14ca2ed325
Added a icon loading trick by Brendan
2017-07-24 10:06:20 -07:00
b2a002adc0
Brendan is an evil genius\!
2017-07-24 09:58:23 -07:00
cc8dc002e9
Added CVE-2017-7442
2017-07-24 08:21:59 -07:00
6300758c46
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
80d18fae6a
update example modules to have zero violations
2017-07-24 06:15:54 -07:00
1d290d2491
resurrect one print_error/bad conversion for symmetry
2017-07-24 05:55:34 -07:00
8db3f74b81
fix a broken link
2017-07-24 05:53:09 -07:00
838b066abe
Merge branch 'master' into land-8716
2017-07-24 05:51:44 -07:00
6c22f785e9
Orientdb 2.2.x RCE - Fine tune vulnerable version detection; removed redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get;
2017-07-24 09:52:47 +01:00
7c55cdc1c8
fix some module documentation
...
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
2017-07-23 07:46:52 -07:00
e710701416
Made msftidy.rb happy
...
...untested with the set-cookie 'fix'
2017-07-21 19:55:26 -07:00
6bb745744b
Land #8471 , Add VICIdial user_authorization Unauthenticated Command Execution module
2017-07-21 15:57:08 -05:00
524373bb48
OCD - Removed un-needed full stop
2017-07-21 07:41:51 -07:00
772bec23a1
Fix various typos
2017-07-21 07:40:08 -07:00
c187f709dc
Update geutebrueck_gcore_x64_rce_bo.rb
...
Review changes with msftidy.
2017-07-21 11:37:12 +02:00
ffad0d1bbf
Land #8559 , Ipfire oinkcode exec
2017-07-19 14:31:18 -05:00
116a838cb0
Version check update and stylistic fix
2017-07-19 13:26:40 -05:00
3f6925196b
OCD - store_loot & print_good
2017-07-19 13:02:49 +01:00
ef826b3f2c
OCD - print_good & print_error
2017-07-19 12:48:52 +01:00
0f453c602e
Even more print_status -> print_good
2017-07-19 11:46:39 +01:00
b8d80d87f1
Remove last newline after class - Make @wvu-r7 happy
2017-07-19 11:19:49 +01:00
3d4feffc62
OCD - Spaces & headings
2017-07-19 11:04:15 +01:00
f3f96babb9
Orientdb 2.2.x RCE - Changed the java_craft_runtime_exec function; Tested the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success
2017-07-19 10:46:10 +01:00
a008f8e795
BruteForce - > Brute Force
2017-07-19 10:39:58 +01:00
219987726f
Orientdb 2.2.x RCE - Changed the CmdStager flavor to VBS script
2017-07-18 17:18:14 +01:00
5ca523e2ce
Orientdb 2.2.x RCE - Add warning about windows
2017-07-18 17:11:54 +01:00
af0a9c2f86
Orientdb 2.2.x RCE tidy stuff
2017-07-18 17:07:29 +01:00
99ba645034
Orientdb 2.2.x RCE
2017-07-18 16:53:44 +01:00
ba92d42b57
Updated version check per @bcoles
2017-07-17 15:52:50 -05:00
2a1c661c79
Land #8723 , Razr Synapse local exploit
...
lands ZeroSteiner's Razr Synapse local priv esc module
2017-07-17 13:34:17 -05:00
b4813ce2c7
Update the pre-exploit check conditions
2017-07-15 14:48:54 -04:00
9775df1f6e
Land #8586 , Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit
2017-07-14 15:20:01 -05:00
ee1c87b868
Land #8172 , example modules
...
lands several example modules
2017-07-14 15:17:20 -05:00
8f6cac9c37
Land #8652 , rpc console write exploit
...
lands pr for the metasploit rpc console write exploit
2017-07-14 14:47:35 -05:00
0fde6c6b42
Land #8650 , igss9 launch path
...
land pr to fix launch path in the igss9 exploit
2017-07-14 14:39:38 -05:00
833b2a67d4
Fix the architecture check for only x64
2017-07-14 07:06:54 -04:00
4720d1a31e
OCD fixes - Spaces
2017-07-14 08:46:59 +01:00
9309115627
OCD - Banner clean up
2017-07-14 08:19:50 +01:00
fd843f364b
Removed extra lines
2017-07-14 08:17:16 +01:00
424522147e
OCD fixes - Start of *.rb files
2017-07-13 23:53:59 +01:00
5470670223
Change the hook for windows 10 compatibility
2017-07-13 11:49:06 -04:00
e43adf0223
Land #8710 , explicitly use Rex::Encoder::XDR
...
