Commit Graph

22973 Commits (52f56527d80b1435c85d832f559d967417c6d007)

Author SHA1 Message Date
Ricardo Almeida 219987726f
Orientdb 2.2.x RCE - Changed the CmdStager flavor to VBS script 2017-07-18 17:18:14 +01:00
Ricardo Almeida 5ca523e2ce
Orientdb 2.2.x RCE - Add warning about windows 2017-07-18 17:11:54 +01:00
Ricardo Almeida af0a9c2f86
Orientdb 2.2.x RCE tidy stuff 2017-07-18 17:07:29 +01:00
Ricardo Almeida 99ba645034 Orientdb 2.2.x RCE 2017-07-18 16:53:44 +01:00
Brent Cook f5e76092d6 Merge branch 'master' into land-8439- 2017-07-18 08:25:18 -05:00
bwatters-r7 ba92d42b57 Updated version check per @bcoles 2017-07-17 15:52:50 -05:00
Jon Hart e93e524c3b
Merge branch 'upstream-master' into feature/rdp-scanner 2017-07-17 13:46:59 -07:00
Jon Hart 43e04c8894
Improve RDP probe packet 2017-07-17 13:14:47 -07:00
David Maloney 2a1c661c79
Land #8723, Razr Synapse local exploit
lands ZeroSteiner's Razr Synapse local priv esc module
2017-07-17 13:34:17 -05:00
tkmru 6c5d8279ca change to generate payload from metasm 2017-07-16 19:21:09 +09:00
Spencer McIntyre b4813ce2c7 Update the pre-exploit check conditions 2017-07-15 14:48:54 -04:00
Pearce Barry 9775df1f6e
Land #8586, Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit 2017-07-14 15:20:01 -05:00
David Maloney ee1c87b868
Land #8172, example modules
lands several example modules
2017-07-14 15:17:20 -05:00
Jon Hart e3e5c33b9b
WIP commit of RDP scanner 2017-07-14 13:02:43 -07:00
David Maloney 8f6cac9c37
Land #8652, rpc console write exploit
lands pr for the metasploit rpc console write exploit
2017-07-14 14:47:35 -05:00
David Maloney 0fde6c6b42
Land #8650, igss9 launch path
land pr to fix launch path in the igss9 exploit
2017-07-14 14:39:38 -05:00
Spencer McIntyre 833b2a67d4 Fix the architecture check for only x64 2017-07-14 07:06:54 -04:00
g0tmi1k 4720d1a31e OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
g0tmi1k 9309115627 OCD - Banner clean up 2017-07-14 08:19:50 +01:00
g0tmi1k fd843f364b Removed extra lines 2017-07-14 08:17:16 +01:00
g0tmi1k a79692aac1 Typo 2017-07-14 08:16:30 +01:00
tkmru 5d45680bc1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x86_retry 2017-07-14 13:53:53 +09:00
tkmru f66021c8a2 update CachedSize 2017-07-14 13:53:43 +09:00
g0tmi1k 67310fa96c print_status -> print_good. [When it is successful, show it!] 2017-07-14 00:09:35 +01:00
g0tmi1k 424522147e OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00
bwatters-r7 de230478eb
Land #8566, Add ye olde NNTP Login Utility scanner module 2017-07-13 13:19:34 -05:00
Spencer McIntyre 5470670223 Change the hook for windows 10 compatibility 2017-07-13 11:49:06 -04:00
Jon Hart e52e9c147d
First commit for Cisco Smart Install Scanner 2017-07-12 19:12:06 -07:00
Pearce Barry 59de7d3635
Land #8671, Add a module for CVE-2017-7615 2017-07-12 14:58:02 -05:00
Pearce Barry 580219695a
Oof, missed the parens... 2017-07-12 13:52:59 -05:00
Pearce Barry aa22651340
Few style/spelling tweaks, nothing to see here... 2017-07-12 13:41:20 -05:00
James Barnett e43adf0223
Land #8710, explicitly use Rex::Encoder::XDR
The previous use of XDR in these modules allowed for namespace collisions
with similar gems.
2017-07-12 12:01:24 -05:00
Brent Cook 345407b0a4 Rex::Encoder::XDR conflicts with the XDR gem 2017-07-12 11:52:10 -05:00
Pearce Barry e69460a529
Land #8683, Remove duplicate setting of suhosin.simulation in php_cgi_arg_injection 2017-07-12 09:34:35 -05:00
h00die b7d082fe06
land #8679 update to credits for rfpwnon 2017-07-11 19:36:41 -04:00
William Webb aa0fca9dd1
Land #8631, Add railgun support to Python Meterpreter for the OSX
platform
2017-07-11 16:05:16 -05:00
RageLtMan 5473b2132d Implement :request_url for Msf HttpClient mixin
To round out implementation of a simple path for users to access
HttpClient like Open or Net::HTTP, create :request_url method which
takes a single URL parameter, uses :request_opts_from_url to build
the request configuration for Rex::Proto::Http::Client, executes
a GET request with it, and disconnects the client unless keepalive
is specified as the second parameter to :request_url.

Example usage of functionality is implemented in http_pdf_authors.
2017-07-11 16:07:13 -04:00
Adam Cammack 14b37c2101
Land #8691, Improve php reverse_tcp stager logic 2017-07-11 13:50:27 -05:00
Tim db8698e82b
Land #8655, add error handling to mipsle linux reverse tcp stager 2017-07-11 22:33:54 +08:00
Matt Robinson 55cbd9b6a9
Add headers to php_eval 2017-07-10 21:25:27 -04:00
David Maloney 6d7a066477
fixes oracle_hashdump and jtr_oracle_fast modules
fixes functionality in the oracle database hashdumper
and the oracle hash cracker modules
2017-07-10 16:57:57 -05:00
wchen-r7 50b1ec4044 Fix #8675, Add Cache-Control header, also meta tag for BAP2
Hopefully that browsers will respect this.

