infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
44,128 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

10788 Commits (52f56527d80b1435c85d832f559d967417c6d007)

Author SHA1 Message Date
Brent Cook 840c0d5f56
Land #7808, add exploit for VMware VDP with known ssh private key (CVE-2016-7456) 2017-08-20 17:36:45 -05:00
Brent Cook 88f39d924b
Land #8816, added Jenkins v2 cookie support 2017-08-20 14:58:38 -05:00
Brent Cook 2eba188166
Land #8789, Add COM class ID hijack method for bypassing UAC 2017-08-20 13:57:17 -05:00
Brent Cook e8ab518d76
Land #8853, Revert passive stance for multi/handler 2017-08-19 22:04:26 -05:00
William Vu 66a4ea4f0b Revert passive stance for multi/handler 
It's gotten to be a bit annoying. ExitOnSession=false was good, but this
was too much. Typing run -j isn't difficult.
 2017-08-18 13:16:12 -05:00
William Vu d659cdc8f6 Convert quest_pmmasterd_bof to cmd_interact/find 2017-08-18 00:19:09 -05:00
Brendan Coles ac976eee8e Add author 2017-08-15 03:27:40 +00:00
Brent Cook b8f56d14e0
Land #8698, Add HEADERS to php_eval module 2017-08-14 09:54:22 -04:00
Brent Cook 26193216d1
Land #8686, add 'download' and simplified URI request methods to http client mixin 
Updated PDF author metadata downloader to support the new methods.
 2017-08-14 01:40:17 -04:00
Brent Cook 7d4561e0fd rename to download_log to avoid conflicting with the mixin 2017-08-14 01:10:37 -04:00
Brendan Coles 0a374b1a88 Add QNAP Transcode Server Command Execution exploit module 2017-08-13 09:13:56 +00:00
Tim 7881a7ddc4 git submodule command exec 2017-08-13 11:47:44 +08:00
thesubtlety 7e860571ae fix bug where api_token auth was being used without token being set 2017-08-09 12:30:26 -04:00
thesubtlety 9bb102d72d add jenkins v2 cookie support 2017-08-09 12:29:31 -04:00
Martin Pizala 2383afd8dc
Fix improved error handling 2017-08-04 23:42:44 +02:00
Brent Cook 7ce813ae6e
Land #8767, Add exploit module for CVE-2017-8464 
LNK Code Execution Vulnerability
 2017-08-03 17:10:16 -05:00
Brent Cook da3ca9eb90 update some documentation 2017-08-03 17:09:44 -05:00
Brent Cook ddd841c0a8 code style cleanup + add automatic targeting based on payload 2017-08-03 00:27:54 -05:00
Brent Cook b62429f6fa handle drive letters specified like E: nicely 2017-08-03 00:27:22 -05:00
Yorick Koster 46ec04dd15 Removed This PC ItemID & increased timeout in WaitForSingleObject 
Remove the This PC ItemID to bypass (some) AV.

Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
 2017-08-02 15:47:22 -05:00
Yorick Koster e51e1d9638 Added new DLL templates to prevent crashing of Explorer 2017-08-02 15:47:21 -05:00
Yorick Koster 3229320ba9 Code review feedback from @nixawk 2017-08-02 15:46:51 -05:00
Yorick Koster 565a3355be CVE-2017-8464 LNK Remote Code Execution Vulnerability 
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.

