57:45 -05:00
70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof
2015-05-22 11:57:19 -05:00
a531ad9ec2
Land #5096 , @pedrib's exploit for Novell ZCM CVE-2015-0779
2015-05-01 14:35:28 -05:00
0ff33572a7
Fix waiting loop
2015-05-01 14:34:43 -05:00
645f239d94
Change module filename
2015-05-01 14:18:34 -05:00
11a3f59b0b
Return false if there isn't a positive answer
2015-05-01 14:06:57 -05:00
093c2e3ace
Do minor style cleanup
2015-05-01 13:56:48 -05:00
d38adef5cc
Make TOMCAT_PATH optional
2015-05-01 13:54:39 -05:00
d2a7d83f71
Avoid long sleep times
2015-05-01 13:51:52 -05:00
8fcf0c558d
Use single quotes
2015-05-01 13:20:27 -05:00
08b5f71f99
More options
2015-04-30 19:09:08 -05:00
5ae06310b6
Do some option handling
2015-04-30 18:59:44 -05:00
aa59b3acc6
title enhancement, description touch-up
...
Expanded title to be more precise and standardized use of vendor name
2015-04-30 17:23:15 -06:00
89d026c900
Fix merge conflict
2015-04-30 12:33:45 -05:00
5ab9f01eee
Use byte[] so it works even if Base64 unavailable
2015-04-30 12:46:14 +10:00
15bb4d1ea4
Fix #4243 , regression introduced by commit 6e80481384
2015-04-30 12:42:39 +10:00
ca32db3e23
Merge branch 'upstream-master' into BAPv2
2015-04-29 18:53:37 -05:00
d773f85dca
Add reference to malware
2015-04-29 17:53:29 -05:00
dbba466b5b
Add module for CVE-2014-8440
2015-04-29 17:52:04 -05:00
5defb50252
Fix #5267 , references fixes
2015-04-29 14:21:23 -05:00
a4531e62a0
Clean up references
2015-04-29 14:21:08 -05:00
b2d08251e4
Move reference
2015-04-29 14:18:45 -05:00
fd567195e3
Fix punctuation and missing comma
2015-04-29 14:12:44 -05:00
5f0736fa4c
enhance title and description, add OSVDB reference, standardized JBoss
2015-04-29 11:39:40 -06:00
65b7659d27
Some progress
2015-04-29 01:01:36 -05:00
43492b7c67
Some progress
2015-04-28 18:17:32 -05:00
c01fc829ab
Title enhancement, OSVDB refs
2015-04-28 15:56:34 -06:00
d8b8017e0b
remove debugging
2015-04-27 06:36:34 +02:00
8db88994ac
fingerprint, title
2015-04-27 06:34:46 +02:00
285d767e20
initial commit of UPnP exploit for Airties devices
2015-04-27 05:34:30 +02:00
b537c8ae2c
Changed fail_with output.
2015-04-26 01:28:55 -03:00
a4b4d7cf6a
Add WordPress Front-end Editor File Upload Vuln
2015-04-25 22:00:05 -03:00
ff96101dba
Land #5218 , fix #3816 , remove print_debug / DEBUG
2015-04-24 13:41:07 -05:00
7167dc1147
Land #5243 , @espreto's WordPress WPshop eCommerce File Upload exploit
2015-04-24 11:30:28 -05:00
558103b25d
Do code cleanup
2015-04-24 11:30:08 -05:00
8a8d9a26f4
Do code cleanup
2015-04-24 10:47:46 -05:00
b5223912cb
Fix check method
2015-04-24 10:41:41 -05:00
c9b4a272e3
Changed fail_with output.
2015-04-24 12:16:23 -03:00
e14c6af194
Removed double 'Calling payload'.
2015-04-24 06:26:04 -03:00
01efc97c4a
Add WordPress WPshop eCommerce File Upload.
2015-04-24 06:21:49 -03:00
5bf4c9187a
Removed double "Calling payload..."
2015-04-23 03:41:34 -03:00
844f768eee
Add WordPress InBoundio Marketing File Upload
2015-04-23 03:32:17 -03:00
f5b0a7e082
include rop gadget description
2015-04-23 00:11:02 +02:00
1ec0e09a43
msftidy
2015-04-22 10:32:47 +02:00
58099d0469
airties login bof module
2015-04-22 10:21:58 +02:00
92c91c76f7
Proftpd 1.3.5 Mod_Copy Command Execution
2015-04-22 01:41:16 -04:00
3f40342ac5
Fix sock_sendpage
2015-04-21 14:17:19 -05:00
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
4f59abe842
Land #5203 , @Meatballs1 fixes #5199 by using the correct namespace
...