Fix #8675
2017-07-10 16:05:09 -05:00
Spencer McIntyre 53d5060fbd Add the LPE for CVE-2017-9769 2017-07-10 16:57:23 -04:00
wchen-r7 fe360e3e2a Fix #8685, Check nil condition for #wordlist_file in jtr modules
JTR modules should never assume there is always a database
connected while using #wordlist_file, considering a database is
an optional component for Framework.

Fix #8685
2017-07-10 11:18:20 -05:00
David Maloney 2ee6df66cf
Land #8514, wmi persistence module 2017-07-10 09:53:55 -05:00
NickTyrer f4c739c190 check if running as system 2017-07-10 10:05:57 +01:00
RageLtMan df697aa23c Implement HttpClient options generation from URL
To address the complexity which comes with the flexibility offered
by Rex::Proto::Http::Client and its Msf mixin descendant, a simple
process needs to be implemented for issuing a request using only
the URL string in order to provide ease of access to users who may
not have the time to study how these clients work in detail.

Implement :request_opts_from_url in Msf's HttpClient mixin such as
to extract the options required for :send_request_* from a URL
string passed into the method. This approach reduces HTTP requests
in the mixin to `send_request_raw(request_opts_from_url(url))` when
`url` is just a string.

Implement this approach in the http_pdf_authors gather module to
further reduce infrastructure complexity around the simple need to
acquire PDF files via HTTP/S.

Testing:
  Local to this module only, and in Pry of course. Seems to work...
2017-07-10 04:19:26 -04:00
RageLtMan 997150a215 Use Msf::Exploit::Remote::HttpClient
Replace Net::HTTP usage with proper Rex::Proto::Http::Client via
the Msf module mixin. Generate the request opts from the same URI
parsed URL string, execute a one shot GET request, disconencting
after reciept of results. Depending on the response code, either
pass back an empty StringIO or if its 200, a StringIO(res.body).
2017-07-10 03:37:41 -04:00
Dave Farrow 653890f9d4
fixed unit tests 2017-07-09 16:08:32 -07:00
Emanuel Bronshtein df024bb594 Remove duplicate setting of suhosin.simulation 2017-07-10 00:46:05 +03:00
jvoisin 263a42707e Fix a typo 2017-07-09 16:34:51 +02:00
jvoisin 8510cda5ae Implement @bcoles advices 2017-07-09 16:34:10 +02:00
Tim 75c571de83
Land #8653, add error handling to mipsbe linux reverse tcp stager 2017-07-09 19:36:15 +08:00
Tim cd0c2c213f pedantic tweaks 2017-07-09 19:36:03 +08:00
Corey Harding 50339289a7 Update rfpwnon.rb 2017-07-09 05:12:35 -04:00
jvoisin f10cf75ae0 Fix some stuff 2017-07-09 10:45:15 +02:00
jvoisin 5fe805aaca s/\t/ /g 2017-07-09 02:29:37 +02:00
jvoisin 968fa0c244 Add even more references 2017-07-09 02:27:54 +02:00
jvoisin ae930ae7c1 Add a module for CVE-2017-7615 2017-07-09 02:14:21 +02:00
Brendan Coles 8e2ff7a4c5 Add command stager and code cleanup 2017-07-07 16:54:56 -05:00
William Vu b3be89b508
Land #8663, typo fix for zoomeye_search 2017-07-07 16:53:48 -05:00
dmohanty-r7 8f464e17a1
Land #8658, Add Gather PDF Authors auxiliary module 2017-07-07 16:20:29 -05:00
MD5HashBrowns e5244f3113 Fixed typo 2017-07-07 15:26:37 -04:00
Brendan Coles 683ce10167 Add URL option 2017-07-07 18:42:00 +00:00
Brent Cook 3bda361544 add old hackingteam leak name 2017-07-07 00:52:11 -05:00
Brent Cook f4820d24fb add a few more AKA references 2017-07-06 22:43:46 -05:00
Brendan Coles d864ce16b1 Add Gather PDF Authors auxiliary module 2017-07-06 23:29:17 +00:00
William Vu f45facdf6e Fix HTTP verb in jboss_vulnscan print_status 2017-07-06 14:55:33 -05:00
tkmru a4a959266b update cachedSize 2017-07-06 17:43:27 +09:00
tkmru ed0b5a843d add error handling bin to reverse_tcp on mipsbe 2017-07-06 17:34:22 +09:00
tkmru 2d8a71de6f tab to space 2017-07-05 18:22:06 +09:00
tkmru 615eb53796 update cachedSize 2017-07-05 18:05:38 +09:00
tkmru d02d6826a9 fix reverse tcp stager src 2017-07-05 17:56:59 +09:00
tkmru d1f08a80bd add error handling to reverse_tcp on mipsbe 2017-07-05 17:50:49 +09:00
Brendan Coles baff473cae Add Metasploit RPC Console Command Execution module 2017-07-05 08:48:35 +00:00
syndrome5 45af651993 Fix issue generate/launch path
Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\
PoC with windows/meterpreter/reverse_tcp
2017-07-04 22:14:32 +02:00
dmohanty-r7 aa387e96a7
Land #8577, Add SurgeNews User Credentials scanner 2017-07-03 10:14:03 -05:00
Roman 38b1e56bbd negated wording regarding legacy auth
According to the docs this variable means the opposite:
https://dev.mysql.com/doc/refman/5.5/en/mysql-command-options.html#option_mysql_secure-auth
OFF     ->      insecure
ON      ->      secure
2017-07-03 14:29:07 +02:00
Brendan Coles dff96ce9a0 Re-order includes with Auxiliary::Scanner last 2017-07-01 08:30:17 +00:00
Pearce Barry a2602bf514
Land #8600, Add GoAutoDial 3.3 RCE Command Injection / SQL injection module 2017-06-30 17:32:51 -05:00
Pearce Barry dd530a2953
Minor indentation tweaks. 2017-06-30 17:29:43 -05:00
Pearce Barry 3d4d03c9b4
Land #8575, Cerberus Helpdesk hash disclosure 2017-06-30 16:02:53 -05:00
Brent Cook 40f0d36f6b
Land #8615, add @artkond's DoS module for Cisco CVE-2017-3881 2017-06-30 11:17:09 -04:00
NickTyrer 994f00622f tidy module output 2017-06-29 16:12:23 +01:00
William Vu 7e1b50ab3b
Land #8629, AKA (also known as) module reference 2017-06-28 19:15:45 -05:00
Brent Cook aa8c580aba updates 2017-06-28 20:14:38 -04:00
Brent Cook d20036e0fb revise spelling, add heartbleed and tidy checks 2017-06-28 18:50:20 -04:00
William Vu 43d8c4c5e7
Land #8519, Apache ActiveMQ file upload exploit 2017-06-28 17:19:39 -05:00
Brent Cook 461ab4501d add 'Also known as', AKA 'AKA', to module references 2017-06-28 15:53:00 -04:00
thesubtlety a87f937634 fix msftidy warning 2017-06-28 11:53:11 -04:00
William Webb 6349026134
Land #8442, Exploit module for Backup Exec Windows Agent UaF 2017-06-28 10:39:28 -05:00
thesubtlety e1ca78e6c6 add option to enable job log parsing 2017-06-27 19:01:12 -04:00
thesubtlety 29c6f41622 add longer timeout for large file systems 2017-06-27 18:38:54 -04:00
Spencer McIntyre 0da9f4d64a Refactor railgun "DLL" references to library 2017-06-27 17:34:06 -04:00
Brent Cook cb82bdc6a9
Land #8607, add error handling to x64 Linux stagers 2017-06-27 03:53:07 -05:00
Brent Cook 0d9f57ad7c add @artkond's DoS module for Cisco CVE-2017-3881
This makes a few improvements, adds module docs.
