Commit Graph

8155 Commits (5171e7edd27afcdf64bb1c49e4d0bd455d7b73a2)

Author SHA1 Message Date
Jon Hart 64019d3301
Land #9676, correcting CVE and adding disclosure date for memcached
amplification
2018-03-07 07:49:30 -08:00
Brent Cook f6223c0193
Land #9614, Juniper post enum module 2018-03-07 07:49:29 -08:00
Jon Hart 6909c635bc
Land #9644, @xistence's memcached stats amplification scanner 2018-03-05 15:29:20 -08:00
Brent Cook 2af4f56382
Land #9611, Fix bug causing all OWA logins to appear valid 2018-02-23 08:31:01 -08:00
Jacob Robles 178afdaed1
Land #9604, Fix logged errors when running without Python 3.6 / gmpy2 2018-02-22 08:27:37 -08:00
Brent Cook 826b986018
Land #9602, Create sessions with the Fortinet SSH backdoor scanner 2018-02-22 08:27:36 -08:00
Brent Cook 4e8fe54c6c
Land #9524, prefer 'shell' channels over 'exec' channels for ssh CommandStream 2018-02-22 08:27:36 -08:00
William Vu c1d701f656
Land #9593, finger_users regex fix 2018-02-22 08:27:35 -08:00
Brent Cook 8c2484d2da
Land #9164, add OWA 2016 support 2018-02-20 09:24:13 -06:00
Brent Cook d89a8c3eb9
Land #9571, specify a python encoding for the claymore DoS module 2018-02-16 15:34:49 -08:00
Brent Cook d2e71cfc8b
Land #9512, Add Claymore Dual GPU Miner<= 10.5 DoS module 2018-02-16 15:34:48 -08:00
Wei Chen 004e228a52
Land #9509, Ulterius Server < v1.9.5.0 Directory Traversal
Land #9509
2018-02-16 15:34:47 -08:00
Brent Cook e8ad3a98e9
Land #9558, Fix #9417, map timeout exp to a var for telnet_encrypt_overflow 2018-02-15 14:14:07 -08:00
Brent Cook 0cee8485d0
Land #9557, add back udp_probe for now 2018-02-14 11:26:59 -08:00
Spencer McIntyre bdc0b47844
Land #9552, add private_type for stored tomcat pw
Fixes #9513
2018-02-13 19:55:54 -08:00
Jacob Robles e485b152e3
Land #9542, Correct Typo 2018-02-13 14:46:06 -08:00
Brent Cook 32bd516e70
Land #9525, Update mysql_hashdump for MySQL 5.7 and above 2018-02-12 11:55:17 -06:00
Adam Cammack cd723ac86e Add scanner for Bleichenbacher oracle (ROBOT) 2018-02-09 11:14:30 -06:00
William Vu 6c350be24e
Land #9473, new MS17-010 aux and exploit modules 2018-02-02 11:32:40 -06:00
Brent Cook ce3d5d77e4
Land #9481, Update native DNS spoofer for Dnsruby 2018-02-02 11:32:18 -06:00
Brent Cook ec12d61702
Land #9354, Debut embedded httpd server (Brother printers) DoS 2018-02-02 11:31:59 -06:00
h00die b7fbffa331
Land #9445 fixes for ssl labs scanner module 2018-02-01 11:23:46 -06:00
Matthew Kienow b515a582f0
Land #9424, Add SharknAT&To external scanner 2018-01-24 17:20:03 -06:00
Pearce Barry 926ce42a01
Land #8632, colorado ftp fixes 2018-01-24 17:13:20 -06:00
Brent Cook d6beb94c59
Land #6611, add native DNS to Rex, MSF mixin, sample modules 2018-01-24 17:12:52 -06:00
Brent Cook bb73d2c07e
Land #9431, Fix owa_login to handle inserting credentials for a hostname 2018-01-24 17:12:39 -06:00
Brent Cook 47682e3f37
Land #9404, update module author 2018-01-24 17:12:34 -06:00
Wei Chen ab610f599b
Land #9442, Remove NoMethod Rescue for cerberus_sftp_enumusers
Land #9442
2018-01-24 17:12:25 -06:00
Wei Chen 10fafb62bb
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
Land #9436