This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
 2017-08-02 15:46:30 -05:00
Martin Pizala b78cb12546
Ruby 2.2 support. See #8792 2017-08-02 18:06:48 +02:00
Brent Cook 6f97e45b35 enable Ruby 2.2 compat checks in Rubocop, correct multi/handler compat 2017-08-02 06:18:02 -05:00
OJ 54ded4300e
Land #8791 - Update Accuvant refs to point to Optiv 2017-08-02 13:26:52 +10:00
TC Johnson 8989d6dff2
Modified Accuvant bog posts to the new Optive urls 2017-08-02 13:25:17 +10:00
Brent Cook bb2304a2d1
Land #8769, improve style, compatibility, for ssh modules 2017-08-01 21:43:32 -05:00
Brent Cook 1d75a30936 update style for other ssh exploits 2017-08-01 16:05:25 -05:00
Brent Cook 8c9fb1d529 remove unneeded netssh checks in modules 2017-08-01 14:46:10 -05:00
Brent Cook 4395f194b1 fixup style warnings in f5 bigip privkey exploit 2017-08-01 14:45:05 -05:00
Brent Cook e61cccda0b
Land #8779, Adding error handler for ms17-010 exploit where SMBv1 is disabled 2017-08-01 14:00:12 -05:00
OJ 6ee5d83a15
Add the COM hijack method for bypassing UAC 2017-07-31 14:26:39 +10:00
Professor-plum 055d64d32b Fixed to modules as suggested from upstream 
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
 2017-07-30 10:14:05 -06:00
Martin Pizala 60c3882b84
Improved error handling 2017-07-30 09:07:52 +02:00
Professor-plum 99546330f1 Added PlugX Controller Stack Overflow Module 
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:
```
msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
 2017-07-29 10:36:42 -06:00
Professor-plum c336daec8d Added Gh0st Controller Buffer Overflow Module 
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution 

## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
 2017-07-29 10:21:05 -06:00
wchen-r7 c5021bf665 Land #8761, Add CVE-2017-7442: Nitro Pro PDF Reader JS API Code X 2017-07-28 17:02:59 -05:00
Martin Pizala 6a20e1ac7d
Add module Rancher Server - Docker Exploit 2017-07-28 08:04:21 +02:00
multiplex3r b2ecaa489d Rescue only RubySMB::Error::CommunicationError 2017-07-27 19:19:45 +10:00
multiplex3r f2091928ec Adding no SMBv1 error handler for ms17-010 exploit 2017-07-27 16:21:09 +10:00
Ricardo Almeida 4845b4b1fa
Orientdb 2.2.x RCE - Fix regular expression for version detection 2017-07-26 14:35:05 +01:00
Ricardo Almeida 30664924c8
Orientdb 2.2.x RCE - Reverted to send_request_raw due to issues exploiting windows boxes 2017-07-26 13:59:14 +01:00
Martin Pizala 853ae9a6ce
Add new reference 2017-07-26 02:16:56 +02:00
1cph93 9c930aad6e Add space after comma in f5_bigip_known_privkey module to coincide with Ruby style guide 2017-07-25 19:43:29 -04:00
Martin Pizala cd418559bc
Docker Daemon - Unprotected TCP Socket Exploit 2017-07-26 00:21:35 +02:00
Brent Cook 354869205a make exploit/multi/handler passive 
This gives exploit/multi/handler a makeover, updating to use more-or-less
standard Ruby, and removing any mystical hacks at the same time (like select
instead of sleep).

This also gives it a Passive stance, and sets ExitOnSession to be false by
default, which is the setting that people use 99% of the time anyway.
 2017-07-24 15:47:06 -07:00
mr_me bf4dce19fb I added the SSD advisory 2017-07-24 14:25:10 -07:00
mr_me b099196172 deregistered SSL, added the HTA dodgy try/catch feature 2017-07-24 10:28:03 -07:00
mr_me 17b28388e9 Added the advisory, opps 2017-07-24 10:09:21 -07:00
mr_me 14ca2ed325 Added a icon loading trick by Brendan 2017-07-24 10:06:20 -07:00
mr_me b2a002adc0 Brendan is an evil genius\! 2017-07-24 09:58:23 -07:00
mr_me cc8dc002e9 Added CVE-2017-7442 2017-07-24 08:21:59 -07:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
Brent Cook 80d18fae6a update example modules to have zero violations 2017-07-24 06:15:54 -07:00
Brent Cook 1d290d2491 resurrect one print_error/bad conversion for symmetry 2017-07-24 05:55:34 -07:00
Brent Cook 8db3f74b81 fix a broken link 2017-07-24 05:53:09 -07:00
Brent Cook 838b066abe Merge branch 'master' into land-8716 2017-07-24 05:51:44 -07:00
Ricardo Almeida 6c22f785e9
Orientdb 2.2.x RCE - Fine tune vulnerable version detection; removed redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get; 2017-07-24 09:52:47 +01:00
Brent Cook 7c55cdc1c8 fix some module documentation 
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
 2017-07-23 07:46:52 -07:00
g0tmi1k e710701416 Made msftidy.rb happy 
...untested with the set-cookie 'fix'
 2017-07-21 19:55:26 -07:00
Pearce Barry 6bb745744b
Land #8471, Add VICIdial user_authorization Unauthenticated Command Execution module 2017-07-21 15:57:08 -05:00
g0tmi1k 524373bb48 OCD - Removed un-needed full stop 2017-07-21 07:41:51 -07:00
g0tmi1k 772bec23a1 Fix various typos 2017-07-21 07:40:08 -07:00
M4P0 c187f709dc Update geutebrueck_gcore_x64_rce_bo.rb 
Review changes with msftidy.