2017-06-27 01:53:23 -05:00
thesubtlety 10c663dd3e initial commit 2017-06-27 01:37:22 -04:00
William Vu 66161b10c5
Land #8455, post module for mounting VMDKs 2017-06-27 00:35:48 -05:00
William Vu 639f341b21 Clean up module 2017-06-26 15:08:37 -05:00
Brent Cook 05c72214ae
Land #8205, Add Satel SenNet Command Exec Module 2017-06-25 18:01:44 -05:00
Rob Fuller 2918b3af13
Land #8599, Dynamic DNS updater module 2017-06-25 15:08:22 -05:00
Brent Cook 07e7baebb8 sign my name 2017-06-25 14:59:01 -05:00
Brent Cook 7bc0dcea42 add ipv6 support for CHOST 2017-06-25 14:57:15 -05:00
Mzack9999 66eb89e72a Exploit now uses HTTP mixin 2017-06-25 16:38:21 +02:00
tkmru 084b211e9b add x64 stager_sock_reverse src 2017-06-25 16:31:37 +09:00
Brent Cook 269597f994 add initial CHOST support 2017-06-24 18:57:43 -05:00
Brent Cook eee1eff034 improve resolve / add / delete logic 2017-06-24 18:36:01 -05:00
Brent Cook b36d56bed3 handle RXDomain on lookup failure 2017-06-24 18:10:50 -05:00
tkmru 0685cb5ab4 update CacheSize 2017-06-25 06:25:07 +09:00
tkmru 799fcbd9e7 add error handling to x64 reverse tcp stager 2017-06-25 06:22:25 +09:00
NickTyrer bc8de0fc66 fixed issue where starting waitfor.exe would hang the module 2017-06-24 20:54:31 +01:00
NickTyrer aa18598580 updated cleanup method to remove_persistence to prevent creating rc file even if module fails 2017-06-24 19:20:02 +01:00
h00die f9493f46d7 bcole fixes 2017-06-24 14:06:11 -04:00
Brent Cook c8755a3a7a add pre-flight checks, log a lot more info 2017-06-24 12:32:15 -05:00
h00die cc9326d946 bcoles updates and table printing 2017-06-24 13:01:39 -04:00
Brent Cook 8f3c470bb3 make usage more intuitive, remove weird defaults 2017-06-24 11:52:52 -05:00
NickTyrer 655358cdf1 added missing newline in cleanup method 2017-06-23 17:58:11 +01:00
NickTyrer 916a4da182 fixed cleanup method to include all cleanup options 2017-06-23 17:38:48 +01:00
NickTyrer 412ea9432d removed whitespace 2017-06-23 17:17:07 +01:00
NickTyrer e7d6d5350f added WAITFOR persistence method 2017-06-23 17:05:39 +01:00
Mzack9999 a8865252da Added exploit documentation 2017-06-23 14:12:04 +02:00
OJ 5588d0f7b2
Update payload cached sizes 2017-06-23 13:45:04 +10:00
Brent Cook fda2e8c73d
Land #8523, Add support for session GUIDs 2017-06-22 20:10:10 -05:00
dmohanty-r7 18410d8230
Land #8540, Add Symantec Messaging Gateway RCE 2017-06-22 19:00:32 -05:00
Brent Cook 24c43b1822 reregister rhost 2017-06-22 18:33:19 -05:00
Brent Cook ca813e7a5c fix message formatting 2017-06-22 18:21:33 -05:00
Brent Cook 823260cc04 fix error message 2017-06-22 18:11:07 -05:00
Brent Cook 3cf722a45d use correct preqrequisites 2017-06-22 18:08:20 -05:00
Brent Cook 5e48a11e60 handle specific exceptions, update docs 2017-06-22 18:01:52 -05:00
Brent Cook 6a261b172f move from scanner to admin 2017-06-22 17:47:04 -05:00
Brent Cook 125d14f81e simplify module, add AAAA support 2017-06-22 17:44:55 -05:00
KINGSABRI b618e5ca6f Add more exception handling, fix tidy rules 2017-06-22 15:55:04 -05:00
KINGSABRI ce124e6090 Add CNAME record 2017-06-22 15:55:04 -05:00
KINGSABRI 5528084e27 add Dnsruby 2017-06-22 15:55:04 -05:00
KINGSABRI 2410a3232f Adding DNS Server Dynamic Update Record Injection module 2017-06-22 15:41:25 -05:00
Brent Cook 4fdd77f19a
Land #8051, Add Netgear DGN2200v1/v2/v3/v4 Command Injection Module 2017-06-22 11:46:40 -05:00
Brent Cook a4e8cdfa6e msftidy fixes 2017-06-22 11:44:40 -05:00
Brent Cook 3b248c78f3 resurrect old example modules, integrate into module tree 2017-06-22 11:36:35 -05:00
William Webb 02e4edc4cb
Land #8579, Easy File Sharing HTTP Server 7.2 - Post Overflow exploit 2017-06-22 10:56:41 -05:00
William Webb 47a659f554
Land #8185, Convert ntp modules to bindata 2017-06-22 09:37:58 -05:00
Jin Qian b51fc0a34e
Land #8489, more httpClient modules use store_valid_credential 2017-06-21 17:18:34 -05:00
Jeffrey Martin 99fb905bbd
fix typo 2017-06-21 16:52:09 -05:00
William Vu ceba4e6d61 Add pointer to CDX API 2017-06-21 12:34:40 -05:00
William Vu c12056d242 Fix enum_wayback using CDX API 2017-06-21 12:29:15 -05:00
