Martin Pizala
853ae9a6ce
Add new reference
2017-07-26 02:16:56 +02:00
1cph93
9c930aad6e
Add space after comma in f5_bigip_known_privkey module to coincide with Ruby style guide
2017-07-25 19:43:29 -04:00
Martin Pizala
cd418559bc
Docker Daemon - Unprotected TCP Socket Exploit
2017-07-26 00:21:35 +02:00
Brent Cook
354869205a
make exploit/multi/handler passive
...
This gives exploit/multi/handler a makeover, updating to use more-or-less
standard Ruby, and removing any mystical hacks at the same time (like select
instead of sleep).
This also gives it a Passive stance, and sets ExitOnSession to be false by
default, which is the setting that people use 99% of the time anyway.
2017-07-24 15:47:06 -07:00
mr_me
bf4dce19fb
I added the SSD advisory
2017-07-24 14:25:10 -07:00
mr_me
b099196172
deregistered SSL, added the HTA dodgy try/catch feature
2017-07-24 10:28:03 -07:00
mr_me
17b28388e9
Added the advisory, opps
2017-07-24 10:09:21 -07:00
mr_me
14ca2ed325
Added a icon loading trick by Brendan
2017-07-24 10:06:20 -07:00
mr_me
b2a002adc0
Brendan is an evil genius\!
2017-07-24 09:58:23 -07:00
mr_me
cc8dc002e9
Added CVE-2017-7442
2017-07-24 08:21:59 -07:00
Brendan Coles
d66e8062e7
Add TeamTalk Gather Credentials auxiliary module
2017-07-24 14:24:38 +00:00
Brent Cook
6300758c46
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
Brent Cook
80d18fae6a
update example modules to have zero violations
2017-07-24 06:15:54 -07:00
Brent Cook
1d290d2491
resurrect one print_error/bad conversion for symmetry
2017-07-24 05:55:34 -07:00
Brent Cook
8db3f74b81
fix a broken link
2017-07-24 05:53:09 -07:00
Brent Cook
838b066abe
Merge branch 'master' into land-8716
2017-07-24 05:51:44 -07:00
Ricardo Almeida
6c22f785e9
Orientdb 2.2.x RCE - Fine tune vulnerable version detection; removed redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get;
2017-07-24 09:52:47 +01:00
Brent Cook
8444038c62
Add eval alternative to PHP Meterpreter to bypass suhosin
...
See https://suhosin.org/stories/index.html for more information on this system.
2017-07-23 22:04:09 -07:00
Pearce Barry
fb905c4bc7
Land #8754 , fix some module documentation
2017-07-23 11:44:07 -05:00
Pearce Barry
a140209c36
Land #8739 , cleanup windows_autologin
2017-07-23 11:35:34 -05:00
Brent Cook
7c55cdc1c8
fix some module documentation
...
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
2017-07-23 07:46:52 -07:00
Brent Cook
df22e098ed
Land #8695 , Fix #8675 , Add Cache-Control header, also meta tag for BAP2
2017-07-23 07:17:45 -07:00
Brent Cook
8c8dbc6d38
Land #8692 , Fix #8685 , Check nil condition for #wordlist_file in jtr modules
2017-07-23 07:12:21 -07:00
Brent Cook
2c3712479d
Land #8750 , openssl_heartbleed fix, use ruby 2.4 OpenSSL::PKey::RSA API
2017-07-23 06:58:40 -07:00
Brent Cook
b75530b978
Fix an issue where 'sleep' with Python Meterpreter appears to fail.
2017-07-23 05:38:06 -07:00
Brent Cook
399557124f
update payload cached sizes
2017-07-23 05:28:32 -07:00
Brendan Coles
109fd8b6d3
Add Asterisk Gather Credentials auxiliary module
2017-07-23 09:55:12 +00:00
Christian Mehlmauer
b4bb384577
add @pbarry-r7 's feedback
2017-07-22 18:54:36 +02:00
g0tmi1k
e710701416
Made msftidy.rb happy
...
...untested with the set-cookie 'fix'
2017-07-21 19:55:26 -07:00
Pearce Barry
6bb745744b
Land #8471 , Add VICIdial user_authorization Unauthenticated Command Execution module
2017-07-21 15:57:08 -05:00
Evgeny Naumov
5d04775f5e
use 2.4 OpenSSL::PKey::RSA api
2017-07-21 16:28:07 -04:00
g0tmi1k
524373bb48
OCD - Removed un-needed full stop
2017-07-21 07:41:51 -07:00
g0tmi1k
772bec23a1
Fix various typos
2017-07-21 07:40:08 -07:00
M4P0
c187f709dc
Update geutebrueck_gcore_x64_rce_bo.rb
...
Review changes with msftidy.
2017-07-21 11:37:12 +02:00
Brent Cook
510ff888fd
Land #8439 , native OSX meterpreter support
2017-07-20 22:01:49 -05:00
thesubtlety
7d033688ce
clean up formatting
2017-07-19 17:27:44 -04:00
bwatters-r7
ffad0d1bbf
Land #8559 , Ipfire oinkcode exec
2017-07-19 14:31:18 -05:00
bwatters-r7
116a838cb0
Version check update and stylistic fix
2017-07-19 13:26:40 -05:00
g0tmi1k
3f6925196b
OCD - store_loot & print_good
2017-07-19 13:02:49 +01:00
g0tmi1k
ef826b3f2c
OCD - print_good & print_error
2017-07-19 12:48:52 +01:00
g0tmi1k
0f453c602e
Even more print_status -> print_good
2017-07-19 11:46:39 +01:00
g0tmi1k
df9b642746
More print_status -> print_good
2017-07-19 11:39:15 +01:00
g0tmi1k
b8d80d87f1
Remove last newline after class - Make @wvu-r7 happy
2017-07-19 11:19:49 +01:00
g0tmi1k
3d4feffc62
OCD - Spaces & headings
2017-07-19 11:04:15 +01:00
Ricardo Almeida
f3f96babb9
Orientdb 2.2.x RCE - Changed the java_craft_runtime_exec function; Tested the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success
2017-07-19 10:46:10 +01:00
g0tmi1k
a008f8e795
BruteForce - > Brute Force
2017-07-19 10:39:58 +01:00
thesubtlety
5d4105db33
minor fixes per rubocop
2017-07-18 22:36:45 -04:00
Christian Mehlmauer
0d3f5ae220
cleanup windows_autologin
2017-07-18 22:50:34 +02:00
Jon Hart
45f81f3c98
Squash some style issues
2017-07-18 12:45:02 -07:00
Brent Cook
cc3168933f
update mettle payloads, template generator
2017-07-18 13:13:38 -05:00
Ricardo Almeida
219987726f
Orientdb 2.2.x RCE - Changed the CmdStager flavor to VBS script
2017-07-18 17:18:14 +01:00
Ricardo Almeida
5ca523e2ce
Orientdb 2.2.x RCE - Add warning about windows
2017-07-18 17:11:54 +01:00
Ricardo Almeida
af0a9c2f86
Orientdb 2.2.x RCE tidy stuff
2017-07-18 17:07:29 +01:00
Ricardo Almeida
99ba645034
Orientdb 2.2.x RCE
2017-07-18 16:53:44 +01:00
Brent Cook
f5e76092d6
Merge branch 'master' into land-8439-
2017-07-18 08:25:18 -05:00
bwatters-r7
ba92d42b57
Updated version check per @bcoles
2017-07-17 15:52:50 -05:00
Jon Hart
e93e524c3b
Merge branch 'upstream-master' into feature/rdp-scanner
2017-07-17 13:46:59 -07:00
Jon Hart
43e04c8894
Improve RDP probe packet
2017-07-17 13:14:47 -07:00
David Maloney
2a1c661c79
Land #8723 , Razr Synapse local exploit
...