 2017-07-21 11:37:12 +02:00
bwatters-r7 ffad0d1bbf
Land #8559, Ipfire oinkcode exec 2017-07-19 14:31:18 -05:00
bwatters-r7 116a838cb0 Version check update and stylistic fix 2017-07-19 13:26:40 -05:00
g0tmi1k 3f6925196b OCD - store_loot & print_good 2017-07-19 13:02:49 +01:00
g0tmi1k ef826b3f2c OCD - print_good & print_error 2017-07-19 12:48:52 +01:00
g0tmi1k 0f453c602e Even more print_status -> print_good 2017-07-19 11:46:39 +01:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k 3d4feffc62 OCD - Spaces & headings 2017-07-19 11:04:15 +01:00
Ricardo Almeida f3f96babb9
Orientdb 2.2.x RCE - Changed the java_craft_runtime_exec function; Tested the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success 2017-07-19 10:46:10 +01:00
g0tmi1k a008f8e795 BruteForce - > Brute Force 2017-07-19 10:39:58 +01:00
Ricardo Almeida 219987726f
Orientdb 2.2.x RCE - Changed the CmdStager flavor to VBS script 2017-07-18 17:18:14 +01:00
Ricardo Almeida 5ca523e2ce
Orientdb 2.2.x RCE - Add warning about windows 2017-07-18 17:11:54 +01:00
Ricardo Almeida af0a9c2f86
Orientdb 2.2.x RCE tidy stuff 2017-07-18 17:07:29 +01:00
Ricardo Almeida 99ba645034 Orientdb 2.2.x RCE 2017-07-18 16:53:44 +01:00
bwatters-r7 ba92d42b57 Updated version check per @bcoles 2017-07-17 15:52:50 -05:00
David Maloney 2a1c661c79
Land #8723, Razr Synapse local exploit 
lands ZeroSteiner's Razr Synapse local priv esc module
 2017-07-17 13:34:17 -05:00
Spencer McIntyre b4813ce2c7 Update the pre-exploit check conditions 2017-07-15 14:48:54 -04:00
Pearce Barry 9775df1f6e
Land #8586, Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit 2017-07-14 15:20:01 -05:00
David Maloney ee1c87b868
Land #8172, example modules 
lands several example modules
 2017-07-14 15:17:20 -05:00
David Maloney 8f6cac9c37
Land #8652, rpc console write exploit 
lands pr for the metasploit rpc console write exploit
 2017-07-14 14:47:35 -05:00
David Maloney 0fde6c6b42
Land #8650, igss9 launch path 
land pr to fix launch path in the igss9 exploit
 2017-07-14 14:39:38 -05:00
Spencer McIntyre 833b2a67d4 Fix the architecture check for only x64 2017-07-14 07:06:54 -04:00
g0tmi1k 4720d1a31e OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
g0tmi1k 9309115627 OCD - Banner clean up 2017-07-14 08:19:50 +01:00
g0tmi1k fd843f364b Removed extra lines 2017-07-14 08:17:16 +01:00
g0tmi1k 424522147e OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00
Spencer McIntyre 5470670223 Change the hook for windows 10 compatibility 2017-07-13 11:49:06 -04:00
James Barnett e43adf0223
Land #8710, explicitly use Rex::Encoder::XDR 
The previous use of XDR in these modules allowed for namespace collisions
with similar gems.