NickTyrer 24404ae40f added heredoc to tidy formatting
changed USER persistence method to EVENT to better describe technique
removed "auditpol.exe /set /subcategory:Logon /failure:Enable" command from subscription_event method to be more opsec safe
added CUSTOM_PS_COMMAND advanced option
updated description to reflect changes
2017-06-21 18:15:13 +01:00
Pearce Barry 24d9bec0ae
Land #8260, OpManager Version Check 2017-06-20 17:58:10 -05:00
Pearce Barry 241786e71f
Update description with tested versions. 2017-06-20 15:32:08 -05:00
Pearce Barry 14f0409c6c
Missing regex '+', readding so we get full API key. 2017-06-20 15:28:15 -05:00
Pearce Barry b02719e795
Attempt to appease Travis... 2017-06-20 11:36:08 -05:00
Mzack9999 c7a55ef92f Added exploit documentation 2017-06-20 09:03:40 +02:00
Mzack9999 af4eb0fbe3 Corrected shellcode 2017-06-20 00:55:18 +02:00
Mzack9999 0b04dc0584 Correct EDB Number 2017-06-20 00:52:29 +02:00
Pearce Barry 3cd28b28e2
Land #8569, Add ability to specify API token instead of password 2017-06-19 17:42:35 -05:00
Mzack9999 bc826cb824 Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-20 00:36:59 +02:00
Pearce Barry 58cd432120
Added docs, minor code tweak to remove duplication. 2017-06-19 17:35:41 -05:00
David Maloney 722d9a278c
Land #8580, cachedump iteration count fix
lands rogdham's fixes for the ms cache dump post module
2017-06-19 14:04:07 -05:00
David Maloney 27469f8fac
Land #8582, Rogdham Hashdump fixes
Land's Rogdham's fixes to the Hashdump post module
to support Windows 10!
2017-06-19 13:40:40 -05:00
David Maloney 6d38dffbe1
convert conditionals to case statements
just a little tidying up by using case statements
2017-06-19 13:40:00 -05:00
NickTyrer 681f9f37a6 updated check if powershell is available 2017-06-19 08:35:57 +01:00
NickTyrer 096469a8ec added PROCESS persistence method 2017-06-18 20:42:07 +01:00
Rogdham a01796d114 Make hashdump module work on Windows 10, fix #7936 2017-06-18 16:35:17 +02:00
L3cr0f 23831e6df9 Upload requested changes 2017-06-18 11:34:58 +02:00
Tim 03116d7933
Land #8543, add error handling to ARM linux reverse tcp stager 2017-06-18 15:38:16 +08:00
mccurls 8c23769cbc Updated module to use an instance variable for using HTTP session tokens across functions. 2017-06-18 12:59:34 +10:00
Mzack9999 7fb36edd50 corrected msftidy warnings 2017-06-17 22:58:47 +02:00
Mzack9999 31a5cc94b2 Easy File Sharing HTTP Server 7.2 - Post Overflow exploit 2017-06-17 22:35:21 +02:00
Rogdham 75fab600c5 Add iteration count to cachedump module, fix #8560 2017-06-17 22:23:41 +02:00
mccurls 19ceb53304 Modified payload handling and uploaded documentation 2017-06-18 02:04:22 +10:00
NickTyrer 6096e373cc removed whitespace 2017-06-17 10:44:30 +01:00
NickTyrer 85173f36f7 moved exploit method moved to top
added logon persistence option
fixed typo
cleaned up formatting
2017-06-17 10:30:38 +01:00
Rogdham 86f5f3f002 Fix AES key length in cachedump module, fix #8525 2017-06-17 11:20:29 +02:00
Brendan Coles b82051757d Add SurgeNews User Credentials scanner module 2017-06-17 01:49:47 +00:00
h00die c9e000e379 add new version 2017-06-16 20:59:19 -04:00
mccurls 07051d1f00 Removed whitespace 2017-06-17 09:59:46 +10:00
mccurls 8eb59eac3f Stuffed up regex.. left some random $ characters floating around and have now removed them. 2017-06-17 08:03:09 +10:00
mccurls 6363a319d2 Fixed Typo 2017-06-17 07:32:17 +10:00
mccurls b34bf76fea Adding GoAutoDial RCE module 2017-06-17 07:22:41 +10:00
William Webb 652e237131
add missing .to_binary_s calls 2017-06-16 13:39:04 -05:00
h00die f008f2aa8f working code 2017-06-16 08:24:54 -04:00
h00die e005e51f05 some edits finished 2017-06-16 06:48:31 -04:00
thesubtlety 49d998f7d9 catch invalid tokens 2017-06-15 21:45:29 -04:00
Brent Cook 53253bfa37
Land #8558, Fix AMT scanner when parsing mangled HTML 2017-06-15 20:42:33 -05:00
thesubtlety f4ffade406 add ability to specify API token instead of password 2017-06-15 21:05:53 -04:00
William Vu 5f74da9023 Move php_preamble before $ipaddr and $port
php_preamble contains a <?php tag now, so we need to move it to the top.