lands ZeroSteiner's Razr Synapse local priv esc module
2017-07-17 13:34:17 -05:00
tkmru
6c5d8279ca
change to generate payload from metasm
2017-07-16 19:21:09 +09:00
Spencer McIntyre
b4813ce2c7
Update the pre-exploit check conditions
2017-07-15 14:48:54 -04:00
Pearce Barry
9775df1f6e
Land #8586 , Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit
2017-07-14 15:20:01 -05:00
David Maloney
ee1c87b868
Land #8172 , example modules
...
lands several example modules
2017-07-14 15:17:20 -05:00
Jon Hart
e3e5c33b9b
WIP commit of RDP scanner
2017-07-14 13:02:43 -07:00
David Maloney
8f6cac9c37
Land #8652 , rpc console write exploit
...
lands pr for the metasploit rpc console write exploit
2017-07-14 14:47:35 -05:00
David Maloney
0fde6c6b42
Land #8650 , igss9 launch path
...
land pr to fix launch path in the igss9 exploit
2017-07-14 14:39:38 -05:00
Spencer McIntyre
833b2a67d4
Fix the architecture check for only x64
2017-07-14 07:06:54 -04:00
g0tmi1k
4720d1a31e
OCD fixes - Spaces
2017-07-14 08:46:59 +01:00
g0tmi1k
9309115627
OCD - Banner clean up
2017-07-14 08:19:50 +01:00
g0tmi1k
fd843f364b
Removed extra lines
2017-07-14 08:17:16 +01:00
g0tmi1k
a79692aac1
Typo
2017-07-14 08:16:30 +01:00
tkmru
5d45680bc1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x86_retry
2017-07-14 13:53:53 +09:00
tkmru
f66021c8a2
update CachedSize
2017-07-14 13:53:43 +09:00
g0tmi1k
67310fa96c
print_status -> print_good. [When it is successful, show it!]
2017-07-14 00:09:35 +01:00
g0tmi1k
424522147e
OCD fixes - Start of *.rb files
2017-07-13 23:53:59 +01:00
bwatters-r7
de230478eb
Land #8566 , Add ye olde NNTP Login Utility scanner module
2017-07-13 13:19:34 -05:00
Spencer McIntyre
5470670223
Change the hook for windows 10 compatibility
2017-07-13 11:49:06 -04:00
Jon Hart
e52e9c147d
First commit for Cisco Smart Install Scanner
2017-07-12 19:12:06 -07:00
Pearce Barry
59de7d3635
Land #8671 , Add a module for CVE-2017-7615
2017-07-12 14:58:02 -05:00
Pearce Barry
580219695a
Oof, missed the parens...
2017-07-12 13:52:59 -05:00
Pearce Barry
aa22651340
Few style/spelling tweaks, nothing to see here...
2017-07-12 13:41:20 -05:00
James Barnett
e43adf0223
Land #8710 , explicitly use Rex::Encoder::XDR
...
The previous use of XDR in these modules allowed for namespace collisions
with similar gems.
2017-07-12 12:01:24 -05:00
Brent Cook
345407b0a4
Rex::Encoder::XDR conflicts with the XDR gem
2017-07-12 11:52:10 -05:00
Pearce Barry
e69460a529
Land #8683 , Remove duplicate setting of suhosin.simulation in php_cgi_arg_injection
2017-07-12 09:34:35 -05:00
h00die
b7d082fe06
land #8679 update to credits for rfpwnon
2017-07-11 19:36:41 -04:00
William Webb
aa0fca9dd1
Land #8631 , Add railgun support to Python Meterpreter for the OSX
...
platform
2017-07-11 16:05:16 -05:00
RageLtMan
5473b2132d
Implement :request_url for Msf HttpClient mixin
...
To round out implementation of a simple path for users to access
HttpClient like Open or Net::HTTP, create :request_url method which
takes a single URL parameter, uses :request_opts_from_url to build
the request configuration for Rex::Proto::Http::Client, executes
a GET request with it, and disconnects the client unless keepalive
is specified as the second parameter to :request_url.
Example usage of functionality is implemented in http_pdf_authors.
2017-07-11 16:07:13 -04:00
Adam Cammack
14b37c2101
Land #8691 , Improve php reverse_tcp stager logic
2017-07-11 13:50:27 -05:00
Tim
db8698e82b
Land #8655 , add error handling to mipsle linux reverse tcp stager
2017-07-11 22:33:54 +08:00
Matt Robinson
55cbd9b6a9
Add headers to php_eval
2017-07-10 21:25:27 -04:00
David Maloney
6d7a066477
fixes oracle_hashdump and jtr_oracle_fast modules
...
fixes functionality in the oracle database hashdumper
and the oracle hash cracker modules
2017-07-10 16:57:57 -05:00
wchen-r7
50b1ec4044
Fix #8675 , Add Cache-Control header, also meta tag for BAP2
...
Hopefully that browsers will respect this.
Fix #8675
2017-07-10 16:05:09 -05:00
Spencer McIntyre
53d5060fbd
Add the LPE for CVE-2017-9769
2017-07-10 16:57:23 -04:00
wchen-r7
fe360e3e2a
Fix #8685 , Check nil condition for #wordlist_file in jtr modules
...
JTR modules should never assume there is always a database
connected while using #wordlist_file, considering a database is
an optional component for Framework.
Fix #8685
2017-07-10 11:18:20 -05:00
David Maloney
2ee6df66cf
Land #8514 , wmi persistence module
2017-07-10 09:53:55 -05:00
NickTyrer
f4c739c190
check if running as system
2017-07-10 10:05:57 +01:00
RageLtMan
df697aa23c
Implement HttpClient options generation from URL
...
To address the complexity which comes with the flexibility offered
by Rex::Proto::Http::Client and its Msf mixin descendant, a simple
process needs to be implemented for issuing a request using only
the URL string in order to provide ease of access to users who may
not have the time to study how these clients work in detail.
Implement :request_opts_from_url in Msf's HttpClient mixin such as
to extract the options required for :send_request_* from a URL
string passed into the method. This approach reduces HTTP requests
in the mixin to `send_request_raw(request_opts_from_url(url))` when
`url` is just a string.
Implement this approach in the http_pdf_authors gather module to
further reduce infrastructure complexity around the simple need to
acquire PDF files via HTTP/S.
Testing:
Local to this module only, and in Pry of course. Seems to work...
2017-07-10 04:19:26 -04:00
RageLtMan
997150a215
Use Msf::Exploit::Remote::HttpClient
...
Replace Net::HTTP usage with proper Rex::Proto::Http::Client via
the Msf module mixin. Generate the request opts from the same URI
parsed URL string, execute a one shot GET request, disconencting
after reciept of results. Depending on the response code, either
pass back an empty StringIO or if its 200, a StringIO(res.body).