 2017-07-12 12:01:24 -05:00
Brent Cook 345407b0a4 Rex::Encoder::XDR conflicts with the XDR gem 2017-07-12 11:52:10 -05:00
Pearce Barry e69460a529
Land #8683, Remove duplicate setting of suhosin.simulation in php_cgi_arg_injection 2017-07-12 09:34:35 -05:00
Matt Robinson 55cbd9b6a9
Add headers to php_eval 2017-07-10 21:25:27 -04:00
Spencer McIntyre 53d5060fbd Add the LPE for CVE-2017-9769 2017-07-10 16:57:23 -04:00
David Maloney 2ee6df66cf
Land #8514, wmi persistence module 2017-07-10 09:53:55 -05:00
NickTyrer f4c739c190 check if running as system 2017-07-10 10:05:57 +01:00
Emanuel Bronshtein df024bb594 Remove duplicate setting of suhosin.simulation 2017-07-10 00:46:05 +03:00
Brendan Coles 8e2ff7a4c5 Add command stager and code cleanup 2017-07-07 16:54:56 -05:00
Brent Cook 3bda361544 add old hackingteam leak name 2017-07-07 00:52:11 -05:00
Brent Cook f4820d24fb add a few more AKA references 2017-07-06 22:43:46 -05:00
Brendan Coles baff473cae Add Metasploit RPC Console Command Execution module 2017-07-05 08:48:35 +00:00
syndrome5 45af651993 Fix issue generate/launch path 
Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\
PoC with windows/meterpreter/reverse_tcp
 2017-07-04 22:14:32 +02:00
Pearce Barry a2602bf514
Land #8600, Add GoAutoDial 3.3 RCE Command Injection / SQL injection module 2017-06-30 17:32:51 -05:00
Pearce Barry dd530a2953
Minor indentation tweaks. 2017-06-30 17:29:43 -05:00
NickTyrer 994f00622f tidy module output 2017-06-29 16:12:23 +01:00
William Vu 7e1b50ab3b
Land #8629, AKA (also known as) module reference 2017-06-28 19:15:45 -05:00
Brent Cook aa8c580aba updates 2017-06-28 20:14:38 -04:00
Brent Cook d20036e0fb revise spelling, add heartbleed and tidy checks 2017-06-28 18:50:20 -04:00
William Vu 43d8c4c5e7
Land #8519, Apache ActiveMQ file upload exploit 2017-06-28 17:19:39 -05:00
Brent Cook 461ab4501d add 'Also known as', AKA 'AKA', to module references 2017-06-28 15:53:00 -04:00
William Webb 6349026134
Land #8442, Exploit module for Backup Exec Windows Agent UaF 2017-06-28 10:39:28 -05:00
Mzack9999 66eb89e72a Exploit now uses HTTP mixin 2017-06-25 16:38:21 +02:00
NickTyrer bc8de0fc66 fixed issue where starting waitfor.exe would hang the module 2017-06-24 20:54:31 +01:00
NickTyrer aa18598580 updated cleanup method to remove_persistence to prevent creating rc file even if module fails 2017-06-24 19:20:02 +01:00
h00die f9493f46d7 bcole fixes 2017-06-24 14:06:11 -04:00
NickTyrer 655358cdf1 added missing newline in cleanup method 2017-06-23 17:58:11 +01:00
NickTyrer 916a4da182 fixed cleanup method to include all cleanup options 2017-06-23 17:38:48 +01:00
NickTyrer 412ea9432d removed whitespace 2017-06-23 17:17:07 +01:00
NickTyrer e7d6d5350f added WAITFOR persistence method 2017-06-23 17:05:39 +01:00
Mzack9999 a8865252da Added exploit documentation 2017-06-23 14:12:04 +02:00
dmohanty-r7 18410d8230
Land #8540, Add Symantec Messaging Gateway RCE 2017-06-22 19:00:32 -05:00
Brent Cook 4fdd77f19a
