Commit Graph

21020 Commits (4ea48a87cb0512d671b507805491f3505565b3cd)

Author SHA1 Message Date
Filipe Reis 94b05d7943 Joomla Account Creation and Privilege Escalation
This module allows to create an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3.
2016-10-26 23:11:38 +01:00
William Webb 9672759be8
Land #7462, Add support for Unicode domains 2016-10-26 16:47:09 -05:00
attackdebris 18c3d42aca This commit adds the kerberos_enumusers module 2016-10-26 20:56:41 +01:00
Brent Cook 1a1841d441 rebuilt metasploit-payloads without debug info 2016-10-26 05:43:36 -05:00
Brent Cook ed35bf5011 remove unneeded badchars from payload specification 2016-10-26 04:47:33 -05:00
Jon Hart 342bfd628a Dont' set default PORTS or PROBE options. Require user configuration. 2016-10-25 15:58:46 -05:00
Jon Hart 2a18ea0e33 Initial commit of generic module for detecting UDP amplification vulnerabilities 2016-10-25 15:58:46 -05:00
Louis Sato f7f28a0833 Land #7480, deprecation msg for udp_probe 2016-10-25 15:52:56 -05:00
David Maloney 6a31dad678
clean up some style guide issues with rubocop
applied rubocop to the module for some
tidying up
2016-10-25 11:24:32 -05:00
drforbin 94979f4541 changed formatting for else statements 2016-10-25 09:42:00 -05:00
drforbin 6f3c20069b fixed formatting errors for travis 2016-10-25 09:42:00 -05:00
drforbin 0ec153eb9c changed formatting, changed to OptPath. cleaned unneeded code 2016-10-25 09:41:59 -05:00
drforbin 3b9a441382 cleaned up write_target, and variables REXE 2016-10-25 09:41:59 -05:00
drforbin c3ada74728 changed formatting to comform with travis 2016-10-25 09:41:59 -05:00
drforbin 0395d57512 formatting changes and design changes. tested 2016-10-25 09:41:58 -05:00
drforbin 337e3b6cce added persistence_exe.rb to windows post modules 2016-10-25 09:41:58 -05:00
David Maloney c00df4dd71
Land #6969, Regsrv cmd delivery server module
This Lands kn0's PR for the Regsrv32 command delivery server
2016-10-24 11:46:59 -05:00
Jon Hart 7f65b28483
Deprecate udp_probe in favor of udp_sweep 2016-10-23 13:06:58 -07:00
Pearce Barry 51ffea3e03
Land #7470, fixes bad file refs for cmdstagers 2016-10-21 14:01:04 -05:00
David Maloney e442f5f76b
Land #7460, zoomeye search module
typo in previous land commit
2016-10-21 13:48:28 -05:00
David Maloney 264fe7b8f8 Land #7460, zoomeye search module 2016-10-21 13:47:46 -05:00
Pearce Barry 9a0307b0c0
Land #7369, Panda Antivirus Priv Esc 2016-10-21 13:20:41 -05:00
David Maloney 6b77f509ba
fixes bad file refs for cmdstagers
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced

Fixes #7466
2016-10-21 12:31:18 -05:00
David Maloney 05ffa0074c
Land 37460, zoomeye search module
Lands nixawk's zoomeye search aux module
2016-10-21 10:25:58 -05:00
nixawk ada571bfdf Fix login - check condition 2016-10-20 22:52:24 -05:00
nixawk 344b688ae5 remove ZoomEye_APIKEY, add (USERNAME / PASSWORD) 2016-10-20 22:48:01 -05:00
h00die 12e4fe1c5c updated dlls and docs 2016-10-20 20:45:50 -04:00
nixawk 097a273abb fix dork_search 2016-10-19 20:54:31 -05:00
nixawk 72b2ba2e88 replace [Net::HTTP] with [rex/proto/http] 2016-10-19 20:40:45 -05:00
nixawk a77f415893 remove unuseful condition 2016-10-19 20:05:12 -05:00
nixawk 9f3f0fd358 make [matches_records] simple 2016-10-19 19:59:02 -05:00
Brendan b5a41c3011 Convert ANSI data to UTF-8 char by char because MS might
put an invalid character in the WORKGROUP name during SMB
handshake
2016-10-19 17:42:26 -05:00
nixawk fcc22d9027 add module references info 2016-10-19 02:23:11 -05:00
William Vu 2668a4a1cd
Fix #6993, tnspoison_checker cleanup 2016-10-19 00:53:33 -05:00
nixawk 3630388e91 zoomeye search 2016-10-18 22:52:23 -05:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
OJ 25238f1a26
Update capcom exploit module to support Windows 10 2016-10-15 11:56:48 +10:00
William Webb 8e2ff8df80
Land #7433, Add IP Addresses to HTTP PUT/DELETE scanner output 2016-10-14 13:27:17 -05:00
William Webb 5e7d546fa2
Land #7094, OpenNMS Java Object Deserialization RCE Module 2016-10-14 13:19:11 -05:00
Brent Cook cfddc734a8
Land #7286, WiFi pineapple preconfig command injection module 2016-10-14 12:57:42 -05:00
Brent Cook e05a325786
Land #7285, WiFi pineapple command injection via authentication bypass 2016-10-14 12:57:05 -05:00
William Vu 1da40b5deb Change HAVE_POPEN to USE_POPEN
PS target doesn't support it, so the option should be renamed.
2016-10-14 11:58:39 -05:00
Brent Cook 4c248ebe9e Merge branch 'master' into land-7430- 2016-10-14 09:48:33 -05:00
Brent Cook acec45c8b3
Land #7409, CVE-2013-5093 Graphite Pickle Handling - Add Version Check 2016-10-14 08:54:57 -05:00
Brent Cook 9fbe1ddd9d
Land #7384, CVE-2016-6415 - Cisco IKE Information Disclosure 2016-10-14 08:41:34 -05:00
h00die 12493d5c06 moved c code to external sources 2016-10-13 20:37:03 -04:00
William Vu 5b46e72aea Update module logic 2016-10-13 17:40:16 -05:00
William Vu 6f4f2bfa5f Add PS target and remove MIFF 2016-10-13 17:39:55 -05:00
William Vu e70ba8110d Update references 2016-10-13 17:35:55 -05:00
William Vu 88bb2e2295 Update description 2016-10-13 17:35:30 -05:00
wchen-r7 9e97febcd1
Land #7429, Ruby on Rails Dynamic Render File Upload Remote Code Exec 2016-10-13 11:45:46 -05:00
nixawk b74539be44 check if isakmp payload is same to IKE Leak data 2016-10-13 04:20:23 -05:00
Brent Cook 2014b2d2ab
Land #7432, Fix erroneous cred reporting in SonicWALL exploit 2016-10-12 22:39:15 -05:00
Pearce Barry a2a1d6c28a
Land #7411, Add an HTA server module using Powershell 2016-10-12 13:05:40 -05:00
nixawk 7536d1d94a print leak data 2016-10-12 02:42:50 -05:00
nixawk 70d4833654 Fix report_vuln 2016-10-12 02:16:00 -05:00
William Vu e78d3d6bf0 Fix erroneous cred reporting in SonicWALL exploit
A session ID will be returned in the parsed JSON if the login succeeded.

Bad user:

{"noldapnouser"=>1, "loginfailed"=>1}

Bad password:

{"loginfailed"=>1}

Good user/password:

{"userid"=>"1", "sessionid"=>"4WJ9cNg1TkBrwjzX"}
2016-10-11 19:25:52 -05:00
Alton J 98d7b19ab9 Passed IP parameter to additional functions. 2016-10-11 15:09:50 -05:00
Alton J acff0fa9cf Added IP addresses to output. 2016-10-11 14:43:42 -05:00
Alton J f0ff4a0721 Added IP addresses to output. 2016-10-11 14:42:06 -05:00
Spencer McIntyre bd110430e9 Remove unnecessary require statements 2016-10-11 15:35:49 -04:00
mr_me bd646ded1b fixed the check function 2016-10-11 14:06:03 -05:00
Sonny Gonzalez 3fd806b87f Merge remote-tracking branch 'upstream/pr/6993' into land-6993 2016-10-11 09:33:26 -05:00
mr_me 95017cea0c Merge remote-tracking branch 'upstream/master' into rails 2016-10-11 08:31:33 -05:00
Brent Cook 157740ba06 update payload sizes 2016-10-11 07:01:17 -05:00
Tim 3d9cb7375c
store Android payload information in byte array 2016-10-11 14:41:32 +08:00
mr_me d8f98ccd4e run through msftidy 2016-10-10 22:36:20 -05:00
mr_me f2252bb179 fixed a few things, thanks @h00die 2016-10-10 22:30:01 -05:00
mr_me 3c3f424a4d added a some references 2016-10-10 17:56:03 -05:00
mr_me bca3aab1db added CVE-2016-0752 2016-10-10 17:36:20 -05:00
OJ e139a1ee8f
Land #7383: Rebase/Fix + SSL stager support for python 2016-10-10 13:06:09 +10:00
Pearce Barry 7b84e961ed
Minor output correction. 2016-10-09 19:01:06 -05:00
Pearce Barry d1a11f46e8
Land #7418, Linux recvmmsg Priv Esc (CVE-2014-0038) 2016-10-09 18:37:52 -05:00
h00die 2dfebe586e working cve-2014-0038 2016-10-08 23:58:09 -04:00
Brent Cook b77a910205
Land #7355, allwinner post to local exploit conversion 2016-10-08 21:38:54 -05:00
Brent Cook e074669406
Land #7296, Added a SCADA module for detecting Profinet devices, e.g. Siemens controllers 2016-10-08 21:34:40 -05:00
Brent Cook bd24e7eba0 more cleanups and print output on auto-run 2016-10-08 21:14:26 -05:00
Brent Cook 5284db6b58 module cleanup 2016-10-08 20:17:29 -05:00
Brent Cook 199bf8e726 cleanups and update to require 4.0 CLR by default 2016-10-08 15:24:13 -05:00
RageLtMan 44c5fc3250 Sync build_net_code post module upstream
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.

Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
wchen-r7 0e57808914 Update to class name MetasploitModule 2016-10-08 14:06:35 -05:00
RageLtMan f24bfe7d4e Import Powershell::exec_in_place
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
2016-10-08 14:06:35 -05:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
h00die 7c20f20493 remove unneeded bash 2016-10-07 21:12:27 -04:00
Spencer McIntyre bbdb58eb00 Add an HTA server module using powershell 2016-10-06 19:25:22 -04:00
funkypickle fb0a438fdf Perform a version check to determine exploitability for graphite pickle 2016-10-05 16:08:02 -07:00
William Vu e8c3a61e72
Land #7405, nil fix for ntp_protocol_fuzzer 2016-10-05 15:26:39 -05:00
“lvarela” 8749eaf097 Fix the default num to be 0 when not specified. 2016-10-05 14:52:43 -05:00
Jon Hart b95cc7bbbe
Set correct default options; fix usage on OS X
Fixes 7404
2016-10-05 09:51:31 -07:00
h00die 27cf5c65c4 working module 2016-10-04 23:21:53 -04:00
William Vu 63ed5624ff
Land #7395, Ninja Forms module update 2016-10-04 11:14:30 -05:00
William Vu f60d575d62 Add EOF newline back in 2016-10-04 11:14:15 -05:00
Brent Cook 705d15037a
Land #7396, Add Meterpreter API to list installed drivers 2016-10-04 07:17:10 -05:00
Tonimir Kisasondi 691a250d78 add reverse_tcp handler to fix bug in latest update
The payload was missing require 'msf/core/handler/reverse_tcp', latest update pulled with msfupdate broke the startup of the framework, where you got this kind of an error:

!master ~/4tools/metasploit-framework> msfconsole 
/home/tony/4tools/metasploit-framework/modules/payloads/singles/android/meterpreter_reverse_tcp.rb:28:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
	from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:71:in `on_module_load'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:182:in `load_module'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:237:in `block in load_modules'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:55:in `block (2 levels) in each_module_reference_name'
	from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:127:in `block in find'
	from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `catch'
	from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `find'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:46:in `block in each_module_reference_name'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `foreach'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `each_module_reference_name'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:236:in `load_modules'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:117:in `block in load_modules'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `each'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `load_modules'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `each'
	from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path'
	from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `block in init_module_paths'
	from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `each'
	from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
	from /home/tony/4tools/metasploit-framework/lib/msf/ui/console/driver.rb:204:in `initialize'
	from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
	from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
	from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
	from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
	from /home/tony/4tools/metasploit-framework/msfconsole:48:in `<main>'
2016-10-04 10:40:04 +02:00
OJ 3101564a0a
Enable support for windows 8 in the exploit 2016-10-04 16:27:33 +10:00
OJ a4efa77878
Support driver list, adjust capcom exploit
This commit adds MSF-side support for listing currently loaded drivers
on the machine that Meterpreter is running on. It doesn't add a UI-level
command at this point, as I didn't see the need for it. It is, however,
possible to enumerate drivers on the target using the client API.

Also, the capcom exploit is updated so that it no longer checks for the
existence of the capcom.sys file in a fixed location on disk. Instead,
it enumerates the currently loaded drivers using the new driver listing
function, and if found it checks to make sure the MD5 of the target file
is the same as the one that is expected. The has is used instead of file
version information because the capcom driver doesn't have any version
information in it.
2016-10-04 11:27:20 +10:00
wchen-r7 b1cb153c31 Make errors more meaningful 2016-10-03 15:29:40 -05:00
David Maloney 9853daeb4e
Land #7376, mysql_writable_dir module #2
some comits got missed here somehow
2016-10-03 10:42:37 -05:00
Stephen Haywood 2d361fabc6 No need to interpolate when using .to_s 2016-10-03 11:38:36 -04:00
David Maloney e13a9667c2
Land #7376, mysql_writable dirs mdoule
Lands avgsecurityguy's new mysql_writable_dirs module
2016-10-03 10:34:03 -05:00