Thanks Steve!
2018-01-24 17:12:16 -06:00
William Vu 736d438813 Address second round of feedback
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
William Vu 1a8eb7bf2a Update nis_ypserv_map after bootparam feedback
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
William Vu c080329ee6 Update module after feedback
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!
2018-01-13 15:40:11 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
William Vu 0c9f1d71d3 Add NIS bootparamd domain name disclosure 2018-01-12 19:34:53 -06:00
William Vu 4b225c30fd
Land #9368, ye olde NIS ypserv map dumper 2018-01-10 22:02:36 -06:00
William Vu f66b11f262 Nix an unneeded variable declaration 2018-01-10 20:24:02 -06:00
William Vu b66889ac86 Rescue additional errors and refactor code
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
William Vu 4a5a17a8e1 Add NIS ypserv map dumper 2018-01-08 14:27:53 -06:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Aaron Soto 7849155347
Land #9359, Improve DCE/RPC fault handling 2018-01-03 20:42:17 -06:00
Adam Cammack a98de2d9a3
Land #9358, Support password protected key files 2018-01-03 15:12:28 -06:00
bka-dev 086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
RageLtMan f2a8d68a1f Permit encrypted SSH keys for login scanner
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.

Testing:
  None yet
2017-12-31 02:53:06 -05:00
Jan-Frederik Rieckers 7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
Add error handling if request fails

Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
Jan-Frederik Rieckers 289e887895
Adding Module for Postfixadmin CVE-2017-5930
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
Brent Cook 8de760f1f7
Land #9348, Only use basic auth in couchdb_enum when credentials are provided 2017-12-28 21:24:45 -06:00
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
james fad4ccece9 Only use basic auth in couchdb_enum when credentials are provided 2017-12-27 20:16:01 -06:00
Jon Hart bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-27 13:08:44 -08:00
Tod Beardsley e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
These cover several of the CVEs mentioned in

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
Tod Beardsley 1bb2bb9d2c Oops, no admin in that path 2017-12-26 12:06:45 -06:00
Tod Beardsley 9af88681a2
Move deprecation out 60 days 2017-12-26 11:56:47 -06:00
juushya 038119d9df Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more 2017-12-23 00:14:27 +05:30
Tod Beardsley 5dfb5d581a
Switch get_cookies to get_cookies_parsed
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart 298cb16b1a
Set default USER/PASS files 2017-12-20 18:44:43 -08:00
Jon Hart b9af835d06
Style 2017-12-20 18:05:00 -08:00
Jon Hart d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
Jon Hart 495c649c7d
Better printing 2017-12-20 14:40:42 -08:00
Jon Hart ed5f177fcd
syntax 2017-12-20 14:20:08 -08:00
Jon Hart e66ec85677
Set default u/p 2017-12-20 14:18:33 -08:00
Jeffrey Martin 8cd7185a7f
Land #9313, Add DirectAdmin login_scanner module 2017-12-20 15:23:24 -06:00
Jeffrey Martin 7f8a5d3834
improved credential reporting 2017-12-20 15:09:11 -06:00
Jon Hart 14c779b945
Fix rubocop warning 2017-12-20 12:44:27 -08:00
Jon Hart c817df0bbc
Add module for bruteforcing authentication on MQTT endpoints 2017-12-20 12:30:21 -08:00
Jon Hart 7e91274796
Add module for connecting to/discovering MQTT endpoints 2017-12-20 12:29:50 -08:00
Brent Cook a8b845fff9
Land #9283, Add node.js ws websocket library DoS module 2017-12-20 14:20:42 -06:00
Brent Cook 9fb445fbf0
Land #9300, Add private data type to auxiliary scanner ftp_login and telnet_login 2017-12-20 00:30:43 -06:00
Tod Beardsley 216d00e39f
Use a random fname destination for /etc/passwd 2017-12-19 17:02:16 -06:00
Tod Beardsley e93282b71d
Drop calls to vprint_* 2017-12-19 16:53:02 -06:00
Tod Beardsley 2dc2ac134e
Don't default verbose 2017-12-19 16:48:41 -06:00
Jon Hart a2c5cc0ffb
Remove old deprecated modules 2017-12-19 07:56:16 -08:00
Nick Marcoccio acc6951bf3 fixed typo 2017-12-19 08:35:11 -05:00
Tod Beardsley f0df1750de
Land #9180
Land @RootUp's Samsung browser SOP module
2017-12-18 17:28:03 -06:00
Tod Beardsley 85350a9645
Add Rapid7 blog references 2017-12-18 17:11:47 -06:00
Tod Beardsley ae4edd65e1
Hard wrap descriptions 2017-12-18 17:03:13 -06:00
Tod Beardsley 27a324237b
Initial commit for Cambium issues from @juushya
Note, these will trigger a bunch of WARNING msftidy messages for setting
cookies directly. This is on purpose.
2017-12-18 16:32:55 -06:00
Jon Hart a33ed82a40
Land #9214, @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs 2017-12-18 12:22:26 -08:00
Nick Marcoccio 6d565b6c33 added author information 2017-12-18 09:18:36 -05:00
Nick Marcoccio f447fa1a12 Added DirectAdmin Login Utillity 2017-12-17 22:43:37 -05:00
RootUp 917dd8e846
Update samsung_browser_sop_bypass.rb 2017-12-16 22:10:02 +05:30
RootUp 8f91377acb
Update samsung_browser_sop_bypass.rb 2017-12-16 22:09:21 +05:30
Tod Beardsley 3b3b0e6e96
And this is why I hate using single quotes
Also, restored the store_cred call.