2017-06-15 19:50:57 -05:00
OJ c634931f0d
Updated payload cached size after the python3 fix 2017-06-16 09:05:31 +10:00
Tim 9cf9d22bae fix mmap return cmp 2017-06-16 06:26:40 +08:00
Pearce Barry 9d57197736
Land #8551, Update processmaker_exec module with workspace support 2017-06-15 17:12:35 -05:00
Brendan Coles 0e38823a8f Add NNTP Login Utility scanner module 2017-06-15 20:25:40 +00:00
Tod Beardsley 49383f8f3a Update and fix grammar to the CryptoLog module
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
2017-06-15 13:00:44 -05:00
h00die 46ffd250a0 module working and docs 2017-06-14 21:15:56 -04:00
William Vu 549f9e74d8 Fix AMT scanner for mangled HTML (no </p>)
Also stores proof using the correct :info for report_vuln (not :proof).
2017-06-14 16:54:32 -05:00
Mehmet Ince c147779097
Add CVE number to the symantec-messaging-gateway-exec module 2017-06-14 23:07:58 +03:00
James Lee c1372456e2
Land #8326, support LLMNR ANY responses 2017-06-14 14:01:44 -05:00
h00die c35dffc648 first draft of oinkcode 2017-06-14 08:04:17 -04:00
James Lee 55f0edb732
Land #8491, fixes for service_persistence 2017-06-13 17:17:53 -05:00
Brendan Coles 0766f92013 Add option for workspace 2017-06-13 12:46:36 +00:00
Jeffrey Martin cbbb57d1a5
Land #8526, Refactor QNAP and airOS modules for creds 2017-06-12 14:46:11 -05:00
William Vu a40e7164d8 Refactor QNAP module for traditional creds 2017-06-12 14:41:58 -05:00
William Vu bb9d1a6768
Land #8507, Riverbed SteelHead VCX file read 2017-06-12 10:39:48 -05:00
Pearce Barry 704a1218fa
Land #8498, store more specific credential wordpress_directory_traversal_dos 2017-06-12 10:13:52 -05:00
Pearce Barry 80e91e9de2
Minor fixups. 2017-06-12 09:51:30 -05:00
tkmru 93c4b3fffc update CacheSize 2017-06-12 01:39:13 +09:00
tkmru 1862900aae add error handling 2017-06-12 01:36:13 +09:00
tkmru 17d7bb0c64 add label and regster value to comment 2017-06-11 20:38:47 +09:00
h00die a349eb9a0d fixes per peer review 2017-06-10 14:29:53 -04:00
Mehmet Ince 6ae540d889
Adding Symantec messaging gateway rce 2017-06-10 12:23:12 +03:00
OJ c4288fb35a
Update branch to include chances from upstream/master 2017-06-09 17:18:57 +10:00
OJ a3f3dc0a70
Upload payloads/mettle gems, update cache sizes
Updated both the metasploit-payload and metasploit-payload-mettle gems
to the versions that match for the session GUID pull requests. Updated
the payload cached sizes to match the new payloads.
2017-06-09 17:15:52 +10:00
Stephen Shkardoon (ss23) a968a74ae0
Update ms17_010_eternalblue description and ranking.
The module has been noted to cause crashes, reboots, BSOD, etc, on
some systems.
2017-06-09 11:01:48 +12:00
Brent Cook aa00661fd0
Land #8518, update CVE references where modules report_vuln 2017-06-08 13:38:12 -05:00
William Vu 3e20296cf5 Add service_details for SSH 2017-06-08 13:28:29 -05:00
William Vu e22334343e Use store_valid_credential in my modules
I used report_note because using the creds API was a pain in the ass.
2017-06-08 00:57:51 -05:00
OJ eef82a501d
Add support for session GUIDs in mettle 2017-06-08 11:20:48 +10:00
Harvey Phillips 4278339869
Added multi-file support for torrc and use locate instead of find when searching 2017-06-07 20:08:23 +01:00
bwatters-r7 99fa52e660
Land #8434, Add Windows 10 Bypassuac fodhelper module 2017-06-07 11:15:01 -05:00
Spencer McIntyre 834e0eba95
Land #8340, add exception handling for rev_tcp_ssl 2017-06-06 19:09:15 -04:00
Harvey Phillips 71fde14b6c Linux post module to grab TOR hidden service hostnames and private keys 2017-06-06 22:29:14 +01:00
Harvey Phillips f557aa3c9c
Linux post module to search for and grab TOR hidden service configurations 2017-06-06 21:59:02 +01:00
Anderson d641058f75 Added module to exploit ActiveMQ CVE-2016-3088 2017-06-06 11:33:42 -07:00
Jeffrey Martin b932aae82e
reference typo fix 2017-06-06 11:50:07 -05:00
Brent Cook bac17a8e80
Land #8053, Add DC/OS Marathon UI Exploit 2017-06-06 09:29:26 -05:00
NickTyrer 09e4974b99 removed whitespace at end of lines 2017-06-06 14:44:37 +01:00
NickTyrer 1831056010 updated disclosure date 2017-06-06 14:32:19 +01:00
Brent Cook 3ded57e1cd
Land #8516, add verbose debug to ntds dumper 2017-06-06 07:26:54 -05:00
Brent Cook 0830e4aaa5
Land #8503, Linux x86 reverse_tcp error handling 2017-06-06 06:36:55 -05:00
OJ 37b9cd07a2
Add support for the session GUID in the UI
The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.
2017-06-06 17:15:57 +10:00
Jeffrey Martin 1558db375d
update CVE reference in where modules report_vuln 2017-06-05 16:36:44 -05:00
David Maloney 42aa2e5acf
add some attempts at debugging to ntds
add some logging and more status outputs to the
NTDS domain hasdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
bwatters-r7 f47cc1a101 Rubocop readability changes 2017-06-05 14:32:45 -05:00
Pearce Barry bc3b883758
Add docs, fix typo, add missing report mixin to avoid error. 2017-06-05 13:49:59 -05:00
Brent Cook a5805a55dc
make this a UDPScanner, rewrite 2017-06-05 12:39:48 -05:00
NickTyrer 994995671e added wmi_persistence module 2017-06-05 17:44:37 +01:00
Pearce Barry 8c39c92245
Add description and loop capability. 2017-06-05 11:27:13 -05:00
Pearce Barry a571834c4d
Initial commit of rpcbomb DoS aux module.