The previous use of XDR in these modules allowed for namespace collisions
with similar gems.
2017-07-12 12:01:24 -05:00
345407b0a4
Rex::Encoder::XDR conflicts with the XDR gem
2017-07-12 11:52:10 -05:00
e69460a529
Land #8683 , Remove duplicate setting of suhosin.simulation in php_cgi_arg_injection
2017-07-12 09:34:35 -05:00
55cbd9b6a9
Add headers to php_eval
2017-07-10 21:25:27 -04:00
53d5060fbd
Add the LPE for CVE-2017-9769
2017-07-10 16:57:23 -04:00
2ee6df66cf
Land #8514 , wmi persistence module
2017-07-10 09:53:55 -05:00
f4c739c190
check if running as system
2017-07-10 10:05:57 +01:00
df024bb594
Remove duplicate setting of suhosin.simulation
2017-07-10 00:46:05 +03:00
8e2ff7a4c5
Add command stager and code cleanup
2017-07-07 16:54:56 -05:00
3bda361544
add old hackingteam leak name
2017-07-07 00:52:11 -05:00
f4820d24fb
add a few more AKA references
2017-07-06 22:43:46 -05:00
baff473cae
Add Metasploit RPC Console Command Execution module
2017-07-05 08:48:35 +00:00
45af651993
Fix issue generate/launch path
...
Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\
PoC with windows/meterpreter/reverse_tcp
2017-07-04 22:14:32 +02:00
a2602bf514
Land #8600 , Add GoAutoDial 3.3 RCE Command Injection / SQL injection module
2017-06-30 17:32:51 -05:00
dd530a2953
Minor indentation tweaks.
2017-06-30 17:29:43 -05:00
994f00622f
tidy module output
2017-06-29 16:12:23 +01:00
7e1b50ab3b
Land #8629 , AKA (also known as) module reference
2017-06-28 19:15:45 -05:00
aa8c580aba
updates
2017-06-28 20:14:38 -04:00
d20036e0fb
revise spelling, add heartbleed and tidy checks
2017-06-28 18:50:20 -04:00
43d8c4c5e7
Land #8519 , Apache ActiveMQ file upload exploit
2017-06-28 17:19:39 -05:00
461ab4501d
add 'Also known as', AKA 'AKA', to module references
2017-06-28 15:53:00 -04:00
6349026134
Land #8442 , Exploit module for Backup Exec Windows Agent UaF
2017-06-28 10:39:28 -05:00
66eb89e72a
Exploit now uses HTTP mixin
2017-06-25 16:38:21 +02:00
bc8de0fc66
fixed issue where starting waitfor.exe would hang the module
2017-06-24 20:54:31 +01:00
aa18598580
updated cleanup method to remove_persistence to prevent creating rc file even if module fails
2017-06-24 19:20:02 +01:00
f9493f46d7
bcole fixes
2017-06-24 14:06:11 -04:00
655358cdf1
added missing newline in cleanup method
2017-06-23 17:58:11 +01:00
916a4da182
fixed cleanup method to include all cleanup options
2017-06-23 17:38:48 +01:00
412ea9432d
removed whitespace
2017-06-23 17:17:07 +01:00
e7d6d5350f
added WAITFOR persistence method
2017-06-23 17:05:39 +01:00
a8865252da
Added exploit documentation
2017-06-23 14:12:04 +02:00
18410d8230
Land #8540 , Add Symantec Messaging Gateway RCE
2017-06-22 19:00:32 -05:00
4fdd77f19a
Land #8051 , Add Netgear DGN2200v1/v2/v3/v4 Command Injection Module
2017-06-22 11:46:40 -05:00
a4e8cdfa6e
msftidy fixes
2017-06-22 11:44:40 -05:00
3b248c78f3
resurrect old example modules, integrate into module tree
2017-06-22 11:36:35 -05:00
02e4edc4cb
Land #8579 , Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-22 10:56:41 -05:00
b51fc0a34e
Land #8489 , more httpClient modules use store_valid_credential
2017-06-21 17:18:34 -05:00
99fb905bbd
fix typo
2017-06-21 16:52:09 -05:00
24404ae40f
added heredoc to tidy formatting
...