2017-07-10 03:37:41 -04:00
Dave Farrow
653890f9d4
fixed unit tests
2017-07-09 16:08:32 -07:00
Emanuel Bronshtein
df024bb594
Remove duplicate setting of suhosin.simulation
2017-07-10 00:46:05 +03:00
jvoisin
263a42707e
Fix a typo
2017-07-09 16:34:51 +02:00
jvoisin
8510cda5ae
Implement @bcoles advices
2017-07-09 16:34:10 +02:00
Tim
75c571de83
Land #8653 , add error handling to mipsbe linux reverse tcp stager
2017-07-09 19:36:15 +08:00
Tim
cd0c2c213f
pedantic tweaks
2017-07-09 19:36:03 +08:00
Corey Harding
50339289a7
Update rfpwnon.rb
2017-07-09 05:12:35 -04:00
jvoisin
f10cf75ae0
Fix some stuff
2017-07-09 10:45:15 +02:00
jvoisin
5fe805aaca
s/\t/ /g
2017-07-09 02:29:37 +02:00
jvoisin
968fa0c244
Add even more references
2017-07-09 02:27:54 +02:00
jvoisin
ae930ae7c1
Add a module for CVE-2017-7615
2017-07-09 02:14:21 +02:00
Brendan Coles
8e2ff7a4c5
Add command stager and code cleanup
2017-07-07 16:54:56 -05:00
William Vu
b3be89b508
Land #8663 , typo fix for zoomeye_search
2017-07-07 16:53:48 -05:00
dmohanty-r7
8f464e17a1
Land #8658 , Add Gather PDF Authors auxiliary module
2017-07-07 16:20:29 -05:00
MD5HashBrowns
e5244f3113
Fixed typo
2017-07-07 15:26:37 -04:00
Brendan Coles
683ce10167
Add URL option
2017-07-07 18:42:00 +00:00
Brent Cook
3bda361544
add old hackingteam leak name
2017-07-07 00:52:11 -05:00
Brent Cook
f4820d24fb
add a few more AKA references
2017-07-06 22:43:46 -05:00
Brendan Coles
d864ce16b1
Add Gather PDF Authors auxiliary module
2017-07-06 23:29:17 +00:00
William Vu
f45facdf6e
Fix HTTP verb in jboss_vulnscan print_status
2017-07-06 14:55:33 -05:00
tkmru
a4a959266b
update cachedSize
2017-07-06 17:43:27 +09:00
tkmru
ed0b5a843d
add error handling bin to reverse_tcp on mipsbe
2017-07-06 17:34:22 +09:00
tkmru
2d8a71de6f
tab to space
2017-07-05 18:22:06 +09:00
tkmru
615eb53796
update cachedSize
2017-07-05 18:05:38 +09:00
tkmru
d02d6826a9
fix reverse tcp stager src
2017-07-05 17:56:59 +09:00
tkmru
d1f08a80bd
add error handling to reverse_tcp on mipsbe
2017-07-05 17:50:49 +09:00
Brendan Coles
baff473cae
Add Metasploit RPC Console Command Execution module
2017-07-05 08:48:35 +00:00
syndrome5
45af651993
Fix issue generate/launch path
...
Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\
PoC with windows/meterpreter/reverse_tcp
2017-07-04 22:14:32 +02:00
dmohanty-r7
aa387e96a7
Land #8577 , Add SurgeNews User Credentials scanner
2017-07-03 10:14:03 -05:00
Roman
38b1e56bbd
negated wording regarding legacy auth
...
According to the docs this variable means the opposite:
https://dev.mysql.com/doc/refman/5.5/en/mysql-command-options.html#option_mysql_secure-auth
OFF -> insecure
ON -> secure
2017-07-03 14:29:07 +02:00
Brendan Coles
dff96ce9a0
Re-order includes with Auxiliary::Scanner last
2017-07-01 08:30:17 +00:00
Pearce Barry
a2602bf514
Land #8600 , Add GoAutoDial 3.3 RCE Command Injection / SQL injection module
2017-06-30 17:32:51 -05:00
Pearce Barry
dd530a2953
Minor indentation tweaks.
2017-06-30 17:29:43 -05:00
Pearce Barry
3d4d03c9b4
Land #8575 , Cerberus Helpdesk hash disclosure
2017-06-30 16:02:53 -05:00
Brent Cook
40f0d36f6b
Land #8615 , add @artkond's DoS module for Cisco CVE-2017-3881
2017-06-30 11:17:09 -04:00
NickTyrer
994f00622f
tidy module output
2017-06-29 16:12:23 +01:00
William Vu
7e1b50ab3b
Land #8629 , AKA (also known as) module reference
2017-06-28 19:15:45 -05:00
Brent Cook
aa8c580aba
updates
2017-06-28 20:14:38 -04:00
Brent Cook
d20036e0fb
revise spelling, add heartbleed and tidy checks
2017-06-28 18:50:20 -04:00
William Vu
43d8c4c5e7
Land #8519 , Apache ActiveMQ file upload exploit
2017-06-28 17:19:39 -05:00
Brent Cook
461ab4501d
add 'Also known as', AKA 'AKA', to module references
2017-06-28 15:53:00 -04:00
thesubtlety
a87f937634
fix msftidy warning
2017-06-28 11:53:11 -04:00
William Webb
6349026134
Land #8442 , Exploit module for Backup Exec Windows Agent UaF
2017-06-28 10:39:28 -05:00
thesubtlety
e1ca78e6c6
add option to enable job log parsing
2017-06-27 19:01:12 -04:00
thesubtlety
29c6f41622
add longer timeout for large file systems
2017-06-27 18:38:54 -04:00
Spencer McIntyre
0da9f4d64a
Refactor railgun "DLL" references to library
2017-06-27 17:34:06 -04:00
Brent Cook
cb82bdc6a9
Land #8607 , add error handling to x64 Linux stagers
2017-06-27 03:53:07 -05:00
Brent Cook
0d9f57ad7c
add @artkond's DoS module for Cisco CVE-2017-3881
...
This makes a few improvements, adds module docs.