* Fixes web_delivery
2015-04-20 11:20:48 -05:00
eb1c01417a
Bogus :
2015-04-20 11:00:26 +01:00
aa4f913800
Resolves #5199
...
Fix Powershell namespace in web_delivery module
2015-04-20 09:37:42 +01:00
a60fe4af8e
Land #5201 , Change module wording to conform with other WP modules
2015-04-20 10:07:05 +02:00
1a32cf7fc0
Change module wording to conform with other WP modules.
2015-04-20 16:48:35 +10:00
a5583debdc
Land #5131 , WordPress Slideshow Upload
2015-04-19 23:12:26 +02:00
c1a1143377
Remove line in description and output line in fail_with
2015-04-18 15:38:42 -03:00
b991dec0f9
Dlink UPnP SOAP-Header Injection
2015-04-17 22:54:32 +02:00
4f903a604c
Fix #5103 , Revert unwanted URI encoding
...
Fix #5103 . By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
bba0927c7e
Land #5163 , WordPress Reflex Gallery Plugin File Upload
2015-04-17 11:26:34 +02:00
3927024f79
Land #5154 , CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
...
sage aborts
2015-04-16 21:21:09 -05:00
153344a1dd
fix Unkown typo
2015-04-16 23:59:28 +02:00
33cf2f1578
Added Faliure:: symbol to fail_with
2015-04-16 17:40:25 -03:00
2138325129
Add Failure:: symbol to fail_with
2015-04-16 17:15:24 -03:00
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
b4b8ac0849
moar fail_with's
2015-04-16 21:26:37 +02:00
a193ae42b0
moar fail_with's
2015-04-16 21:25:05 +02:00
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
f0d6735332
Land #5165 , version number correction
2015-04-16 12:10:12 -05:00
26f2b350d2
Land #5168 , more fail_with fixes
2015-04-16 12:04:55 -05:00
904339f0d7
Fix #5130 , Correct use of fail_with in wp_worktheflow_upload.rb
2015-04-16 10:32:50 -05:00
5c98270f4d
Fix #5137 - Correct use of fail_with
2015-04-16 09:57:02 -05:00
418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload
2015-04-16 16:24:41 +02:00
7f79acb996
Land #5137 , WordPress N-Media Website File Upload
2015-04-16 16:17:20 +02:00
517ad54617
Fix the correct version in check.
2015-04-16 10:56:43 -03:00
95310dbe4f
Fix 'if' condition.
2015-04-16 10:51:36 -03:00
626a9f0508
Fix the correct version in check.
2015-04-16 10:46:08 -03:00
6ef074cd28
Fix the correct version in check
2015-04-16 10:34:34 -03:00
d9f4c7548f
Land #5136 , WordPress Creative Contact Form upload
2015-04-16 15:17:14 +02:00
84c74b8d42
use correct version number
2015-04-16 15:01:54 +02:00
ee8dc49a25
Fix wrong version in check.
2015-04-16 09:45:18 -03:00
e16cc6fa82
Fix the correct version in check.
2015-04-16 09:38:42 -03:00
7dde7f6f7c
Land #5130 , WordPress WorkTheFlow Upload
2015-04-16 14:06:37 +02:00
dc7f161339
Add author, EDB, OSVDB and WPVDB.
2015-04-16 08:56:33 -03:00
1112a3b0ae
Add WordPress Reflex Gallery Plugin File Upload
2015-04-16 08:40:51 -03:00
4aa4f83372
Removed timeout 2.
2015-04-16 05:37:11 -03:00
39556c10c7
Rewrote check method.
2015-04-16 05:36:20 -03:00
ace316a54f
Added WPVDB and EDB references.
2015-04-16 05:29:21 -03:00
10c218319a
Rewrote response condition.
2015-04-16 05:26:48 -03:00
5cb9b1a44c
Removed timeout 2.
2015-04-16 05:21:59 -03:00
0e1b173d15
Renamed USER/PASSWORD to WP_USER/WP_PASSWORD.
2015-04-16 05:11:56 -03:00
13ded8abe7
Added WPVDB.
2015-04-16 05:08:45 -03:00
64923ffdc2
Fixed plugin name in check method
2015-04-16 05:06:36 -03:00
e9212c4d6b
wordpress_url_admin_ajax intead of wordpress_url_backend
2015-04-16 04:53:05 -03:00
81d898fd7e
Rewrote check code.