changed USER persistence method to EVENT to better describe technique
removed "auditpol.exe /set /subcategory:Logon /failure:Enable" command from subscription_event method to be more opsec safe
added CUSTOM_PS_COMMAND advanced option
updated description to reflect changes
2017-06-21 18:15:13 +01:00
24d9bec0ae
Land #8260 , OpManager Version Check
2017-06-20 17:58:10 -05:00
241786e71f
Update description with tested versions.
2017-06-20 15:32:08 -05:00
14f0409c6c
Missing regex '+', readding so we get full API key.
2017-06-20 15:28:15 -05:00
b02719e795
Attempt to appease Travis...
2017-06-20 11:36:08 -05:00
c7a55ef92f
Added exploit documentation
2017-06-20 09:03:40 +02:00
af4eb0fbe3
Corrected shellcode
2017-06-20 00:55:18 +02:00
0b04dc0584
Correct EDB Number
2017-06-20 00:52:29 +02:00
bc826cb824
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit
2017-06-20 00:36:59 +02:00
58cd432120
Added docs, minor code tweak to remove duplication.
2017-06-19 17:35:41 -05:00
681f9f37a6
updated check if powershell is available
2017-06-19 08:35:57 +01:00
096469a8ec
added PROCESS persistence method
2017-06-18 20:42:07 +01:00
23831e6df9
Upload requested changes
2017-06-18 11:34:58 +02:00
8c23769cbc
Updated module to use an instance variable for using HTTP session tokens across functions.
2017-06-18 12:59:34 +10:00
7fb36edd50
corrected msftidy warnings
2017-06-17 22:58:47 +02:00
31a5cc94b2
Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-17 22:35:21 +02:00
19ceb53304
Modified payload handling and uploaded documentation
2017-06-18 02:04:22 +10:00
6096e373cc
removed whitespace
2017-06-17 10:44:30 +01:00
85173f36f7
moved exploit method moved to top
...
added logon persistence option
fixed typo
cleaned up formatting
2017-06-17 10:30:38 +01:00
07051d1f00
Removed whitespace
2017-06-17 09:59:46 +10:00
8eb59eac3f
Stuffed up regex.. left some random $ characters floating around and have now removed them.
2017-06-17 08:03:09 +10:00
6363a319d2
Fixed Typo
2017-06-17 07:32:17 +10:00
b34bf76fea
Adding GoAutoDial RCE module
2017-06-17 07:22:41 +10:00
e005e51f05
some edits finished
2017-06-16 06:48:31 -04:00
49d998f7d9
catch invalid tokens
2017-06-15 21:45:29 -04:00
f4ffade406
add ability to specify API token instead of password
2017-06-15 21:05:53 -04:00
9d57197736
Land #8551 , Update processmaker_exec module with workspace support
2017-06-15 17:12:35 -05:00
49383f8f3a
Update and fix grammar to the CryptoLog module
...
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
2017-06-15 13:00:44 -05:00
46ffd250a0
module working and docs
2017-06-14 21:15:56 -04:00
c147779097
Add CVE number to the symantec-messaging-gateway-exec module
2017-06-14 23:07:58 +03:00
c35dffc648
first draft of oinkcode
2017-06-14 08:04:17 -04:00
55f0edb732
Land #8491 , fixes for service_persistence
2017-06-13 17:17:53 -05:00
0766f92013
Add option for workspace
2017-06-13 12:46:36 +00:00
cbbb57d1a5
Land #8526 , Refactor QNAP and airOS modules for creds
2017-06-12 14:46:11 -05:00
6ae540d889
Adding Symantec messaging gateway rce
2017-06-10 12:23:12 +03:00
a968a74ae0
Update ms17_010_eternalblue description and ranking.