2017-06-27 01:53:23 -05:00
thesubtlety
10c663dd3e
initial commit
2017-06-27 01:37:22 -04:00
William Vu
66161b10c5
Land #8455 , post module for mounting VMDKs
2017-06-27 00:35:48 -05:00
William Vu
639f341b21
Clean up module
2017-06-26 15:08:37 -05:00
Brent Cook
05c72214ae
Land #8205 , Add Satel SenNet Command Exec Module
2017-06-25 18:01:44 -05:00
Rob Fuller
2918b3af13
Land #8599 , Dynamic DNS updater module
2017-06-25 15:08:22 -05:00
Brent Cook
07e7baebb8
sign my name
2017-06-25 14:59:01 -05:00
Brent Cook
7bc0dcea42
add ipv6 support for CHOST
2017-06-25 14:57:15 -05:00
Mzack9999
66eb89e72a
Exploit now uses HTTP mixin
2017-06-25 16:38:21 +02:00
tkmru
084b211e9b
add x64 stager_sock_reverse src
2017-06-25 16:31:37 +09:00
Brent Cook
269597f994
add initial CHOST support
2017-06-24 18:57:43 -05:00
Brent Cook
eee1eff034
improve resolve / add / delete logic
2017-06-24 18:36:01 -05:00
Brent Cook
b36d56bed3
handle RXDomain on lookup failure
2017-06-24 18:10:50 -05:00
tkmru
0685cb5ab4
update CacheSize
2017-06-25 06:25:07 +09:00
tkmru
799fcbd9e7
add error handling to x64 reverse tcp stager
2017-06-25 06:22:25 +09:00
NickTyrer
bc8de0fc66
fixed issue where starting waitfor.exe would hang the module
2017-06-24 20:54:31 +01:00
NickTyrer
aa18598580
updated cleanup method to remove_persistence to prevent creating rc file even if module fails
2017-06-24 19:20:02 +01:00
h00die
f9493f46d7
bcole fixes
2017-06-24 14:06:11 -04:00
Brent Cook
c8755a3a7a
add pre-flight checks, log a lot more info
2017-06-24 12:32:15 -05:00
h00die
cc9326d946
bcoles updates and table printing
2017-06-24 13:01:39 -04:00
Brent Cook
8f3c470bb3
make usage more intuitive, remove weird defaults
2017-06-24 11:52:52 -05:00
NickTyrer
655358cdf1
added missing newline in cleanup method
2017-06-23 17:58:11 +01:00
NickTyrer
916a4da182
fixed cleanup method to include all cleanup options
2017-06-23 17:38:48 +01:00
NickTyrer
412ea9432d
removed whitespace
2017-06-23 17:17:07 +01:00
NickTyrer
e7d6d5350f
added WAITFOR persistence method
2017-06-23 17:05:39 +01:00
Mzack9999
a8865252da
Added exploit documentation
2017-06-23 14:12:04 +02:00
OJ
5588d0f7b2
Update payload cached sizes
2017-06-23 13:45:04 +10:00
Brent Cook
fda2e8c73d
Land #8523 , Add support for session GUIDs
2017-06-22 20:10:10 -05:00
dmohanty-r7
18410d8230
Land #8540 , Add Symantec Messaging Gateway RCE
2017-06-22 19:00:32 -05:00
Brent Cook
24c43b1822
reregister rhost
2017-06-22 18:33:19 -05:00
Brent Cook
ca813e7a5c
fix message formatting
2017-06-22 18:21:33 -05:00
Brent Cook
823260cc04
fix error message
2017-06-22 18:11:07 -05:00
Brent Cook
3cf722a45d
use correct preqrequisites
2017-06-22 18:08:20 -05:00
Brent Cook
5e48a11e60
handle specific exceptions, update docs
2017-06-22 18:01:52 -05:00
Brent Cook
6a261b172f
move from scanner to admin
2017-06-22 17:47:04 -05:00
Brent Cook
125d14f81e
simplify module, add AAAA support
2017-06-22 17:44:55 -05:00
KINGSABRI
b618e5ca6f
Add more exception handling, fix tidy rules
2017-06-22 15:55:04 -05:00
KINGSABRI
ce124e6090
Add CNAME record
2017-06-22 15:55:04 -05:00
KINGSABRI
5528084e27
add Dnsruby
2017-06-22 15:55:04 -05:00
KINGSABRI
2410a3232f
Adding DNS Server Dynamic Update Record Injection module
2017-06-22 15:41:25 -05:00
Brent Cook
4fdd77f19a
Land #8051 , Add Netgear DGN2200v1/v2/v3/v4 Command Injection Module
2017-06-22 11:46:40 -05:00
Brent Cook
a4e8cdfa6e
msftidy fixes
2017-06-22 11:44:40 -05:00
Brent Cook
3b248c78f3
resurrect old example modules, integrate into module tree
2017-06-22 11:36:35 -05:00
William Webb
02e4edc4cb
Land #8579 , Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-22 10:56:41 -05:00
William Webb
47a659f554
Land #8185 , Convert ntp modules to bindata
2017-06-22 09:37:58 -05:00
Jin Qian
b51fc0a34e
Land #8489 , more httpClient modules use store_valid_credential
2017-06-21 17:18:34 -05:00
Jeffrey Martin
99fb905bbd
fix typo
2017-06-21 16:52:09 -05:00
William Vu
ceba4e6d61
Add pointer to CDX API
2017-06-21 12:34:40 -05:00
William Vu
c12056d242
Fix enum_wayback using CDX API
2017-06-21 12:29:15 -05:00
NickTyrer
24404ae40f
added heredoc to tidy formatting
...
changed USER persistence method to EVENT to better describe technique
removed "auditpol.exe /set /subcategory:Logon /failure:Enable" command from subscription_event method to be more opsec safe
added CUSTOM_PS_COMMAND advanced option
updated description to reflect changes
2017-06-21 18:15:13 +01:00
Pearce Barry
24d9bec0ae
Land #8260 , OpManager Version Check
2017-06-20 17:58:10 -05:00
Pearce Barry
241786e71f
Update description with tested versions.
2017-06-20 15:32:08 -05:00
Pearce Barry
14f0409c6c
Missing regex '+', readding so we get full API key.
2017-06-20 15:28:15 -05:00
Pearce Barry
b02719e795
Attempt to appease Travis...
2017-06-20 11:36:08 -05:00
Mzack9999
c7a55ef92f
Added exploit documentation
2017-06-20 09:03:40 +02:00
Mzack9999
af4eb0fbe3
Corrected shellcode
2017-06-20 00:55:18 +02:00
Mzack9999
0b04dc0584
Correct EDB Number
2017-06-20 00:52:29 +02:00
Pearce Barry
3cd28b28e2
Land #8569 , Add ability to specify API token instead of password
2017-06-19 17:42:35 -05:00
Mzack9999
bc826cb824
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit
2017-06-20 00:36:59 +02:00
Pearce Barry
58cd432120
Added docs, minor code tweak to remove duplication.
2017-06-19 17:35:41 -05:00
David Maloney
722d9a278c
Land #8580 , cachedump iteration count fix
...
lands rogdham's fixes for the ms cache dump post module
2017-06-19 14:04:07 -05:00
David Maloney
27469f8fac
Land #8582 , Rogdham Hashdump fixes
...
Land's Rogdham's fixes to the Hashdump post module
to support Windows 10!
2017-06-19 13:40:40 -05:00
David Maloney
6d38dffbe1
convert conditionals to case statements
...
just a little tidying up by using case statements
2017-06-19 13:40:00 -05:00
NickTyrer
681f9f37a6
updated check if powershell is available
2017-06-19 08:35:57 +01:00
NickTyrer
096469a8ec
added PROCESS persistence method
2017-06-18 20:42:07 +01:00
Rogdham
a01796d114
Make hashdump module work on Windows 10, fix #7936
2017-06-18 16:35:17 +02:00
L3cr0f
23831e6df9
Upload requested changes
2017-06-18 11:34:58 +02:00
Tim
03116d7933
Land #8543 , add error handling to ARM linux reverse tcp stager
2017-06-18 15:38:16 +08:00
mccurls
8c23769cbc
Updated module to use an instance variable for using HTTP session tokens across functions.
2017-06-18 12:59:34 +10:00
Mzack9999
7fb36edd50
corrected msftidy warnings
2017-06-17 22:58:47 +02:00
Mzack9999
31a5cc94b2
Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-17 22:35:21 +02:00
Rogdham
75fab600c5
Add iteration count to cachedump module, fix #8560
2017-06-17 22:23:41 +02:00
mccurls
19ceb53304
Modified payload handling and uploaded documentation
2017-06-18 02:04:22 +10:00
NickTyrer
6096e373cc
removed whitespace
2017-06-17 10:44:30 +01:00
NickTyrer
85173f36f7
moved exploit method moved to top
...
added logon persistence option
fixed typo
cleaned up formatting
2017-06-17 10:30:38 +01:00
Rogdham
86f5f3f002
Fix AES key length in cachedump module, fix #8525
2017-06-17 11:20:29 +02:00
Brendan Coles
b82051757d
Add SurgeNews User Credentials scanner module
2017-06-17 01:49:47 +00:00
h00die
c9e000e379
add new version
2017-06-16 20:59:19 -04:00
mccurls
07051d1f00
Removed whitespace
2017-06-17 09:59:46 +10:00
mccurls
8eb59eac3f
Stuffed up regex.. left some random $ characters floating around and have now removed them.
