Commit Graph

914 Commits (52d41c83091f68c99213368f164a17e31b958038)

Author SHA1 Message Date
Tod Beardsley 62a679ebb8
Avoid version numbers in titles
Usually, the versions are more of a range, and nearly always, the module
author never truly knows where the ranges are bounded. It's okay to
clarify in the description.
2015-02-17 10:26:40 -06:00
rastating 40c92f5fe3 Add URL reference 2015-02-14 13:09:37 +00:00
rastating 4dce589bbe Add WordPress Holding Pattern file upload module 2015-02-14 12:54:03 +00:00
Christian Mehlmauer 55f57e0b9b
Land #4746, WordPress photo-gallery exploit 2015-02-12 22:24:12 +01:00
Christian Mehlmauer bce7211f86
added url and randomize upload directory 2015-02-12 22:16:37 +01:00
jvazquez-r7 155651e187 Make filename shorter 2015-02-12 11:45:51 -06:00
jvazquez-r7 95bfe7a7de Do minor cleanup 2015-02-12 11:45:51 -06:00
rastating 30f310321d Added CVE reference 2015-02-12 11:45:51 -06:00
rastating 38ad960640 Add Maarch LetterBox file upload module 2015-02-12 11:45:51 -06:00
rastating cb1efa3edd Improved error handling, tidied up some code 2015-02-11 10:16:18 +00:00
rastating 80a086d5f6 Add WordPress Photo Gallery upload module 2015-02-11 01:03:51 +00:00
Christian Mehlmauer 6d46182c2f
Land #4570, @rastating 's module for wp-easycart 2015-02-07 23:42:23 +01:00
Christian Mehlmauer f2b834cebe
remove check because the vuln is unpatched 2015-02-07 23:38:44 +01:00
Christian Mehlmauer d2421a2d75
wrong version 2015-02-07 23:34:19 +01:00
Christian Mehlmauer 56d2bc5adb
correct version number 2015-02-07 23:22:43 +01:00
rastating 345d5c5c08 Update version numbers to reflect latest release 2015-02-07 19:09:16 +00:00
jvazquez-r7 1ea4a326c1
Land #4656, @nanomebia's fixes for sugarcrm_unserialize_exec 2015-02-06 16:42:01 -06:00
jvazquez-r7 e511f72ab4 Delete final check
* A session is the best proof of success
2015-02-06 16:34:34 -06:00
Tod Beardsley c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 12:36:47 -06:00
jvazquez-r7 c0e1440572
Land #4685, @FireFart's module for Wordpress Platform Theme RCE 2015-02-03 17:35:59 -06:00
jvazquez-r7 28f303d431 Decrease timeout 2015-02-03 17:33:29 -06:00
jvazquez-r7 a1c157a4db
Land #4609, @h0ng10's module for Wordpress Pixabay Images PHP Code Upload 2015-02-03 17:01:32 -06:00
jvazquez-r7 eebee7c066 Do better session creation handling 2015-02-03 17:00:37 -06:00
jvazquez-r7 4ca4fd1be2 Allow to provide the traversal depth 2015-02-03 16:38:40 -06:00
jvazquez-r7 e62a5a4fff Make the calling payload code easier 2015-02-03 16:23:04 -06:00
jvazquez-r7 61cdb5dfc9 Change filename 2015-02-03 16:13:10 -06:00
jvazquez-r7 82be43ea58 Do minor cleanup 2015-02-03 16:07:27 -06:00
Christian Mehlmauer 2c956c0a0f
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00
Nanomebia d04fd3b978 Fixing Indentation
Small indentation fix
2015-01-29 13:03:19 +08:00
Nanomebia af90c6482b Sanity Changes
Reverted failure behaviour on line 70
Removed a space that prevented line 98 from working as intended
2015-01-28 18:40:43 +08:00
Nanomebia 27c412341f Syntax Changes
Cleaned up this statement a tiny bit
2015-01-28 18:34:19 +08:00
Nanomebia fc3094ec9b Syntax changes
Fixed some more syntax - failures
2015-01-28 18:30:21 +08:00
Nanomebia 321eb452c5 Syntax Fixes
Fixed some or's to || - and's to &&.
Fixed failure if statement (fails using fail_with())
Fixed nested else (now and elsif)
Changed final execute logic - checks for success rather than failure.
2015-01-28 18:08:15 +08:00
Nanomebia fefc3d088c Cookie fix and success display
Added handling for if the server doesn't correctly assign a cookie using
Set-Cookie by changing the regex and doing an additional check.  Also
fixed the success display -  changed the if statement to match others in
this module and fixed the text output based on server response.