2015-04-16 04:51:40 -03:00
aeb0484889
Removed timeout 2.
2015-04-16 04:48:00 -03:00
e6e9c173e3
Rewrote res conditions.
2015-04-16 04:43:34 -03:00
d11db4edc7
Rewrote check code.
2015-04-16 04:37:30 -03:00
f13d31c7c2
Added WPVDB.
2015-04-16 04:31:23 -03:00
cccda4e851
Removed unnecessary line.
2015-04-16 04:27:15 -03:00
d3a6de761d
Removed timeout 2.
2015-04-16 04:09:02 -03:00
01625e3bba
Land #5148 , DRY BSD/OS X shellcode
...
Also fix a semi-regression in the Rootpipe exploit.
2015-04-16 02:08:18 -05:00
13da15e434
Add default PAYLOAD again
...
PrependSetreuid doesn't work with generic/shell_reverse_tcp.
2015-04-16 02:07:02 -05:00
1249f29ee8
Add JSON::ParserError exception handler.
2015-04-16 04:03:54 -03:00
c1753672bf
Delete file_contents initialization
2015-04-15 17:58:32 -05:00
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
ef6bf54e2f
Fix metadata
2015-04-15 09:22:59 -05:00
1da6b32df7
Land #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
...
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
6019bbe0d2
Add ranking comment
2015-04-15 09:12:03 -05:00
ad465c4d5b
Do code cleanup
2015-04-15 09:10:18 -05:00
b5335ab266
Some progress, mostly documentation
2015-04-14 19:03:08 -05:00
aca93cc86e
Add missing Rank
2015-04-14 13:33:37 -05:00
6c9cc7c725
Some progress
2015-04-14 13:30:34 -05:00
4486831ba3
Module loading portion
2015-04-14 01:33:02 -05:00
e114c85044
Land #5127 , x64 OS X prepend stubs 'n' stuff
2015-04-14 01:25:39 -05:00
a09e643a71
Add author, URL, WPVDB and disclosure date.
2015-04-13 22:54:05 -03:00
271a81778e
Add Module WP N-Media Website Contact Form Upload
2015-04-13 22:48:34 -03:00
7f10fb5bf0
Fix disclosure date
2015-04-13 18:53:20 -03:00
e94ca0bdd1
Add EDB, OSVDB and author.
2015-04-13 18:42:17 -03:00
d5d975c450
Add Module WordPress Creative Contact Form Upload
2015-04-13 18:38:43 -03:00
e324819feb
Add Privileged to info hash
...
Also remove default payload. Was set for CMD.
2015-04-13 15:23:30 -05:00
bd3b6514fa
Dubbed. Whump whump.
2015-04-13 10:52:32 -05:00
d87483b28d
Squashed commit of the following:
...
commit 49f480af8b9d27e676c02006ae8873a119e1aae6
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:42:13 2015 -0500
Fix funny punctuation on rootpipe exploit title
See #5119
commit 0b439671efd6dabcf1a69fd0b089c28badf5ccff
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:37:39 2015 -0500
Fix vendor caps
Trusting the github repo README at
https://github.com/embedthis/goahead
See #5101
2015-04-13 10:46:47 -05:00
7b57496501
Fix typo and add email addr.
2015-04-13 04:12:32 -03:00
abee3f17c4
Add author, CVE and EDB references
2015-04-13 04:08:34 -03:00
58c4042321
Add Module WP Slideshow Gallery Shell Upload
2015-04-13 03:56:59 -03:00
2d1f8c510e
Add author and references
2015-04-12 21:21:49 -03:00
9f06cee53d
Add Module WordPress WorkTheFlow Shell Upload
2015-04-12 21:09:44 -03:00
c132a3fb0a
Fix OSX prepends and implement x64 setreuid.
2015-04-11 20:04:21 -05:00
656abac13c
Use keyword arguments
2015-04-10 18:03:45 -05:00
1720d4cd83
Introduce get_file_contents
2015-04-10 17:34:00 -05:00
ca6a5cad17
support changing files
2015-04-10 16:53:12 -05:00
b2e17a61a9
Fix disclosure date
2015-04-10 13:09:24 -05:00
ab944b1897
Add module to exploit dangerous group policy startup scripts
2015-04-10 13:01:50 -05:00
3313dac30f
Land #5119 , @wvu's addition of the OSX rootpipe privesc exploit.
...
orts
borts
2015-04-10 12:38:25 -05:00
4419c1c728
Land #5120 , Adobe Flash Player casi32 Integer Overflow
2015-04-10 12:18:11 -05:00
fc814a17ae
Add admin check
...