Land #8051, Add Netgear DGN2200v1/v2/v3/v4 Command Injection Module 2017-06-22 11:46:40 -05:00
Brent Cook a4e8cdfa6e msftidy fixes 2017-06-22 11:44:40 -05:00
Brent Cook 3b248c78f3 resurrect old example modules, integrate into module tree 2017-06-22 11:36:35 -05:00
William Webb 02e4edc4cb
Land #8579, Easy File Sharing HTTP Server 7.2 - Post Overflow exploit 2017-06-22 10:56:41 -05:00
Jin Qian b51fc0a34e
Land #8489, more httpClient modules use store_valid_credential 2017-06-21 17:18:34 -05:00
Jeffrey Martin 99fb905bbd
fix typo 2017-06-21 16:52:09 -05:00
NickTyrer 24404ae40f added heredoc to tidy formatting 
changed USER persistence method to EVENT to better describe technique
removed "auditpol.exe /set /subcategory:Logon /failure:Enable" command from subscription_event method to be more opsec safe
added CUSTOM_PS_COMMAND advanced option
updated description to reflect changes
 2017-06-21 18:15:13 +01:00
Pearce Barry 24d9bec0ae
Land #8260, OpManager Version Check 2017-06-20 17:58:10 -05:00
Pearce Barry 241786e71f
Update description with tested versions. 2017-06-20 15:32:08 -05:00
Pearce Barry 14f0409c6c
Missing regex '+', readding so we get full API key. 2017-06-20 15:28:15 -05:00
Pearce Barry b02719e795
Attempt to appease Travis... 2017-06-20 11:36:08 -05:00
Mzack9999 c7a55ef92f Added exploit documentation 2017-06-20 09:03:40 +02:00
Mzack9999 af4eb0fbe3 Corrected shellcode 2017-06-20 00:55:18 +02:00
Mzack9999 0b04dc0584 Correct EDB Number 2017-06-20 00:52:29 +02:00
Mzack9999 bc826cb824 Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-20 00:36:59 +02:00
Pearce Barry 58cd432120
Added docs, minor code tweak to remove duplication. 2017-06-19 17:35:41 -05:00
NickTyrer 681f9f37a6 updated check if powershell is available 2017-06-19 08:35:57 +01:00
NickTyrer 096469a8ec added PROCESS persistence method 2017-06-18 20:42:07 +01:00
L3cr0f 23831e6df9 Upload requested changes 2017-06-18 11:34:58 +02:00
mccurls 8c23769cbc Updated module to use an instance variable for using HTTP session tokens across functions. 2017-06-18 12:59:34 +10:00
Mzack9999 7fb36edd50 corrected msftidy warnings 2017-06-17 22:58:47 +02:00
Mzack9999 31a5cc94b2 Easy File Sharing HTTP Server 7.2 - Post Overflow exploit 2017-06-17 22:35:21 +02:00
mccurls 19ceb53304 Modified payload handling and uploaded documentation 2017-06-18 02:04:22 +10:00
NickTyrer 6096e373cc removed whitespace 2017-06-17 10:44:30 +01:00
NickTyrer 85173f36f7 moved exploit method moved to top 
added logon persistence option
fixed typo
cleaned up formatting
 2017-06-17 10:30:38 +01:00
mccurls 07051d1f00 Removed whitespace 2017-06-17 09:59:46 +10:00
mccurls 8eb59eac3f Stuffed up regex.. left some random $ characters floating around and have now removed them. 2017-06-17 08:03:09 +10:00
mccurls 6363a319d2 Fixed Typo 2017-06-17 07:32:17 +10:00
mccurls b34bf76fea Adding GoAutoDial RCE module 2017-06-17 07:22:41 +10:00
h00die e005e51f05 some edits finished 2017-06-16 06:48:31 -04:00