2015-01-28 17:11:05 +08:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
Hans-Martin Münch (h0ng10) 419fa93897 Add OSVDB and WPScan references 2015-01-23 09:27:42 +01:00
Hans-Martin Münch (h0ng10) dfbbc79e0d make retries a datastore option 2015-01-23 09:23:09 +01:00
Hans-Martin Münch (h0ng10) 11bf58e548 Use metasploit methods 2015-01-23 08:48:52 +01:00
rastating 9d3397901b Correct version numbers and code tidy up 2015-01-19 20:59:46 +00:00
Hans-Martin Münch (h0ng10) 5813c639d1 Initial commit 2015-01-19 17:23:48 +01:00
rastating 8a89b3be28 Cleanup of various bits of code 2015-01-13 22:20:40 +00:00
rastating 8246f4e0bb Add ability to use both WP and EC attack vectors 2015-01-12 23:30:59 +00:00
rastating e6f6acece9 Add a date hash to the post data 2015-01-12 21:21:50 +00:00
rastating ea37e2e198 Add WP EasyCart file upload exploit module 2015-01-10 21:05:02 +00:00
Christian Mehlmauer d4d1a53533
fix invalid url 2015-01-09 21:57:52 +01:00
rastating 82e6183136 Add Msf::Exploit::FileDropper mixin 2015-01-08 21:07:00 +00:00
rastating 93dc90d9d3 Tidied up some code with existing mixins 2015-01-08 20:53:56 +00:00
rastating 7b92c6c2df Add WP Symposium Shell Upload module 2015-01-07 22:02:39 +00:00
sinn3r 44dfa746eb Resolve #4513 - Change #inspect to #to_s
Resolve #4513
2015-01-05 11:50:51 -06:00
jvazquez-r7 b5b0be9001 Do minor cleanup 2014-12-26 11:24:02 -06:00
Brendan Coles 5c82b8a827 Add ProjectSend Arbitrary File Upload module 2014-12-23 10:53:03 +00:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart 025c0771f8
Have exploit call check. Have check report_vuln 2014-12-15 09:53:11 -08:00
Jon Hart f521e7d234
Use newer Ruby hash syntax 2014-12-15 09:17:32 -08:00
Jon Hart c93dc04a52
Resolve address before storing the working cred 2014-12-15 09:11:12 -08:00
Jon Hart 5ca8f187b3 Merge remote-tracking branch 'upstream/pr/4328' into temp 2014-12-15 08:15:51 -08:00
Brendan Coles 4530066187 return nil 2014-12-15 01:04:39 +11:00
Brendan Coles 55d9e9cff6 Use list of potential analytics hosts 2014-12-14 23:15:41 +11:00
jvazquez-r7 008c33ff51 Fix description 2014-12-12 13:36:28 -06:00
Tod Beardsley 81460198b0 Add openssl payload to distcc exploit
This is required to test #4274
2014-12-12 13:25:55 -06:00
jvazquez-r7 b334e7e0c6
Land #4322, @FireFart's wordpress exploit for download-manager plugin 2014-12-12 12:41:59 -06:00
jvazquez-r7 aaed7fe957 Make the timeout for the calling payload request lower 2014-12-12 12:41:06 -06:00
Jon Hart 00f66b6050
Correct named captures 2014-12-12 10:22:14 -08:00
jvazquez-r7 98dca6161c Delete unused variable 2014-12-12 12:03:32 -06:00
jvazquez-r7 810bf598b1 Use fail_with 2014-12-12 12:03:12 -06:00
Jon Hart 1e6bbc5be8
Use blank? 2014-12-12 09:51:08 -08:00
jvazquez-r7 4f3ac430aa
Land #4341, @EgiX's module for tuleap PHP Unserialize CVE-2014-8791 2014-12-12 11:48:25 -06:00
jvazquez-r7 64f529dcb0 Modify default timeout for the exploiting request 2014-12-12 11:47:49 -06:00
Jon Hart 24f1b916e0 Minor ruby style cleanup 2014-12-12 09:47:35 -08:00
Jon Hart 1d1aa5838f Use Gem::Version to compare versions in check 2014-12-12 09:47:01 -08:00
jvazquez-r7 d01a07b1c7 Add requirement to description 2014-12-12 11:42:45 -06:00
jvazquez-r7 fd09b5c2f6 Fix title 2014-12-12 10:52:18 -06:00
jvazquez-r7 4871228816 Do minor cleanup 2014-12-12 10:52:06 -06:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