Also break out version check.
2015-04-10 11:24:49 -05:00
41885133d8
Refactor and clean
...
Finally breaking free of some stubborn old habits. :)
2015-04-10 11:22:27 -05:00
a7601c1b9a
Use zsh to avoid dropping privs
...
Also add some configurable options.
2015-04-10 11:22:00 -05:00
4cc6ac6eaa
Clarify vulnerable versions
2015-04-10 11:22:00 -05:00
c4b7b32745
Add Rootpipe exploit
2015-04-10 11:22:00 -05:00
c6f062d49e
Ensure that local variable `upload_path` is defined
...
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
91f5d0af5a
Add module for CVE-2014-0569
...
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
4808d61af3
Add OSVDB id and full disclosure URL
2015-04-09 16:32:22 +01:00
e03f2df691
Land #5002 , RMI/JMX improvements
2015-04-08 15:23:29 -05:00
cf8b92b747
Create zcm_file_upload.rb
2015-04-07 16:05:51 +01:00
7a2d3f5ebd
Land #5082 , firefox_proxy_prototype autopwn_info
2015-04-06 13:36:03 -05:00
e1af495d21
Add extra release fixes
2015-04-06 13:08:40 -05:00
b62011121b
Minor word choice fix on Solarwinds exploit
...
Removing the second person pronoun usage.
[See #5050 ]
2015-04-06 12:40:22 -05:00
5be5b6097c
Minor grammar on #5030 , Adobe Flash
...
[See #5030 ]
2015-04-06 12:36:25 -05:00
1e6d895975
Description fixes on #4784 , jboss exploit
...
Also, needed to run through msftidy.
[See #4784 ]
2015-04-06 12:34:49 -05:00
cd65e6f282
Add browser_autopwn info to firefox_proxy_prototype
2015-04-06 10:42:32 +05:00
56dc7afea6
Land #5068 , @todb-r7's module author cleanup
2015-04-03 16:00:36 -05:00
e3bbb7c297
Solve conflicts
2015-04-03 14:57:49 -05:00
828301a6cc
Land #5050 , @wchen-r7's exploit for Solarwinds Firewall Security Manager
...
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
7c9b19c6f8
Do minor cleanup
2015-04-03 11:53:50 -05:00
0f7c644fff
Land #4784 , JBoss Seam 2 upload exec exploit
2015-04-02 22:32:35 -05:00
3ff91d74ca
More cleanup, mostly abysssec
...
[See #5012 ]
2015-04-02 16:16:38 -05:00
11057e5b3b
Fix up the last couple from Tenable, missed last
...
[See #5012 ]
2015-04-02 15:27:46 -05:00
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
6532fad579
Remove credits to Alligator Security Team
...
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.
The one that didn't was credited to dflah_ specifically, so merely
changed the author name.
Longer description, if needed, wrapped at 72 characters.
[See #5012 ]
2015-04-02 15:12:22 -05:00
b17727d244
Switching to privileged => false
2015-04-01 14:35:45 -05:00
0825534d2c
Fix reference
2015-04-01 14:16:45 -05:00
8ec71e9daf
Add a module for R7-2015-05
2015-04-01 14:05:41 -05:00
02a5730d92
Use calculate_interface_hash
2015-04-01 12:09:42 -05:00
0b14a18ad2
This is final
2015-04-01 12:00:49 -05:00
f954ff78c0
Fix typo
2015-04-01 10:51:54 -05:00
0ee858cd65
Some useful messages
2015-04-01 01:41:31 -05:00
8ad07cdc0f
This should be on the right track
2015-04-01 01:27:50 -05:00
6795c90eac
Some progress
2015-03-31 20:46:34 -05:00
97305629cb
Add Solarwinds FSM module
...