2017-06-17 08:03:09 +10:00
mccurls
6363a319d2
Fixed Typo
2017-06-17 07:32:17 +10:00
mccurls
b34bf76fea
Adding GoAutoDial RCE module
2017-06-17 07:22:41 +10:00
William Webb
652e237131
add missing .to_binary_s calls
2017-06-16 13:39:04 -05:00
h00die
f008f2aa8f
working code
2017-06-16 08:24:54 -04:00
h00die
e005e51f05
some edits finished
2017-06-16 06:48:31 -04:00
thesubtlety
49d998f7d9
catch invalid tokens
2017-06-15 21:45:29 -04:00
Brent Cook
53253bfa37
Land #8558 , Fix AMT scanner when parsing mangled HTML
2017-06-15 20:42:33 -05:00
thesubtlety
f4ffade406
add ability to specify API token instead of password
2017-06-15 21:05:53 -04:00
William Vu
5f74da9023
Move php_preamble before $ipaddr and $port
...
php_preamble contains a <?php tag now, so we need to move it to the top.
2017-06-15 19:50:57 -05:00
OJ
c634931f0d
Updated payload cached size after the python3 fix
2017-06-16 09:05:31 +10:00
Tim
9cf9d22bae
fix mmap return cmp
2017-06-16 06:26:40 +08:00
Pearce Barry
9d57197736
Land #8551 , Update processmaker_exec module with workspace support
2017-06-15 17:12:35 -05:00
Brendan Coles
0e38823a8f
Add NNTP Login Utility scanner module
2017-06-15 20:25:40 +00:00
Tod Beardsley
49383f8f3a
Update and fix grammar to the CryptoLog module
...
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
2017-06-15 13:00:44 -05:00
h00die
46ffd250a0
module working and docs
2017-06-14 21:15:56 -04:00
William Vu
549f9e74d8
Fix AMT scanner for mangled HTML (no </p>)
...
Also stores proof using the correct :info for report_vuln (not :proof).
2017-06-14 16:54:32 -05:00
Mehmet Ince
c147779097
Add CVE number to the symantec-messaging-gateway-exec module
2017-06-14 23:07:58 +03:00
James Lee
c1372456e2
Land #8326 , support LLMNR ANY responses
2017-06-14 14:01:44 -05:00
h00die
c35dffc648
first draft of oinkcode
2017-06-14 08:04:17 -04:00
James Lee
55f0edb732
Land #8491 , fixes for service_persistence
2017-06-13 17:17:53 -05:00
Brendan Coles
0766f92013
Add option for workspace
2017-06-13 12:46:36 +00:00
Jeffrey Martin
cbbb57d1a5
Land #8526 , Refactor QNAP and airOS modules for creds
2017-06-12 14:46:11 -05:00
William Vu
a40e7164d8
Refactor QNAP module for traditional creds
2017-06-12 14:41:58 -05:00
William Vu
bb9d1a6768
Land #8507 , Riverbed SteelHead VCX file read
2017-06-12 10:39:48 -05:00
Pearce Barry
704a1218fa
Land #8498 , store more specific credential wordpress_directory_traversal_dos
2017-06-12 10:13:52 -05:00
Pearce Barry
80e91e9de2
Minor fixups.
2017-06-12 09:51:30 -05:00
tkmru
93c4b3fffc
update CacheSize
2017-06-12 01:39:13 +09:00
tkmru
1862900aae
add error handling
2017-06-12 01:36:13 +09:00
tkmru
17d7bb0c64
add label and regster value to comment
2017-06-11 20:38:47 +09:00
h00die
a349eb9a0d
fixes per peer review
2017-06-10 14:29:53 -04:00
Mehmet Ince
6ae540d889
Adding Symantec messaging gateway rce
2017-06-10 12:23:12 +03:00
OJ
c4288fb35a
Update branch to include chances from upstream/master
2017-06-09 17:18:57 +10:00
OJ
a3f3dc0a70
Upload payloads/mettle gems, update cache sizes
...
Updated both the metasploit-payload and metasploit-payload-mettle gems
to the versions that match for the session GUID pull requests. Updated
the payload cached sizes to match the new payloads.
2017-06-09 17:15:52 +10:00
Stephen Shkardoon (ss23)
a968a74ae0
Update ms17_010_eternalblue description and ranking.
...
The module has been noted to cause crashes, reboots, BSOD, etc, on
some systems.
2017-06-09 11:01:48 +12:00
Brent Cook
aa00661fd0
Land #8518 , update CVE references where modules report_vuln
2017-06-08 13:38:12 -05:00
William Vu
3e20296cf5
Add service_details for SSH
2017-06-08 13:28:29 -05:00
William Vu
e22334343e
Use store_valid_credential in my modules
...
I used report_note because using the creds API was a pain in the ass.
2017-06-08 00:57:51 -05:00
OJ
eef82a501d
Add support for session GUIDs in mettle
2017-06-08 11:20:48 +10:00
Harvey Phillips
4278339869
Added multi-file support for torrc and use locate instead of find when searching
2017-06-07 20:08:23 +01:00
bwatters-r7
99fa52e660
Land #8434 , Add Windows 10 Bypassuac fodhelper module
2017-06-07 11:15:01 -05:00
Spencer McIntyre
834e0eba95
Land #8340 , add exception handling for rev_tcp_ssl
2017-06-06 19:09:15 -04:00
Harvey Phillips
71fde14b6c
Linux post module to grab TOR hidden service hostnames and private keys
2017-06-06 22:29:14 +01:00
Harvey Phillips
f557aa3c9c
Linux post module to search for and grab TOR hidden service configurations
2017-06-06 21:59:02 +01:00
Anderson
d641058f75
Added module to exploit ActiveMQ CVE-2016-3088
2017-06-06 11:33:42 -07:00
Jeffrey Martin
b932aae82e
reference typo fix
2017-06-06 11:50:07 -05:00
Brent Cook
bac17a8e80
Land #8053 , Add DC/OS Marathon UI Exploit
2017-06-06 09:29:26 -05:00
NickTyrer
09e4974b99
removed whitespace at end of lines
2017-06-06 14:44:37 +01:00
NickTyrer
1831056010
updated disclosure date
2017-06-06 14:32:19 +01:00
Brent Cook
3ded57e1cd
Land #8516 , add verbose debug to ntds dumper
2017-06-06 07:26:54 -05:00
Brent Cook
0830e4aaa5
Land #8503 , Linux x86 reverse_tcp error handling
2017-06-06 06:36:55 -05:00
OJ
37b9cd07a2
Add support for the session GUID in the UI
...
The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.
2017-06-06 17:15:57 +10:00
Jeffrey Martin
1558db375d
update CVE reference in where modules report_vuln
2017-06-05 16:36:44 -05:00
David Maloney
42aa2e5acf
add some attempts at debugging to ntds
...
add some logging and more status outputs to the
NTDS domain hasdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
bwatters-r7
f47cc1a101
Rubocop readability changes
2017-06-05 14:32:45 -05:00
Pearce Barry
bc3b883758
Add docs, fix typo, add missing report mixin to avoid error.