thesubtlety 49d998f7d9 catch invalid tokens 2017-06-15 21:45:29 -04:00
thesubtlety f4ffade406 add ability to specify API token instead of password 2017-06-15 21:05:53 -04:00
Pearce Barry 9d57197736
Land #8551, Update processmaker_exec module with workspace support 2017-06-15 17:12:35 -05:00
Tod Beardsley 49383f8f3a Update and fix grammar to the CryptoLog module 
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
 2017-06-15 13:00:44 -05:00
h00die 46ffd250a0 module working and docs 2017-06-14 21:15:56 -04:00
Mehmet Ince c147779097
Add CVE number to the symantec-messaging-gateway-exec module 2017-06-14 23:07:58 +03:00
h00die c35dffc648 first draft of oinkcode 2017-06-14 08:04:17 -04:00
James Lee 55f0edb732
Land #8491, fixes for service_persistence 2017-06-13 17:17:53 -05:00
Brendan Coles 0766f92013 Add option for workspace 2017-06-13 12:46:36 +00:00
Jeffrey Martin cbbb57d1a5
Land #8526, Refactor QNAP and airOS modules for creds 2017-06-12 14:46:11 -05:00
Mehmet Ince 6ae540d889
Adding Symantec messaging gateway rce 2017-06-10 12:23:12 +03:00
Stephen Shkardoon (ss23) a968a74ae0
Update ms17_010_eternalblue description and ranking. 
The module has been noted to cause crashes, reboots, BSOD, etc, on
some systems.
 2017-06-09 11:01:48 +12:00
Brent Cook aa00661fd0
Land #8518, update CVE references where modules report_vuln 2017-06-08 13:38:12 -05:00
William Vu 3e20296cf5 Add service_details for SSH 2017-06-08 13:28:29 -05:00
William Vu e22334343e Use store_valid_credential in my modules 
I used report_note because using the creds API was a pain in the ass.
 2017-06-08 00:57:51 -05:00
bwatters-r7 99fa52e660
Land #8434, Add Windows 10 Bypassuac fodhelper module 2017-06-07 11:15:01 -05:00
Anderson d641058f75 Added module to exploit ActiveMQ CVE-2016-3088 2017-06-06 11:33:42 -07:00
Brent Cook bac17a8e80
Land #8053, Add DC/OS Marathon UI Exploit 2017-06-06 09:29:26 -05:00
NickTyrer 09e4974b99 removed whitespace at end of lines 2017-06-06 14:44:37 +01:00
NickTyrer 1831056010 updated disclosure date 2017-06-06 14:32:19 +01:00
Jeffrey Martin 1558db375d
update CVE reference in where modules report_vuln 2017-06-05 16:36:44 -05:00
bwatters-r7 f47cc1a101 Rubocop readability changes 2017-06-05 14:32:45 -05:00
NickTyrer 994995671e added wmi_persistence module 2017-06-05 17:44:37 +01:00
L3cr0f 6a3fc618a4 Add bypassuac_injection_winsxs.rb module 2017-06-03 12:59:50 +02:00
Jeffrey Martin 2924318ca5
update java_rmi_server modules with CVE 2017-06-02 12:59:48 -05:00
Brendan Coles 218ec96009 Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module 2017-05-31 13:00:35 +00:00
h00die 361cc2dbeb fix newline issue and service call 2017-05-30 22:37:26 -04:00
h00die f98b40d038 adds check on service writing before running it 2017-05-30 22:14:49 -04:00
Jeffrey Martin 0e145573fc
more httpClient modules use store_valid_credential 2017-05-30 14:56:05 -05:00
David Maloney d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor 2017-05-30 13:59:31 -05:00