This just brings the code in as-in, next step is to update to use our mixins and such.
2017-06-05 10:23:39 -05:00
h00die de86c5d991 add storing creds and loot name consistency 2017-06-04 17:46:43 -04:00
tkmru 737f7452ce add my name to author 2017-06-04 04:42:45 +09:00
itsmeroy2012 39cee481c1 Making changes similar to the reverse_tcp payload 2017-06-03 22:57:59 +05:30
L3cr0f 6a3fc618a4 Add bypassuac_injection_winsxs.rb module 2017-06-03 12:59:50 +02:00
h00die ea5db9a039 working module 2017-06-02 23:09:19 -04:00
William Vu e7fa4c2d06
Land #8504, print_good for ipmi_dumphashes 2017-06-02 18:49:41 -05:00
tkmru e175bcda08 update cachedSize 2017-06-03 08:37:18 +09:00
Dylan Davis 34e9b2c04b Change ipmi_dumphashes to have non-verbose output, ever 2017-06-02 14:27:21 -06:00
Jeffrey Martin 2924318ca5
update java_rmi_server modules with CVE 2017-06-02 12:59:48 -05:00
Jeffrey Martin d68365d8df
store more specific credential wordpress_directory_traversal_dos 2017-05-31 18:55:35 -05:00
Brendan Coles 218ec96009 Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module 2017-05-31 13:00:35 +00:00
h00die 361cc2dbeb fix newline issue and service call 2017-05-30 22:37:26 -04:00
h00die f98b40d038 adds check on service writing before running it 2017-05-30 22:14:49 -04:00
Jeffrey Martin 0e145573fc
more httpClient modules use store_valid_credential 2017-05-30 14:56:05 -05:00
David Maloney d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor 2017-05-30 13:59:31 -05:00
David Maloney a5f910ea63
move trans2 conditional to case statement
this is cleaner as a case statement
2017-05-30 13:52:29 -05:00
David Maloney b65c959347
limited port of the trans2 exploit packets
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
2017-05-30 13:49:27 -05:00
William Vu 72ff4fbf48 Reword warning message, since it didn't make sense 2017-05-30 13:13:08 -05:00
William Vu 890d35cc30 Fix warning placement to be more helpful 2017-05-30 13:06:23 -05:00
David Maloney e9ac3fce5a
update credential mode for EB exploit
ExternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
2017-05-30 10:55:28 -05:00
wolfthefallen 9c93aae412 Removed self.class from register 2017-05-30 10:07:07 -04:00
wolfthefallen bac23757a4 Updated based on busterb comments 2017-05-30 09:33:03 -04:00
Brent Cook beb1cef835 rescue connection failure for netbios, suggest how to fix it 2017-05-30 08:06:39 -05:00
Brent Cook ea6063138a
Land #8476, Implement VerifyArch for ETERNALBLUE 2017-05-30 00:31:32 -05:00
Brent Cook a01a2ead1a
Land #8467, Samba CVE-2017-7494 Improvements 2017-05-30 00:15:03 -05:00
Brent Cook 28fb5cc7da spelling 2017-05-30 00:14:33 -05:00
Brent Cook e31e3fc545 add additional architectures and targets 2017-05-30 00:07:37 -05:00
William Vu a781480e89 Add error handling to get_once
And check for specific ack result/reason for 32-bit.
2017-05-29 22:28:50 -05:00
William Vu 6e253a5be7 Use Rex::Proto::DCERPC::Response 2017-05-29 21:58:03 -05:00
h00die 5698896672
Land #8323 wordpress pre4.6 dos 2017-05-29 07:59:43 -04:00
William Vu 42b14a93b8 Add comments 2017-05-28 23:45:09 -05:00
William Vu 7a2944d113 Implement VerifyArch for ETERNALBLUE 2017-05-28 23:26:59 -05:00
h00die 8d3eebf394
Land #8473 aux admin tool to get scadabr creds from db 2017-05-28 20:09:47 -04:00
Brendan Coles c811c6a8c0 Add PASS_FILE option 2017-05-28 23:26:51 +00:00
root 72a5142e37 Update directory traversal DoS module and docs 2017-05-29 00:30:23 +02:00
HD Moore 66f06cd4e3 Fix small typos in comments 2017-05-28 14:40:33 -05:00
Spencer McIntyre 4e29b6e5fd
Land #8275, add retry opts for py rev_tcp stager 2017-05-28 13:02:35 -04:00
itsmeroy2012 e02d726213 Setting default values to the added options 2017-05-28 14:30:30 +05:30
HD Moore 965915eb19 Fix typo, thanks! 2017-05-27 22:22:34 -05:00
Brendan Coles 8fce94b3cd Add ScadaBR Credentials Dumper module 2017-05-28 01:24:53 +00:00
HD Moore 38491fd7ba Rename payloads with os+libc, shrink array inits 2017-05-27 19:50:31 -05:00
HD Moore f9ecdf2b4d Add some bonus archs for interact mode 2017-05-27 17:26:50 -05:00
HD Moore 41253ab32b Make msftidy happy 2017-05-27 17:17:20 -05:00
HD Moore 184c8f50f1 Rework the Samba exploit & payload model to be magic. 2017-05-27 17:03:01 -05:00
Brendan Coles 018e544295 Add VICIdial user_authorization Unauthenticated Command Execution module 2017-05-27 05:09:38 +00:00
HD Moore 78d649232b Remove obsolete module options 2017-05-26 21:21:05 -05:00
HD Moore 123a03fd21 Detect server-side path, work on Samba 3.x and 4.x 2017-05-26 17:02:18 -05:00
HD Moore eebfd9b7f2 Switch to the mixin-provided SMB share enumeration methods 2017-05-26 17:02:06 -05:00
David Maloney ee5f37d2f7
remove nt trans raw sock op
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
2017-05-26 15:50:18 -05:00
William Webb d4ba28a20b
Land #8457, Update multi/fileformat/office_word_macro to allow custom templates 2017-05-26 15:09:23 -05:00
David Maloney f0f99ad479
nttrans packet setup correctly,everything broken
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
root 9b9d2f2345 Final version of configurable depth 2017-05-26 16:23:22 +02:00
root 33ddef9303 Add documentation, add configurable depth path 2017-05-26 16:14:03 +02:00
wchen-r7 162a660d45 Remove the old windows/fileformat/office_word_macro
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.