Marc Wickenden 245b76477e Fix issue with execution of perl due to gsub not matching across newlines 2014-12-10 21:38:04 +00:00
EgiX 700ccc71e7 Create tuleap_unserialize_exec.rb 2014-12-09 10:15:46 +01:00
Brendan Coles 42744e5650 Add actualanalyzer_ant_cookie_exec exploit 2014-12-06 19:09:20 +00:00
Christian Mehlmauer 5ea062bb9c
fix bug 2014-12-05 11:30:45 +01:00
Christian Mehlmauer 55b8d6720d
add wordpress download-manager exploit 2014-12-05 11:17:54 +01:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Tod Beardsley 51b96cb85b
Cosmetic title/desc updates 2014-11-03 13:37:45 -06:00
sinn3r b7a1722b46 Pass msftidy, more descriptive name and description 2014-10-30 22:14:18 -05:00
Deral Heiland 64a59e805c Fix a simple typo 2014-10-29 12:40:24 -04:00
Deral Heiland 1bf1be0e46 Updated to module based feedback from wchen-r7 2014-10-29 11:42:07 -04:00
Deral Heiland 9021e4dae6 Xerox Workcentre firmware injection exploit 2014-10-28 11:15:43 -04:00
jvazquez-r7 c77a0984bd
Land #3989, @us3r777's exploit for CVE-2014-7228, Joomla Update unserialize
the commit.
 empty message aborts
2014-10-20 13:39:08 -05:00
jvazquez-r7 4e6f61766d Change module filename 2014-10-20 13:31:22 -05:00
jvazquez-r7 e202bc10f0 Fix title 2014-10-20 13:30:44 -05:00
jvazquez-r7 f07c5de711 Do code cleanup 2014-10-20 13:27:48 -05:00
jvazquez-r7 052a9fec86 Delete return 2014-10-20 10:52:33 -05:00
jvazquez-r7 199f6eba76 Fix check method 2014-10-20 10:46:40 -05:00
us3r777 16101612a4 Some changes to use primer
Follow wiki How-to-write-a-module-using-HttpServer-and-HttpClient
2014-10-20 17:26:16 +02:00
us3r777 1e143fa300 Removed unused variables 2014-10-20 16:58:41 +02:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley b1223165d4
Trivial grammar fixes 2014-10-14 12:00:50 -05:00
us3r777 444b01c4b0 Typo + shorten php serialized object 2014-10-12 21:29:04 +02:00
us3r777 2428688565 CVE-2014-7228 Joomla/Akeeba Kickstart RCE
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
Christian Mehlmauer 1584c4781c Add reference 2014-10-09 06:58:15 +02:00
jvazquez-r7 4f96d88a2f
Land #3949, @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload 2014-10-08 16:35:49 -05:00
jvazquez-r7 66a8e7481b Fix description 2014-10-08 16:35:14 -05:00
jvazquez-r7 8ba8402be3 Update timeout 2014-10-08 16:32:05 -05:00
jvazquez-r7 bbf180997a Do minor cleanup 2014-10-08 16:29:11 -05:00
us3r777 03888bc97b Change the check function
Use regex based detection
2014-10-06 18:56:01 +02:00
us3r777 29111c516c Wordpress Infusionsoft Gravity Forms CVE-2014-6446
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
Christian Mehlmauer f45b89503d change WPVULNDBID to WPVDB 2014-10-03 17:13:18 +02:00
Christian Mehlmauer 33b37727c7 Added wpvulndb links 2014-10-02 23:03:31 +02:00
William Vu df44dfb01a
Add OSVDB and EDB references to Shellshock modules 2014-09-29 21:39:07 -05:00
jvazquez-r7 6e2d297e0c Credit the original vuln discoverer 2014-09-26 13:45:09 -05:00
jvazquez-r7 a4bc17ef89 deregister options needed for exploitation 2014-09-26 10:15:46 -05:00
jvazquez-r7 54e6763990 Add injection to HOSTNAME and URL 2014-09-26 10:13:24 -05:00
James Lee 86f85a356d
Add DHCP server module for CVE-2014-6271 2014-09-26 01:24:42 -05:00
jvazquez-r7 9acccfe9ba Fix description 2014-09-19 17:18:59 -05:00
jvazquez-r7 d826132f87 Delete CVE, add EDB 2014-09-19 17:16:03 -05:00
jvazquez-r7 7afbec9d6c
Land #2890, @Ahmed-Elhady-Mohamed module for OSVDB 93034 2014-09-19 17:12:49 -05:00