David Maloney a5f910ea63
move trans2 conditional to case statement 
this is cleaner as a case statement
 2017-05-30 13:52:29 -05:00
David Maloney b65c959347
limited port of the trans2 exploit packets 
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
 2017-05-30 13:49:27 -05:00
William Vu 72ff4fbf48 Reword warning message, since it didn't make sense 2017-05-30 13:13:08 -05:00
William Vu 890d35cc30 Fix warning placement to be more helpful 2017-05-30 13:06:23 -05:00
David Maloney e9ac3fce5a
update credential mode for EB exploit 
ExternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
 2017-05-30 10:55:28 -05:00
wolfthefallen 9c93aae412 Removed self.class from register 2017-05-30 10:07:07 -04:00
wolfthefallen bac23757a4 Updated based on busterb comments 2017-05-30 09:33:03 -04:00
Brent Cook beb1cef835 rescue connection failure for netbios, suggest how to fix it 2017-05-30 08:06:39 -05:00
Brent Cook ea6063138a
Land #8476, Implement VerifyArch for ETERNALBLUE 2017-05-30 00:31:32 -05:00
Brent Cook a01a2ead1a
Land #8467, Samba CVE-2017-7494 Improvements 2017-05-30 00:15:03 -05:00
Brent Cook 28fb5cc7da spelling 2017-05-30 00:14:33 -05:00
Brent Cook e31e3fc545 add additional architectures and targets 2017-05-30 00:07:37 -05:00
William Vu a781480e89 Add error handling to get_once 
And check for specific ack result/reason for 32-bit.
 2017-05-29 22:28:50 -05:00
William Vu 6e253a5be7 Use Rex::Proto::DCERPC::Response 2017-05-29 21:58:03 -05:00
William Vu 42b14a93b8 Add comments 2017-05-28 23:45:09 -05:00
William Vu 7a2944d113 Implement VerifyArch for ETERNALBLUE 2017-05-28 23:26:59 -05:00
HD Moore 66f06cd4e3 Fix small typos in comments 2017-05-28 14:40:33 -05:00
HD Moore 965915eb19 Fix typo, thanks! 2017-05-27 22:22:34 -05:00
HD Moore 38491fd7ba Rename payloads with os+libc, shrink array inits 2017-05-27 19:50:31 -05:00
HD Moore f9ecdf2b4d Add some bonus archs for interact mode 2017-05-27 17:26:50 -05:00
HD Moore 41253ab32b Make msftidy happy 2017-05-27 17:17:20 -05:00
HD Moore 184c8f50f1 Rework the Samba exploit & payload model to be magic. 2017-05-27 17:03:01 -05:00
Brendan Coles 018e544295 Add VICIdial user_authorization Unauthenticated Command Execution module 2017-05-27 05:09:38 +00:00
HD Moore 78d649232b Remove obsolete module options 2017-05-26 21:21:05 -05:00
HD Moore 123a03fd21 Detect server-side path, work on Samba 3.x and 4.x 2017-05-26 17:02:18 -05:00
David Maloney ee5f37d2f7
remove nt trans raw sock op 
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
 2017-05-26 15:50:18 -05:00
William Webb d4ba28a20b
Land #8457, Update multi/fileformat/office_word_macro to allow custom templates 2017-05-26 15:09:23 -05:00
David Maloney f0f99ad479
nttrans packet setup correctly,everything broken 
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
 2017-05-26 14:54:46 -05:00
wchen-r7 162a660d45 Remove the old windows/fileformat/office_word_macro 
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.