If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
wchen-r7 04a701dba5 Check template file extension name 2017-05-26 07:31:34 -05:00
HD Moore 072ab7291c Add /tank (from ryan-c) to search path 2017-05-26 06:56:41 -05:00
Tim 1582d3a902 support i386 2017-05-26 15:55:42 +08:00
wchen-r7 2835c165d7 Land #8390, Add module to execute powershell on Octopus Deploy server 2017-05-25 17:33:07 -05:00
wchen-r7 330526af72 Update check method 2017-05-25 17:30:58 -05:00
William Vu ae22b4ccf4
Land #8450, Samba is_known_pipename() exploit 2017-05-25 16:36:28 -05:00
HD Moore 1474faf909 Remove ARMLE for now, will re-PR once functional 2017-05-25 16:14:35 -05:00
HD Moore 2ad386948f Small cosmetic typo 2017-05-25 16:10:37 -05:00
HD Moore 18a871d6a4 Delete the .so, add PID bruteforce option, cleanup 2017-05-25 16:03:14 -05:00
wchen-r7 ee13195760 Update office_word_macro exploit to support template injection 2017-05-25 15:53:45 -05:00
David Maloney 0b0e2f64ca
update SMB1 "Freehole" packet
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
nks 1a8961b5e3 fied typo 2017-05-25 19:14:59 +02:00
David Maloney bc8ad811aa
remove old anonymous login packet
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
David Maloney 238052a18b
use RubySMB client echo
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
HD Moore cf7cfa9b2c Add check() implementation based on bcoles notes 2017-05-25 09:49:45 -05:00
Borja Merino 7077ac0523 Meterpreter Post-exploitation module to mount vmdk files 2017-05-25 11:47:04 +02:00
itsmeroy2012 92a1a3ecf7 Adding for loop instead of while, removing 'counter' 2017-05-25 15:09:34 +05:30
HD Moore 0520d7cf76 First crack at Samba CVE-2017-7494 2017-05-24 19:42:04 -05:00
David Maloney 4ffe666b52
improve the cred fallback
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
David Maloney 4c02b7b13a
added credentialed fallback
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
David Maloney dc67fcd5a8
use RubySMB for anonymous login
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
juushya af4eafdf70 Updated module and doc 2017-05-24 06:33:08 +05:30
William Vu e4ea618edf
Land #8419, ETERNALBLUE fixes (round two)
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
William Vu 46eb6bdf62
Land #8399, ETERNALBLUE fixes (round one) 2017-05-23 16:51:19 -05:00
William Vu f80c3aa3f4 Correct absolute path 2017-05-23 16:50:25 -05:00
bwatters-r7 461649ed34
Land #8378, Add check in archmigrate to prevent privdesc 2017-05-23 14:37:29 -05:00
Carter c73e7673b1 Please the rubocop god 2017-05-23 15:13:55 -04:00
Carter e945773576 Update archmigrate.rb 2017-05-23 14:40:42 -04:00
Matthew Daley 52363aec13 Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.

Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
Tim d333077308 osx meterpreter 2017-05-23 14:23:22 +08:00
Jeffrey Martin b7b1995238
Land #8274, Wordpress admin upload `check` 2017-05-22 22:08:32 -05:00
Jeffrey Martin 5395d8f17c
update python stageless payload sizes 2017-05-22 18:21:13 -05:00
Jeffrey Martin d69bfd509f
store the credential using the new store_valid_credential 2017-05-22 15:08:03 -05:00
amaloteaux 93bb47d546 msftidy fix 2017-05-22 19:27:15 +01:00
amaloteaux 092e7b96b8 typo 2017-05-22 17:27:50 +01:00
amaloteaux 74c08cebee Add bypassuac fodhelper module for Windows 10 2017-05-22 17:25:17 +01:00
William Webb 467f1ce0ca
Land #8411, Buffer overflow in VXSearch Enterprise v9.5.12 2017-05-22 07:37:31 -05:00
Christian Mehlmauer b5caeb29dd
only support for 32bit so far 2017-05-22 12:30:52 +02:00
HD Moore 036f063988 Fix a stack trace when no SMB response is received 2017-05-19 16:24:41 -05:00
Pearce Barry a6f416e8df
Land #8290, Hwbridge Automotive Fix and Extension Enhancements 2017-05-19 13:46:54 -05:00
lincoln b76229b5f7 removed unessessary line 2017-05-18 19:15:49 -07:00
lincoln 7ca0fe5a68 Added make_junk function 2017-05-18 19:06:09 -07:00
James Lee 4def7ce6cc
Land #8327, Simplify storing credentials 2017-05-18 16:49:01 -05:00
Daniel Teixeira c1624d0967 VX Search Enterprise GET Buffer Overflow 2017-05-18 17:12:47 +01:00
zerosum0x0 bdf121e1c0 x86 kernels will safely ret instead of BSOD 2017-05-17 23:48:14 -06:00
zerosum0x0 d944bdfab0 expect 0xC00000D 2017-05-17 23:05:20 -06:00
zerosum0x0 646ca14375 basic OS verification, ghetto socket read code 2017-05-17 22:48:45 -06:00
wchen-r7 c0bf2cc6e7 Land #8401, Buffer Overflow on Sync Breeze Enterprise 9.4.28 2017-05-17 23:39:50 -05:00
wchen-r7 3360171977 Land #8319, Add exploit module for Mediawiki SyntaxHighlight extension 2017-05-17 23:23:50 -05:00
James Lee b78749bc1b
Land #8221, move autoroute 2017-05-17 15:17:45 -05:00
Daniel Teixeira ad8788cc74 Update syncbreeze_bof.rb 2017-05-17 11:33:24 +01:00
Daniel Teixeira 5329ce56c4 Sync Breeze Enterprise GET Buffer Overflow 2017-05-17 10:53:28 +01:00
lincoln 2f39daafc5 Updated module removing hardcoded binary payload strings
-Used only nessessary pointers needed for exploit to work removing junk/filler chars
-Repaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
William Webb 7e2dab4ddc
Land #8303, Buffer Overflow on Dupscout Enterprise v9.5.14 2017-05-17 01:04:59 -05:00
zerosum0x0 6fb4040d11 add core buffer dump for OS version 2017-05-16 23:18:39 -06:00
William Vu 1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
wchen-r7 11da7c7c81 Land #8394, Add Moxa Credential Recovery Module 2017-05-16 16:45:22 -05:00
wchen-r7 8025eb573a Enforce check
Because we are not able to get our hands on the hardware for testing,
and that this module may trigger a backtrace if the UDP server isn't
Moxa, we force check to make sure that doesn't happen.