...
The module has been noted to cause crashes, reboots, BSOD, etc, on
some systems.
2017-06-09 11:01:48 +12:00
aa00661fd0
Land #8518 , update CVE references where modules report_vuln
2017-06-08 13:38:12 -05:00
3e20296cf5
Add service_details for SSH
2017-06-08 13:28:29 -05:00
e22334343e
Use store_valid_credential in my modules
...
I used report_note because using the creds API was a pain in the ass.
2017-06-08 00:57:51 -05:00
99fa52e660
Land #8434 , Add Windows 10 Bypassuac fodhelper module
2017-06-07 11:15:01 -05:00
d641058f75
Added module to exploit ActiveMQ CVE-2016-3088
2017-06-06 11:33:42 -07:00
bac17a8e80
Land #8053 , Add DC/OS Marathon UI Exploit
2017-06-06 09:29:26 -05:00
09e4974b99
removed whitespace at end of lines
2017-06-06 14:44:37 +01:00
1831056010
updated disclosure date
2017-06-06 14:32:19 +01:00
1558db375d
update CVE reference in where modules report_vuln
2017-06-05 16:36:44 -05:00
f47cc1a101
Rubocop readability changes
2017-06-05 14:32:45 -05:00
994995671e
added wmi_persistence module
2017-06-05 17:44:37 +01:00
6a3fc618a4
Add bypassuac_injection_winsxs.rb module
2017-06-03 12:59:50 +02:00
2924318ca5
update java_rmi_server modules with CVE
2017-06-02 12:59:48 -05:00
218ec96009
Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module
2017-05-31 13:00:35 +00:00
361cc2dbeb
fix newline issue and service call
2017-05-30 22:37:26 -04:00
f98b40d038
adds check on service writing before running it
2017-05-30 22:14:49 -04:00
0e145573fc
more httpClient modules use store_valid_credential
2017-05-30 14:56:05 -05:00
d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor
2017-05-30 13:59:31 -05:00
a5f910ea63
move trans2 conditional to case statement
...
this is cleaner as a case statement
2017-05-30 13:52:29 -05:00
b65c959347
limited port of the trans2 exploit packets
...
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
2017-05-30 13:49:27 -05:00
72ff4fbf48
Reword warning message, since it didn't make sense
2017-05-30 13:13:08 -05:00
890d35cc30
Fix warning placement to be more helpful
2017-05-30 13:06:23 -05:00
e9ac3fce5a
update credential mode for EB exploit
...
ExternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
2017-05-30 10:55:28 -05:00
9c93aae412
Removed self.class from register
2017-05-30 10:07:07 -04:00
bac23757a4
Updated based on busterb comments
2017-05-30 09:33:03 -04:00
beb1cef835
rescue connection failure for netbios, suggest how to fix it
2017-05-30 08:06:39 -05:00
ea6063138a
Land #8476 , Implement VerifyArch for ETERNALBLUE
2017-05-30 00:31:32 -05:00
a01a2ead1a
Land #8467 , Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
28fb5cc7da
spelling
2017-05-30 00:14:33 -05:00
e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
a781480e89
Add error handling to get_once
...
And check for specific ack result/reason for 32-bit.
2017-05-29 22:28:50 -05:00
6e253a5be7
Use Rex::Proto::DCERPC::Response
2017-05-29 21:58:03 -05:00
42b14a93b8
Add comments
2017-05-28 23:45:09 -05:00
7a2944d113
Implement VerifyArch for ETERNALBLUE
2017-05-28 23:26:59 -05:00
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
018e544295
Add VICIdial user_authorization Unauthenticated Command Execution module
2017-05-27 05:09:38 +00:00
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
ee5f37d2f7
remove nt trans raw sock op
...