If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
 2017-05-26 07:33:46 -05:00
wchen-r7 04a701dba5 Check template file extension name 2017-05-26 07:31:34 -05:00
HD Moore 072ab7291c Add /tank (from ryan-c) to search path 2017-05-26 06:56:41 -05:00
wchen-r7 2835c165d7 Land #8390, Add module to execute powershell on Octopus Deploy server 2017-05-25 17:33:07 -05:00
wchen-r7 330526af72 Update check method 2017-05-25 17:30:58 -05:00
William Vu ae22b4ccf4
Land #8450, Samba is_known_pipename() exploit 2017-05-25 16:36:28 -05:00
HD Moore 1474faf909 Remove ARMLE for now, will re-PR once functional 2017-05-25 16:14:35 -05:00
HD Moore 2ad386948f Small cosmetic typo 2017-05-25 16:10:37 -05:00
HD Moore 18a871d6a4 Delete the .so, add PID bruteforce option, cleanup 2017-05-25 16:03:14 -05:00
wchen-r7 ee13195760 Update office_word_macro exploit to support template injection 2017-05-25 15:53:45 -05:00
David Maloney 0b0e2f64ca
update SMB1 "Freehole" packet 
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
 2017-05-25 13:43:16 -05:00
nks 1a8961b5e3 fied typo 2017-05-25 19:14:59 +02:00
David Maloney bc8ad811aa
remove old anonymous login packet 
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
 2017-05-25 10:49:42 -05:00
David Maloney 238052a18b
use RubySMB client echo 
replaced the manually created echo packet
with the RubySMB client echo command
 2017-05-25 10:47:14 -05:00
HD Moore cf7cfa9b2c Add check() implementation based on bcoles notes 2017-05-25 09:49:45 -05:00
HD Moore 0520d7cf76 First crack at Samba CVE-2017-7494 2017-05-24 19:42:04 -05:00
David Maloney 4ffe666b52
improve the cred fallback 
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
 2017-05-24 17:36:07 -05:00
David Maloney 4c02b7b13a
added credentialed fallback 
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
 2017-05-24 16:09:51 -05:00
David Maloney dc67fcd5a8
use RubySMB for anonymous login 
use the new anonymous login capabilities in
RubySMB
 2017-05-24 15:40:05 -05:00
William Vu e4ea618edf
Land #8419, ETERNALBLUE fixes (round two) 
Hope I resolved the conflicts correctly.
 2017-05-23 17:03:21 -05:00
William Vu 46eb6bdf62
Land #8399, ETERNALBLUE fixes (round one) 2017-05-23 16:51:19 -05:00
William Vu f80c3aa3f4 Correct absolute path 2017-05-23 16:50:25 -05:00
Matthew Daley 52363aec13 Add module for CVE-2017-8895, UAF in Backup Exec Windows agent 
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.

Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
 2017-05-24 00:18:20 +12:00
Jeffrey Martin b7b1995238
Land #8274, Wordpress admin upload `check` 2017-05-22 22:08:32 -05:00
Jeffrey Martin d69bfd509f
store the credential using the new store_valid_credential 2017-05-22 15:08:03 -05:00
amaloteaux 93bb47d546 msftidy fix 2017-05-22 19:27:15 +01:00
amaloteaux 092e7b96b8 typo 2017-05-22 17:27:50 +01:00
amaloteaux 74c08cebee Add bypassuac fodhelper module for Windows 10 2017-05-22 17:25:17 +01:00
William Webb 467f1ce0ca
Land #8411, Buffer overflow in VXSearch Enterprise v9.5.12 2017-05-22 07:37:31 -05:00
Christian Mehlmauer b5caeb29dd
only support for 32bit so far 2017-05-22 12:30:52 +02:00
HD Moore 036f063988 Fix a stack trace when no SMB response is received 2017-05-19 16:24:41 -05:00
lincoln b76229b5f7 removed unessessary line 2017-05-18 19:15:49 -07:00
lincoln 7ca0fe5a68 Added make_junk function 2017-05-18 19:06:09 -07:00
James Lee 4def7ce6cc
Land #8327, Simplify storing credentials 2017-05-18 16:49:01 -05:00
Daniel Teixeira c1624d0967 VX Search Enterprise GET Buffer Overflow 2017-05-18 17:12:47 +01:00
zerosum0x0 bdf121e1c0 x86 kernels will safely ret instead of BSOD 2017-05-17 23:48:14 -06:00
zerosum0x0 d944bdfab0 expect 0xC00000D 2017-05-17 23:05:20 -06:00
zerosum0x0 646ca14375 basic OS verification, ghetto socket read code 2017-05-17 22:48:45 -06:00
wchen-r7 c0bf2cc6e7 Land #8401, Buffer Overflow on Sync Breeze Enterprise 9.4.28 2017-05-17 23:39:50 -05:00