jvazquez-r7 1fa5c8c00c Add check method 2014-09-19 17:11:16 -05:00
jvazquez-r7 ce0b00bb0b Change module location and filename 2014-09-19 16:59:35 -05:00
sinn3r c73ec66c7a
Land #3659 - Add HybridAuth install.php PHP Code Execution 2014-08-19 17:19:01 -05:00
Brendan Coles 564431fd41 Use arrays in refs for consistency 2014-08-18 18:54:54 +00:00
Tod Beardsley cad281494f
Minor caps, grammar, desc fixes 2014-08-18 13:35:34 -05:00
Brendan Coles b8b2e3edff Add HybridAuth install.php PHP Code Execution module 2014-08-16 23:31:46 +00:00
Emilio Pinna 4ff73a1467 Add version build check 2014-08-13 09:53:43 +02:00
Emilio Pinna 3440f82b2e Minor description adjustment 2014-08-12 22:18:59 +02:00
Emilio Pinna 9e38ffb797 Add the check for the manual payload setting 2014-08-12 21:55:42 +02:00
Emilio Pinna 5b6be55c50 Fix (properly) 'execute_command()' missing 'opts' parameter 2014-08-12 19:49:27 +02:00
Emilio Pinna 3af17ffad0 Fixed 'execute_command()' missing 'opts' parameter 2014-08-12 19:24:24 +02:00
Emilio Pinna f71589f534 Simplify payload upload using 'CmdStager' mixin 2014-08-12 10:49:17 +02:00
Emilio Pinna cc5770558d Remove local payload saving used for debugging 2014-08-11 19:16:14 +02:00
Emilio Pinna 4790b18424 Use FileDropper mixin to delete uploaded file 2014-08-11 19:02:09 +02:00
Emilio Pinna ac526ca9bd Fix print_* to vprint_* in check method 2014-08-11 18:58:11 +02:00
Emilio Pinna 4b4b24b79d Fix errors printing 2014-08-11 18:54:43 +02:00
Emilio Pinna c97cd75beb Rephrase 'Author' section 2014-08-11 18:52:21 +02:00
Emilio Pinna 0138f3648d Add VMTurbo Operations Manager 'vmtadmin.cgi' Remote Command Execution module. 2014-08-11 16:57:39 +02:00
jvazquez-r7 a79eec84ac
Land #3584, @FireFart's update for wp_asset_manager_upload_exec 2014-07-30 10:28:51 -05:00
jvazquez-r7 9de8297848 Use [] for References 2014-07-30 10:28:00 -05:00
jvazquez-r7 58fbb0b421 Use [] for References 2014-07-30 10:24:14 -05:00
Christian Mehlmauer 75057b5df3
Fixed variable 2014-07-29 21:02:15 +02:00
Christian Mehlmauer cc3285fa57
Updated checkcode 2014-07-29 20:53:54 +02:00
Christian Mehlmauer 61ab88b2c5
Updated wp_asset_manager_upload_exec module 2014-07-29 20:53:18 +02:00
Christian Mehlmauer e438c140ab
Updated wp_property_upload_exec module 2014-07-29 20:34:34 +02:00
Christian Mehlmauer 621e85a32d
Correct version 2014-07-28 22:45:04 +02:00
Christian Mehlmauer d334797116
Updated foxpress module 2014-07-28 22:23:22 +02:00
jvazquez-r7 79fe342688
Land #3558, @FireFart's improvements to wordpress mixin 2014-07-28 09:52:20 -05:00
Christian Mehlmauer a6479a77d6
Implented feedback from @jhart-r7 2014-07-22 19:49:58 +02:00
Christian Mehlmauer baff003ecc
extracted check version to module
also added some wordpress specs and applied
rubocop
2014-07-22 17:02:35 +02:00
sinn3r 6048f21875
Land #3552 - Correct DbVisualizer title name 2014-07-21 13:07:33 -05:00
Tod Beardsley a41768fd7d
Correct DbVisualizer title name
I think "DbVis Software" is the name of the company and the product
itself is called DbVisualizer.

Also fixed the description on the WPTouch module.
2014-07-21 12:35:01 -05:00
Christian Mehlmauer a809c9e0b5
Changed to vprint and added comment 2014-07-18 22:15:56 +02:00
Christian Mehlmauer c6e129c622
Fix rubocop warnings 2014-07-18 21:58:33 +02:00
William Vu ff6c8bd5de
Land #3479, broken sock.get fix 2014-07-16 14:57:32 -05:00
Christian Mehlmauer c1f612b82a
Use vprint_ instead of print_ 2014-07-15 06:58:33 +02:00