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
2017-05-26 15:50:18 -05:00
d4ba28a20b
Land #8457 , Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
f0f99ad479
nttrans packet setup correctly,everything broken
...
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
162a660d45
Remove the old windows/fileformat/office_word_macro
...
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
04a701dba5
Check template file extension name
2017-05-26 07:31:34 -05:00
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
2835c165d7
Land #8390 , Add module to execute powershell on Octopus Deploy server
2017-05-25 17:33:07 -05:00
330526af72
Update check method
2017-05-25 17:30:58 -05:00
ae22b4ccf4
Land #8450 , Samba is_known_pipename() exploit
2017-05-25 16:36:28 -05:00
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
0b0e2f64ca
update SMB1 "Freehole" packet
...
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
1a8961b5e3
fied typo
2017-05-25 19:14:59 +02:00
bc8ad811aa
remove old anonymous login packet
...
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
238052a18b
use RubySMB client echo
...
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
4ffe666b52
improve the cred fallback
...
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
4c02b7b13a
added credentialed fallback
...
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
dc67fcd5a8
use RubySMB for anonymous login
...
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
e4ea618edf
Land #8419 , ETERNALBLUE fixes (round two)
...
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
46eb6bdf62
Land #8399 , ETERNALBLUE fixes (round one)
2017-05-23 16:51:19 -05:00
f80c3aa3f4
Correct absolute path
2017-05-23 16:50:25 -05:00
52363aec13
Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
...
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.
Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
b7b1995238
Land #8274 , Wordpress admin upload `check`
2017-05-22 22:08:32 -05:00
d69bfd509f
store the credential using the new store_valid_credential
2017-05-22 15:08:03 -05:00
93bb47d546
msftidy fix
2017-05-22 19:27:15 +01:00
092e7b96b8
typo
2017-05-22 17:27:50 +01:00
74c08cebee
Add bypassuac fodhelper module for Windows 10
2017-05-22 17:25:17 +01:00
467f1ce0ca
Land #8411 , Buffer overflow in VXSearch Enterprise v9.5.12
2017-05-22 07:37:31 -05:00
b5caeb29dd
only support for 32bit so far
2017-05-22 12:30:52 +02:00
036f063988
Fix a stack trace when no SMB response is received
2017-05-19 16:24:41 -05:00
b76229b5f7
removed unessessary line
2017-05-18 19:15:49 -07:00
7ca0fe5a68
Added make_junk function
2017-05-18 19:06:09 -07:00
4def7ce6cc
Land #8327 , Simplify storing credentials
2017-05-18 16:49:01 -05:00
c1624d0967
VX Search Enterprise GET Buffer Overflow
2017-05-18 17:12:47 +01:00
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
d944bdfab0
expect 0xC00000D
2017-05-17 23:05:20 -06:00
646ca14375
basic OS verification, ghetto socket read code
2017-05-17 22:48:45 -06:00
c0bf2cc6e7
Land #8401 , Buffer Overflow on Sync Breeze Enterprise 9.4.28
2017-05-17 23:39:50 -05:00
3360171977
Land #8319 , Add exploit module for Mediawiki SyntaxHighlight extension
2017-05-17 23:23:50 -05:00
ad8788cc74
Update syncbreeze_bof.rb
2017-05-17 11:33:24 +01:00
5329ce56c4
Sync Breeze Enterprise GET Buffer Overflow
2017-05-17 10:53:28 +01:00
2f39daafc5
Updated module removing hardcoded binary payload strings
...
-Used only nessessary pointers needed for exploit to work removing junk/filler chars
-Repaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
7e2dab4ddc
Land #8303 , Buffer Overflow on Dupscout Enterprise v9.5.14
2017-05-17 01:04:59 -05:00
6fb4040d11
add core buffer dump for OS version
2017-05-16 23:18:39 -06:00
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
...