starter
2015-03-31 16:21:52 -05:00
8ea1ffc6ff
Land #5030 , CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
28b9e89963
removed duplicate "uses" from description
2015-03-29 19:40:31 -04:00
ef8c0aac69
Land #5020 , spelling fixes for some modules
2015-03-28 00:36:04 -05:00
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
9cfafdd8b8
Land #4649 , improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
4f4bf9debb
paylod vs payload
2015-03-27 11:55:15 -07:00
0a8fe781d1
paylod vs payload
2015-03-27 11:54:14 -07:00
5ba614a325
payloda vs payload
2015-03-27 11:53:20 -07:00
2d81460583
Explot vs Exploit
2015-03-27 11:37:11 -07:00
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
48484c1f09
Filed vs Failed fix
2015-03-27 11:27:36 -07:00
b57eb0897e
BAP v2 place holder
2015-03-27 03:08:24 -05:00
955c0557e0
Land #4988 , Relative URL for ms14_064_ole_code_execution
2015-03-26 13:36:37 -05:00
d81a246660
target_uri
2015-03-26 12:16:20 +01:00
b7f469b747
feedback
2015-03-26 07:39:36 +01:00
d84c48cb7d
Use newer hash syntax
2015-03-25 13:39:34 -05:00
72a0909e9b
Land #4992 , @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge
2015-03-25 13:30:36 -05:00
356e8c727c
Add specs for Msf::Java::Rmi::Client::Jmx::Server
2015-03-24 18:56:58 -05:00
39e87f927a
Make code consistent
2015-03-24 11:44:26 -05:00
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
7c456f2ad8
Land #4993 , ams_xfr "payload_exe" NameError fix
2015-03-24 00:51:49 -05:00
8255e7a2dc
Fix #4987 - undef payload_exe for ams_xfr
...
Fix #4987
2015-03-24 00:42:22 -05:00
3dac6377d0
Fix #4983 , bad copy pasta'd deprecation year
2015-03-24 00:34:54 -05:00
fadac30f00
Fix deprecated year
2015-03-24 00:34:38 -05:00
6353154865
Land #4983 , renamed WordPress modules
2015-03-23 23:49:40 -05:00
e338b77389
Readd and deprecate renamed WordPress modules
2015-03-23 23:48:56 -05:00
db243a8225
x360_video_player_set_text_bof actually uses SetText for ActiveX
2015-03-23 23:36:20 -05:00
3248f02c2c
These exploits use :activex, so I update the usage for them
2015-03-23 19:34:24 -05:00
04341bfc78
Support JMX_ROLE again
2015-03-23 17:32:26 -05:00
d8d4c23d60
JMX code refactoring
2015-03-23 17:06:51 -05:00
962bb670de
Remove old JMX mixin
2015-03-23 15:48:10 -05:00
89e27d98ab
Use relative URL to GET payload for WinXP
...
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE
2015-03-23 13:44:41 -05:00
156520338d
Making some changes to how BES handles ActiveX
2015-03-23 12:21:27 -05:00
79068c8ec2
Delete JMX discovery stream
2015-03-23 10:21:37 -05:00
b191f92713
Renamed WordPress files to fit majority naming convention.
2015-03-23 18:15:04 +11:00
2d1adf6ef4
Land #4923 , @m-1-k-3's exploit for overflow on belkin routers
2015-03-22 02:05:35 -05:00
ee74bb3c5b
The default concat operator should be ok
2015-03-22 02:05:02 -05:00
5499b68e02
Do code cleanup
2015-03-22 01:58:32 -05:00
07b82ec640
Land #4974 , minishare_get_overflow WfsDelay change
2015-03-20 18:55:58 -05:00
859b54f8a3
Land #4956 , Qualys' Exim GHOST module
2015-03-20 18:44:30 -05:00
921b9eab8e
Update minishare_get_overflow.rb
...
set WfsDelay 30
2015-03-20 23:42:54 +01:00
505ecd32fb
Update minishare_get_overflow.rb
...
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
0c2ed21e90
Land #4318 , Lateral movement through PSRemoting
2015-03-20 11:39:35 -05:00
23d8479683
Fix typo
2015-03-20 11:39:00 -05:00
0da79edb9c
Add a print_status to let the user know the module is over
...
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
1b67a06d35
No banner var
2015-03-20 02:26:59 -05:00
b55ffc9ff1
Change option to FORCE_EXPLOIT
2015-03-20 01:44:10 -05:00
127d07342e
Remove trailing space
2015-03-20 01:36:56 +00:00
7426e72317
Grammar - traq_plugin_exec
2015-03-20 01:31:01 +00:00
5709d49aae
Clean up traq_plugin_exec
2015-03-20 01:19:46 +00:00
72794e4c1a
Removed double spaces
2015-03-20 01:16:49 +00:00
wchen-r7
jvazquez-r7
Tod Beardsley
Michael Messner
OJ
Hans-Martin Münch (h0ng10)
William Vu
HD Moore
Brent Cook
Christian Mehlmauer
Tom Sellers
Sam Roth
Darius Freamon
m-1-k-3
John Lightsey
joev
lanjelot
Roberto Soares
xistence
Meatballs
aushack
Jon Cave
Pedro Ribeiro
root
scriptjunkie
h00die
C-P
andygoblins
Adam Ziaja
g0tmi1k