2017-06-05 13:49:59 -05:00
Brent Cook
a5805a55dc
make this a UDPScanner, rewrite
2017-06-05 12:39:48 -05:00
NickTyrer
994995671e
added wmi_persistence module
2017-06-05 17:44:37 +01:00
Pearce Barry
8c39c92245
Add description and loop capability.
2017-06-05 11:27:13 -05:00
Pearce Barry
a571834c4d
Initial commit of rpcbomb DoS aux module.
...
This just brings the code in as-in, next step is to update to use our mixins and such.
2017-06-05 10:23:39 -05:00
h00die
de86c5d991
add storing creds and loot name consistency
2017-06-04 17:46:43 -04:00
tkmru
737f7452ce
add my name to author
2017-06-04 04:42:45 +09:00
itsmeroy2012
39cee481c1
Making changes similar to the reverse_tcp payload
2017-06-03 22:57:59 +05:30
L3cr0f
6a3fc618a4
Add bypassuac_injection_winsxs.rb module
2017-06-03 12:59:50 +02:00
h00die
ea5db9a039
working module
2017-06-02 23:09:19 -04:00
William Vu
e7fa4c2d06
Land #8504 , print_good for ipmi_dumphashes
2017-06-02 18:49:41 -05:00
tkmru
e175bcda08
update cachedSize
2017-06-03 08:37:18 +09:00
Dylan Davis
34e9b2c04b
Change ipmi_dumphashes to have non-verbose output, ever
2017-06-02 14:27:21 -06:00
Jeffrey Martin
2924318ca5
update java_rmi_server modules with CVE
2017-06-02 12:59:48 -05:00
Jeffrey Martin
d68365d8df
store more specific credential wordpress_directory_traversal_dos
2017-05-31 18:55:35 -05:00
Brendan Coles
218ec96009
Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module
2017-05-31 13:00:35 +00:00
h00die
361cc2dbeb
fix newline issue and service call
2017-05-30 22:37:26 -04:00
h00die
f98b40d038
adds check on service writing before running it
2017-05-30 22:14:49 -04:00
Jeffrey Martin
0e145573fc
more httpClient modules use store_valid_credential
2017-05-30 14:56:05 -05:00
David Maloney
d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor
2017-05-30 13:59:31 -05:00
David Maloney
a5f910ea63
move trans2 conditional to case statement
...
this is cleaner as a case statement
2017-05-30 13:52:29 -05:00
David Maloney
b65c959347
limited port of the trans2 exploit packets
...
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
2017-05-30 13:49:27 -05:00
William Vu
72ff4fbf48
Reword warning message, since it didn't make sense
2017-05-30 13:13:08 -05:00
William Vu
890d35cc30
Fix warning placement to be more helpful
2017-05-30 13:06:23 -05:00
David Maloney
e9ac3fce5a
update credential mode for EB exploit
...
ExternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
2017-05-30 10:55:28 -05:00
wolfthefallen
9c93aae412
Removed self.class from register
2017-05-30 10:07:07 -04:00
wolfthefallen
bac23757a4
Updated based on busterb comments
2017-05-30 09:33:03 -04:00
Brent Cook
beb1cef835
rescue connection failure for netbios, suggest how to fix it
2017-05-30 08:06:39 -05:00
Brent Cook
ea6063138a
Land #8476 , Implement VerifyArch for ETERNALBLUE
2017-05-30 00:31:32 -05:00
Brent Cook
a01a2ead1a
Land #8467 , Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
Brent Cook
28fb5cc7da
spelling
2017-05-30 00:14:33 -05:00
Brent Cook
e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
William Vu
a781480e89
Add error handling to get_once
...
And check for specific ack result/reason for 32-bit.
2017-05-29 22:28:50 -05:00
William Vu
6e253a5be7
Use Rex::Proto::DCERPC::Response
2017-05-29 21:58:03 -05:00
h00die
5698896672
Land #8323 wordpress pre4.6 dos
2017-05-29 07:59:43 -04:00
William Vu
42b14a93b8
Add comments
2017-05-28 23:45:09 -05:00
William Vu
7a2944d113
Implement VerifyArch for ETERNALBLUE
2017-05-28 23:26:59 -05:00
h00die
8d3eebf394
Land #8473 aux admin tool to get scadabr creds from db
2017-05-28 20:09:47 -04:00
Brendan Coles
c811c6a8c0
Add PASS_FILE option
2017-05-28 23:26:51 +00:00
root
72a5142e37
Update directory traversal DoS module and docs
2017-05-29 00:30:23 +02:00
HD Moore
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
Spencer McIntyre
4e29b6e5fd
Land #8275 , add retry opts for py rev_tcp stager
2017-05-28 13:02:35 -04:00
itsmeroy2012
e02d726213
Setting default values to the added options
2017-05-28 14:30:30 +05:30
HD Moore
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
Brendan Coles
8fce94b3cd
Add ScadaBR Credentials Dumper module
2017-05-28 01:24:53 +00:00
HD Moore
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
HD Moore
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
HD Moore
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
HD Moore
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
Brendan Coles
018e544295
Add VICIdial user_authorization Unauthenticated Command Execution module
2017-05-27 05:09:38 +00:00
HD Moore
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
HD Moore
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
HD Moore
eebfd9b7f2
Switch to the mixin-provided SMB share enumeration methods
2017-05-26 17:02:06 -05:00
David Maloney
ee5f37d2f7
remove nt trans raw sock op
...
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
2017-05-26 15:50:18 -05:00
William Webb
d4ba28a20b
Land #8457 , Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
David Maloney
f0f99ad479
nttrans packet setup correctly,everything broken
...
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
root
9b9d2f2345
Final version of configurable depth
2017-05-26 16:23:22 +02:00
root
33ddef9303
Add documentation, add configurable depth path
2017-05-26 16:14:03 +02:00
wchen-r7
162a660d45
Remove the old windows/fileformat/office_word_macro
...
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
wchen-r7
04a701dba5
Check template file extension name
2017-05-26 07:31:34 -05:00
HD Moore
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
Tim
1582d3a902
support i386
2017-05-26 15:55:42 +08:00
wchen-r7
2835c165d7
Land #8390 , Add module to execute powershell on Octopus Deploy server
2017-05-25 17:33:07 -05:00
wchen-r7
330526af72
Update check method
2017-05-25 17:30:58 -05:00
William Vu
ae22b4ccf4
Land #8450 , Samba is_known_pipename() exploit
2017-05-25 16:36:28 -05:00
HD Moore
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
HD Moore
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
HD Moore
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
wchen-r7
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
David Maloney
0b0e2f64ca
update SMB1 "Freehole" packet
...
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
nks
1a8961b5e3
fied typo
2017-05-25 19:14:59 +02:00
David Maloney
bc8ad811aa
remove old anonymous login packet
...
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
David Maloney
238052a18b
use RubySMB client echo
...
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
HD Moore
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
Borja Merino
7077ac0523
Meterpreter Post-exploitation module to mount vmdk files
2017-05-25 11:47:04 +02:00
itsmeroy2012
92a1a3ecf7
Adding for loop instead of while, removing 'counter'
2017-05-25 15:09:34 +05:30
HD Moore
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
David Maloney
4ffe666b52
improve the cred fallback
...