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
77a9676efb
Land #8347 , Add Serviio Media Server checkStreamUrl Command Execution
2017-05-16 16:20:39 -05:00
6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue
2017-05-16 15:53:34 -05:00
e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue
2017-05-16 15:41:16 -05:00
e3f4cc0dfd
Land #8345 , WordPress PHPMailer Exim injection
...
CVE-2016-10033
2017-05-16 15:07:21 -05:00
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
e62fc3e93c
Land #8376 , Add BuilderEngine 3.5 Arbitrary file upload & exec exploit
2017-05-16 14:53:32 -05:00
631267480d
Update module description
2017-05-16 14:48:46 -05:00
2ed8ae11b4
Add doc and make minor changes
2017-05-16 14:47:19 -05:00
7c1dea2f02
Refactor prestager to work with newer Exim
...
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
53bb5a8440
Update ms17_010_eternalblue.rb
2017-05-16 10:43:43 -06:00
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
5fd6cb0890
Remove nil case, since response might be nil
...
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
b41427412b
Improve fail_with granularity for 400 error
...
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
1a644cadc4
Add print_good to on_request_uri override
...
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
3c4dfee4f5
Module to execute powershell on Octopus Deploy server
...
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.
During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lot's of other interesting data).
Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.
More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
cb4c700e62
fix typo
2017-05-14 21:52:36 -06:00
865a36068e
sleep fix and new shellcode
2017-05-14 21:45:19 -06:00
e3dcf0ab2d
added docs
2017-05-14 19:22:26 -06:00
9634f974dd
fix msftidy
2017-05-14 18:14:02 -06:00
fa79339432
eternalblue module
2017-05-14 18:11:41 -06:00
f39e378496
Land #8330 , fix ps_wmi_exec and psh staging
2017-05-13 14:26:47 -04:00
c622e3fc22
Deregister URIPATH because it's overridden by Path
2017-05-12 11:56:38 -05:00
84af5d071d
Deregister VHOST because it's overridden by Host
2017-05-12 11:44:10 -05:00
27e1de14b0
BuilderEngine 3.5 Arbitrary file upload and execution exploit
2017-05-12 18:37:08 +02:00
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
2ae943d981
Use payload common case instead of general case
...
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
e8aed42ecd
Land #8223 , Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
18d95b6625
Land #8346 , Templatize shims for external modules
2017-05-10 18:15:54 -05:00
09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
42c7d64b28
Update style
2017-05-10 06:37:09 +00:00
72388a957f
Land #8355 , IIS ScStoragePathFromUrl
...
See #8162
2017-05-09 11:06:01 -05:00
2b4ace9960
convert to "screaming snake"
2017-05-09 09:30:45 +02:00
32dafb06af
Replace NoTarget with NotVulnerable
2017-05-08 22:29:44 +00:00
f70b402dd9
add comment
2017-05-09 00:17:00 +02:00
806963359f
fix fail with condition
2017-05-08 23:47:48 +02:00
f62ac6327d
add @rwhitcroft
2017-05-08 23:20:12 +02:00
26373798fa
change rank
2017-05-08 23:07:12 +02:00
962a31f879
change minimum length
2017-05-08 23:01:17 +02:00
7dccb17834
auto extract values and implement brute forcing
2017-05-08 22:47:29 +02:00
841f63ad20
make office_word_hta backward compat with older Rubies
2017-05-08 15:10:48 -05:00
406a7f1ae2
Merge remote-tracking branch 'dmchell/dmchell-cve-2017-7269' into iis2
2017-05-08 21:51:51 +02:00
fede672a81
further revise templates
2017-05-08 14:26:24 -05:00
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
ab245b5042
added note to description
2017-05-07 13:56:50 +01:00
4f12a1e271
added note to description
2017-05-07 13:54:28 +01:00
05bf16e91e
Land #8331 , Adding module CryptoLog Remote Code Execution
2017-05-05 18:24:14 -05:00
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
720a02f5e2
Addressing Spaces at EOL issue reported by Travis
2017-05-05 11:05:17 +03:00
0eacf64324
Add Serviio Media Server checkStreamUrl Command Execution
2017-05-05 07:54:00 +00:00
58d2e818b1
Merging multiple sqli area as a func
2017-05-05 10:49:05 +03:00
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
a8983c831d
Updated links and authors
2017-05-04 18:25:45 -04:00
81bcf2ca70
updating all LHOST to use the new opt type
2017-05-04 12:57:50 -05:00
afe801b9e8
Updated target to 'universal'
2017-05-04 16:25:41 +02:00
073cd59cd3
Added qmail_bash_env_exec exploit module, which exploit the ShellShock flaw via Qmail.