This will fix up RootUp/metasploit-framework#3 for PR #9180
2017-12-14 14:28:25 -06:00
jgor 0b3a5567a4 Add module for CVE-2017-13872 iamroot remote exploit via ARD (VNC) 2017-12-14 13:59:35 -06:00
nromsdahl 384b250659
Add credential data type
Added credential data type so that successful passwords are stored in the database and accessible via the creds command.
2017-12-14 08:07:59 -06:00
nromsdahl be4939b56a
Add credential data type
Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command.
2017-12-14 08:05:57 -06:00
William Vu 3cd287ddd6 Update the MS17-010 scanner to use dcerpc_getarch 2017-12-14 02:08:30 -06:00
h00die d7ad443be1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master 2017-12-13 19:33:05 -05:00
h00die c0a534140d
Land #9284 a regex dos for ua_parser_js npm module 2017-12-13 19:31:49 -05:00
Wei Chen deacebc46b
Land #9264, Add private type when storing SSH password
Land #9264
2017-12-13 18:24:31 -06:00
Tod Beardsley 5226181d6d
Better conditionals from @bcoles 2017-12-13 16:48:05 -06:00
Tod Beardsley 966060d470
Nits picked by @bcoles: commas, quotes, and <head> 2017-12-13 16:38:17 -06:00
Nicholas Starke dd5532c5de Addressing Formatting Issues
There were several formatting and layout issues
that are fixed in this commit.  Also changing
`RHOSTS` to `RHOST`.
2017-12-13 14:26:27 -06:00
Tod Beardsley 622050ddfc
Oops, leftover comment 2017-12-12 14:48:00 -06:00
Tod Beardsley efa46efb48
Actually save creds, or fail through sanely
This incidentally also allows for a custom collector to be implemented
by the user -- for example, if they'd rather pick up a session ID or
inject a browser hook or something along those lines. It's a little
clunky, using the advanced option of CUSTOM_JS, but it seems to work
fine.
2017-12-12 14:06:18 -06:00
RootUp 5f70199218
Update samsung_browser_sop_bypass.rb 2017-12-12 15:52:55 +05:30
Nicholas Starke 2d23054a1f Changes as per comments
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
2017-12-11 14:11:40 -06:00
Ryan Knell c5f218c84c Addressing comments
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value
2017-12-11 11:49:31 -05:00
Tod Beardsley cba5c7cb0f
Rename to actually call out the browser name 2017-12-08 13:53:13 -06:00