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
David Maloney
4c02b7b13a
added credentialed fallback
...
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
David Maloney
dc67fcd5a8
use RubySMB for anonymous login
...
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
juushya
af4eafdf70
Updated module and doc
2017-05-24 06:33:08 +05:30
William Vu
e4ea618edf
Land #8419 , ETERNALBLUE fixes (round two)
...
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
William Vu
46eb6bdf62
Land #8399 , ETERNALBLUE fixes (round one)
2017-05-23 16:51:19 -05:00
William Vu
f80c3aa3f4
Correct absolute path
2017-05-23 16:50:25 -05:00
bwatters-r7
461649ed34
Land #8378 , Add check in archmigrate to prevent privdesc
2017-05-23 14:37:29 -05:00
Carter
c73e7673b1
Please the rubocop god
2017-05-23 15:13:55 -04:00
Carter
e945773576
Update archmigrate.rb
2017-05-23 14:40:42 -04:00
Matthew Daley
52363aec13
Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
...
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.
Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
Tim
d333077308
osx meterpreter
2017-05-23 14:23:22 +08:00
Jeffrey Martin
b7b1995238
Land #8274 , Wordpress admin upload `check`
2017-05-22 22:08:32 -05:00
Jeffrey Martin
5395d8f17c
update python stageless payload sizes
2017-05-22 18:21:13 -05:00
Jeffrey Martin
d69bfd509f
store the credential using the new store_valid_credential
2017-05-22 15:08:03 -05:00
amaloteaux
93bb47d546
msftidy fix
2017-05-22 19:27:15 +01:00
amaloteaux
092e7b96b8
typo
2017-05-22 17:27:50 +01:00
amaloteaux
74c08cebee
Add bypassuac fodhelper module for Windows 10
2017-05-22 17:25:17 +01:00
William Webb
467f1ce0ca
Land #8411 , Buffer overflow in VXSearch Enterprise v9.5.12
2017-05-22 07:37:31 -05:00
Christian Mehlmauer
b5caeb29dd
only support for 32bit so far
2017-05-22 12:30:52 +02:00
HD Moore
036f063988
Fix a stack trace when no SMB response is received
2017-05-19 16:24:41 -05:00
Pearce Barry
a6f416e8df
Land #8290 , Hwbridge Automotive Fix and Extension Enhancements
2017-05-19 13:46:54 -05:00
lincoln
b76229b5f7
removed unessessary line
2017-05-18 19:15:49 -07:00
lincoln
7ca0fe5a68
Added make_junk function
2017-05-18 19:06:09 -07:00
James Lee
4def7ce6cc
Land #8327 , Simplify storing credentials
2017-05-18 16:49:01 -05:00
Daniel Teixeira
c1624d0967
VX Search Enterprise GET Buffer Overflow
2017-05-18 17:12:47 +01:00
zerosum0x0
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
zerosum0x0
d944bdfab0
expect 0xC00000D
2017-05-17 23:05:20 -06:00
zerosum0x0
646ca14375
basic OS verification, ghetto socket read code
2017-05-17 22:48:45 -06:00
wchen-r7
c0bf2cc6e7
Land #8401 , Buffer Overflow on Sync Breeze Enterprise 9.4.28
2017-05-17 23:39:50 -05:00
wchen-r7
3360171977
Land #8319 , Add exploit module for Mediawiki SyntaxHighlight extension
2017-05-17 23:23:50 -05:00
James Lee
b78749bc1b
Land #8221 , move autoroute
2017-05-17 15:17:45 -05:00
Daniel Teixeira
ad8788cc74
Update syncbreeze_bof.rb
2017-05-17 11:33:24 +01:00
Daniel Teixeira
5329ce56c4
Sync Breeze Enterprise GET Buffer Overflow
2017-05-17 10:53:28 +01:00
lincoln
2f39daafc5
Updated module removing hardcoded binary payload strings
...
-Used only nessessary pointers needed for exploit to work removing junk/filler chars
-Repaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
William Webb
7e2dab4ddc
Land #8303 , Buffer Overflow on Dupscout Enterprise v9.5.14
2017-05-17 01:04:59 -05:00
zerosum0x0
6fb4040d11
add core buffer dump for OS version
2017-05-16 23:18:39 -06:00
William Vu
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
...
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
wchen-r7
11da7c7c81
Land #8394 , Add Moxa Credential Recovery Module
2017-05-16 16:45:22 -05:00
wchen-r7
8025eb573a
Enforce check
...
Because we are not able to get our hands on the hardware for testing,
and that this module may trigger a backtrace if the UDP server isn't
Moxa, we force check to make sure that doesn't happen.
2017-05-16 16:43:22 -05:00
wchen-r7
77a9676efb
Land #8347 , Add Serviio Media Server checkStreamUrl Command Execution
2017-05-16 16:20:39 -05:00
William Vu
6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue
2017-05-16 15:53:34 -05:00
William Vu
e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue
2017-05-16 15:41:16 -05:00
James Lee
e3f4cc0dfd
Land #8345 , WordPress PHPMailer Exim injection
...
CVE-2016-10033
2017-05-16 15:07:21 -05:00
wchen-r7
2d7f7f9aec
Pass msftidy
2017-05-16 15:05:12 -05:00
William Vu
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
wchen-r7
e62fc3e93c
Land #8376 , Add BuilderEngine 3.5 Arbitrary file upload & exec exploit
2017-05-16 14:53:32 -05:00
wchen-r7
631267480d
Update module description
2017-05-16 14:48:46 -05:00
wchen-r7
2ed8ae11b4
Add doc and make minor changes
2017-05-16 14:47:19 -05:00
William Vu
7c1dea2f02
Refactor prestager to work with newer Exim
...
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
William Vu
eff4914240
Land #8381 , ETERNALBLUE exploit (to be continued)
2017-05-16 12:19:45 -05:00
zerosum0x0
53bb5a8440
Update ms17_010_eternalblue.rb
2017-05-16 10:43:43 -06:00
William Vu
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
wchen-r7
20b682b2e4
Land #8391 , fix a typo in vmware_enum_permissions module description
...
orts
2017-05-16 09:33:26 -05:00
Patrick DeSantis
4a0535c2d0
add moxa credential recovery module
2017-05-16 10:21:44 -04:00
William Vu
5fd6cb0890
Remove nil case, since response might be nil
...
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
William Vu
b41427412b
Improve fail_with granularity for 400 error
...
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
h00die
b2f69e9018
spelling
2017-05-15 21:11:19 -04:00
William Vu
1a644cadc4
Add print_good to on_request_uri override
...
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
james-otten
3c4dfee4f5
Module to execute powershell on Octopus Deploy server
...
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.
During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lot's of other interesting data).
Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.