2017-05-04 15:44:18 +02:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
d04e7cba10
Rename the module as well as title
2017-05-03 19:18:46 +03:00
ae8035a30f
Fixing typo and using shorter sqli payload
2017-05-03 16:45:17 +03:00
db2a2ed289
Removing space at eof and self.class from register_options
2017-05-03 01:31:13 +03:00
77acbb8200
Adding cryptolog rce
2017-05-03 01:05:40 +03:00
494711ee65
Land #8307 , Add lib for writing Python modules
2017-05-02 15:53:13 -05:00
6870a48c48
Code suggestion from @jvoisin
2017-05-02 16:41:06 +02:00
03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory
2017-05-01 16:23:14 -05:00
006ed42248
Added fix information
...
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/0002
09.html
2017-05-01 09:01:14 +02:00
673dbdc4b9
Code review feedback from h00die
2017-04-29 20:37:39 +02:00
fcf14212b4
Fixed disclosure date
2017-04-29 16:25:25 +02:00
f9e7715adb
Fixed formatting
2017-04-29 16:07:45 +02:00
1569d2cf8e
MediaWiki SyntaxHighlight extension exploit module
...
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
2017-04-29 14:29:56 +02:00
c4b3ba0d14
Actually removing msf/core this time... ><
...
Helps to actually remove the bits that were failing. Now with even more
removal of msf/core!
2017-04-28 21:42:06 -04:00
ff263812fc
Fix msftidy warnings
...
Remove explicitly loading msf/core and self.class from the register_
functions.
2017-04-28 21:26:53 -04:00
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
f8fb03682a
Fix issue in ps_wmi_exec and powershell staging
...
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.
Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
18fa411189
Updated with Egypt's suggestion, also changed the target name to include other versions
2017-04-27 13:19:44 +01:00
037fdf854e
move common json-rpc bits to a library
2017-04-26 18:08:08 -05:00
a60e5789ed
update mettle->meterpreter references in modules
2017-04-26 17:55:10 -05:00
a3a4ba7605
Buffer Overflow on Dup Scout Enterprise v9.5.14
2017-04-26 15:19:00 +01:00
bbee7f86b5
Land #8263 , Mercurial SSH exec module
2017-04-26 01:38:01 -05:00
f60807113b
Clean up module
2017-04-26 01:37:49 -05:00
56685bbfaa
Update office_word_hta.rb
2017-04-26 11:05:21 +08:00
320898697a
Land #8266 , Add Buffer Overflow Exploit on Disk Sorter Enterprise
2017-04-24 17:17:30 -05:00
mr_me
Brent Cook
Ricardo Almeida
g0tmi1k
Pearce Barry
M4P0
bwatters-r7
David Maloney
Spencer McIntyre
James Barnett
Matt Robinson
NickTyrer
Emanuel Bronshtein
Brendan Coles
syndrome5
William Vu
William Webb
Mzack9999
h00die
dmohanty-r7
Jin Qian
Jeffrey Martin
L3cr0f
mccurls
thesubtlety
Tod Beardsley
Mehmet Ince
James Lee
Stephen Shkardoon (ss23)
Anderson
wolfthefallen
Brent Cook
HD Moore
wchen-r7
nks
Matthew Daley
amaloteaux
Christian Mehlmauer
lincoln
Daniel Teixeira
zerosum0x0
zerosum0x0
james-otten
Adam Cammack
Bryan Chu
m0t
Gabriel Follon
darkbushido
Yorick Koster
Yorick Koster
Brandon Knight
Sara Perez
anhilo