More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
William Vu
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
William Vu
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
William Vu
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
William Vu
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
Carter
5ee570bb9c
Fix non-uniform spelling and capitalization
2017-05-15 08:31:01 -04:00
zerosum0x0
cb4c700e62
fix typo
2017-05-14 21:52:36 -06:00
zerosum0x0
865a36068e
sleep fix and new shellcode
2017-05-14 21:45:19 -06:00
zerosum0x0
e3dcf0ab2d
added docs
2017-05-14 19:22:26 -06:00
zerosum0x0
9634f974dd
fix msftidy
2017-05-14 18:14:02 -06:00
zerosum0x0
fa79339432
eternalblue module
2017-05-14 18:11:41 -06:00
Spencer McIntyre
f39e378496
Land #8330 , fix ps_wmi_exec and psh staging
2017-05-13 14:26:47 -04:00
Carter
ce7b967a13
Update archmigrate.rb
2017-05-13 13:35:48 -04:00
Carter
78b0fb00da
I committed to the wrong branch
2017-05-13 13:35:13 -04:00
Carter
0bd11062e4
Ass SYSTEM check to archmigrate
2017-05-13 13:28:28 -04:00
itsmeroy2012
3a1ed19a42
Making use of StagerRetryConnect
2017-05-13 17:49:53 +05:30
William Vu
c622e3fc22
Deregister URIPATH because it's overridden by Path
2017-05-12 11:56:38 -05:00
William Vu
84af5d071d
Deregister VHOST because it's overridden by Host
2017-05-12 11:44:10 -05:00
Mzack9999
27e1de14b0
BuilderEngine 3.5 Arbitrary file upload and execution exploit
2017-05-12 18:37:08 +02:00
Brent Cook
7bcaaf33c7
Land #8294 , gnome keyring post exploit credential dumper
2017-05-12 10:08:53 -05:00
Brent Cook
e9fcc3c291
msftidy fixes
2017-05-12 10:08:26 -05:00
Brent Cook
7355817329
Land #8371 , Fix msftidy warnings for the WNR2000 module
2017-05-11 22:51:11 -05:00
Brent Cook
123462bdca
Land #8293 , add initial multi-platform railgun support
2017-05-11 22:32:23 -05:00
h00die
af4505a9de
land #8009 post module for jboss creds gather
2017-05-11 22:39:54 -04:00
h00die
285857c23f
remove req msfcore
2017-05-11 22:39:41 -04:00
h00die
6fa51aee8f
moving docs to correct folder
2017-05-11 22:33:00 -04:00
William Vu
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
William Vu
bee36ca90f
Fix edge case
2017-05-11 16:22:21 -05:00
William Vu
68f13808e7
Fix msftidy warnings for the WNR2000 module
2017-05-11 16:16:10 -05:00
William Vu
2ae943d981
Use payload common case instead of general case
...
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
Brent Cook
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
Brent Cook
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
William Webb
e8aed42ecd
Land #8223 , Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
Josh Hale
843f148e62
One more yard doc function
2017-05-10 23:01:03 -05:00
Josh Hale
e84765c1c6
All functions have yard doc like comments
2017-05-10 23:01:03 -05:00
Josh Hale
c5391c2a64
Update cmd print to match core.rb
2017-05-10 23:01:03 -05:00
Josh Hale
10c7c3893a
Add subnet check for Android payloads
2017-05-10 23:01:03 -05:00
Josh Hale
c49bd9ee4e
Add session ready check
2017-05-10 23:01:03 -05:00
Josh Hale
97eaa83114
Update delete all routes
2017-05-10 23:01:03 -05:00
Josh Hale
f670fcddcb
Initial code cleanup and multi compatibility work
2017-05-10 23:01:02 -05:00
Brent Cook
099fc0176a
move autoroute to a more sensible location
2017-05-10 23:01:02 -05:00
Adam Cammack
18d95b6625
Land #8346 , Templatize shims for external modules
2017-05-10 18:15:54 -05:00
William Vu
09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
William Vu
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
William Vu
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
William Vu
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
William Vu
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
William Vu
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
William Vu
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
James Lee
d00685a802
Don't run a DoS during wmap scans
2017-05-10 14:41:24 -05:00
Brendan Coles
42c7d64b28
Update style
2017-05-10 06:37:09 +00:00
Brent Cook
faf01ed5ef
Land #8353 , add aux scanner for Intel AMT digest bypass
2017-05-09 18:45:21 -05:00
James Lee
72388a957f
Land #8355 , IIS ScStoragePathFromUrl
...
See #8162
2017-05-09 11:06:01 -05:00
Christian Mehlmauer
2b4ace9960
convert to "screaming snake"
2017-05-09 09:30:45 +02:00
Brent Cook
cf487cc90c
reverse_ncat_ssl is stable
2017-05-08 17:43:34 -05:00
Brendan Coles
32dafb06af
Replace NoTarget with NotVulnerable
2017-05-08 22:29:44 +00:00
Christian Mehlmauer
f70b402dd9
add comment
2017-05-09 00:17:00 +02:00
Brent Cook
86365c89d1
Land #8352 , style updates for lotus_domino_hashes
2017-05-08 17:11:44 -05:00
Christian Mehlmauer
806963359f
fix fail with condition
2017-05-08 23:47:48 +02:00
Christian Mehlmauer
f62ac6327d
add @rwhitcroft
2017-05-08 23:20:12 +02:00
Christian Mehlmauer
26373798fa
change rank
2017-05-08 23:07:12 +02:00
Christian Mehlmauer
962a31f879
change minimum length
2017-05-08 23:01:17 +02:00
Christian Mehlmauer
7dccb17834
auto extract values and implement brute forcing
2017-05-08 22:47:29 +02:00
Brent Cook
841f63ad20
make office_word_hta backward compat with older Rubies
2017-05-08 15:10:48 -05:00
Christian Mehlmauer
406a7f1ae2
Merge remote-tracking branch 'dmchell/dmchell-cve-2017-7269' into iis2
2017-05-08 21:51:51 +02:00
Brent Cook
fede672a81
further revise templates
2017-05-08 14:26:24 -05:00
HD Moore
f7ff840ef0
Add missing return, thanks bperry!
2017-05-08 14:08:59 -05:00
HD Moore
9392e48b72
Add a scanner for Intel AMT auth bypass (CVE-2017-5689)
2017-05-08 13:24:00 -05:00
Jeffrey Martin
a1efa30fa2
comments adjustments & enum better
2017-05-08 11:57:06 -05:00
William Vu
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
Bryan Chu
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
Pearce Barry
af3f1fbc37
Land #8332 , Canprobe Module
2017-05-07 12:20:27 -05:00
Pearce Barry
c05e7b3b58
Minor corrections and a tweak to appease msftidy.
2017-05-07 11:55:20 -05:00
Pearce Barry
e3d3fa8e45
Tweak internal description formatting.
2017-05-07 11:31:36 -05:00
Pearce Barry
b965bdcdae
Appease msftidy and Travis.
2017-05-07 11:19:32 -05:00
m0t
ab245b5042
added note to description
2017-05-07 13:56:50 +01:00
m0t
4f12a1e271
added note to description
2017-05-07 13:54:28 +01:00
Brendan Coles
635a7a42e6
Update style lotus_domino_hashes
2017-05-07 16:37:48 +10:00
Jeffrey Martin
05bf16e91e
Land #8331 , Adding module CryptoLog Remote Code Execution
2017-05-05 18:24:14 -05:00
Jeffrey Martin
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
Mehmet Ince
720a02f5e2
Addressing Spaces at EOL issue reported by Travis
2017-05-05 11:05:17 +03:00
Brendan Coles
0eacf64324
Add Serviio Media Server checkStreamUrl Command Execution
2017-05-05 07:54:00 +00:00
Mehmet Ince
58d2e818b1
Merging multiple sqli area as a func
2017-05-05 10:49:05 +03:00
Jeffrey Martin
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
Gabriel Follon
a8983c831d
Updated links and authors
2017-05-04 18:25:45 -04:00