2017-05-16 16:43:22 -05:00
wchen-r7 77a9676efb Land #8347, Add Serviio Media Server checkStreamUrl Command Execution 2017-05-16 16:20:39 -05:00
William Vu 6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue 2017-05-16 15:53:34 -05:00
William Vu e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue 2017-05-16 15:41:16 -05:00
James Lee e3f4cc0dfd
Land #8345, WordPress PHPMailer Exim injection
CVE-2016-10033
2017-05-16 15:07:21 -05:00
wchen-r7 2d7f7f9aec Pass msftidy 2017-05-16 15:05:12 -05:00
William Vu 29b7aa5b9b Update fail_with for 200 (bad user?) 2017-05-16 15:03:42 -05:00
wchen-r7 e62fc3e93c Land #8376, Add BuilderEngine 3.5 Arbitrary file upload & exec exploit 2017-05-16 14:53:32 -05:00
wchen-r7 631267480d Update module description 2017-05-16 14:48:46 -05:00
wchen-r7 2ed8ae11b4 Add doc and make minor changes 2017-05-16 14:47:19 -05:00
William Vu 7c1dea2f02 Refactor prestager to work with newer Exim
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
William Vu eff4914240
Land #8381, ETERNALBLUE exploit (to be continued) 2017-05-16 12:19:45 -05:00
zerosum0x0 53bb5a8440 Update ms17_010_eternalblue.rb 2017-05-16 10:43:43 -06:00
William Vu 7c2fb9acc1 Fix nil bug in Server header check 2017-05-16 10:43:04 -05:00
wchen-r7 20b682b2e4 Land #8391, fix a typo in vmware_enum_permissions module description
orts
2017-05-16 09:33:26 -05:00
Patrick DeSantis 4a0535c2d0 add moxa credential recovery module 2017-05-16 10:21:44 -04:00
William Vu 5fd6cb0890 Remove nil case, since response might be nil
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
William Vu b41427412b Improve fail_with granularity for 400 error
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
h00die b2f69e9018 spelling 2017-05-15 21:11:19 -04:00
William Vu 1a644cadc4 Add print_good to on_request_uri override
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
james-otten 3c4dfee4f5 Module to execute powershell on Octopus Deploy server
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.

During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lot's of other interesting data).

Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.

More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
William Vu c4c55be444 Clarify why we're getting 400 and add fail_with 2017-05-15 18:53:36 -05:00
William Vu 489d9a6032 Drop module to AverageRanking and note 400 error 2017-05-15 17:35:40 -05:00
William Vu 2055bf8f65 Add note about PHPMailer being bundled 2017-05-15 14:29:11 -05:00
William Vu 35670713ff Remove budding anti-patterns to avoid copypasta
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
Carter 5ee570bb9c Fix non-uniform spelling and capitalization 2017-05-15 08:31:01 -04:00
zerosum0x0 cb4c700e62 fix typo 2017-05-14 21:52:36 -06:00
zerosum0x0 865a36068e sleep fix and new shellcode 2017-05-14 21:45:19 -06:00
zerosum0x0 e3dcf0ab2d added docs 2017-05-14 19:22:26 -06:00
zerosum0x0 9634f974dd fix msftidy 2017-05-14 18:14:02 -06:00
zerosum0x0 fa79339432 eternalblue module 2017-05-14 18:11:41 -06:00
Spencer McIntyre f39e378496
Land #8330, fix ps_wmi_exec and psh staging 2017-05-13 14:26:47 -04:00
Carter ce7b967a13 Update archmigrate.rb 2017-05-13 13:35:48 -04:00
Carter 78b0fb00da I committed to the wrong branch 2017-05-13 13:35:13 -04:00
Carter 0bd11062e4 Ass SYSTEM check to archmigrate 2017-05-13 13:28:28 -04:00
itsmeroy2012 3a1ed19a42 Making use of StagerRetryConnect 2017-05-13 17:49:53 +05:30
William Vu c622e3fc22 Deregister URIPATH because it's overridden by Path 2017-05-12 11:56:38 -05:00
William Vu 84af5d071d Deregister VHOST because it's overridden by Host 2017-05-12 11:44:10 -05:00
Mzack9999 27e1de14b0 BuilderEngine 3.5 Arbitrary file upload and execution exploit 2017-05-12 18:37:08 +02:00
Brent Cook 7bcaaf33c7
Land #8294, gnome keyring post exploit credential dumper 2017-05-12 10:08:53 -05:00
Brent Cook e9fcc3c291 msftidy fixes 2017-05-12 10:08:26 -05:00
Brent Cook 7355817329
Land #8371, Fix msftidy warnings for the WNR2000 module 2017-05-11 22:51:11 -05:00
Brent Cook 123462bdca
Land #8293, add initial multi-platform railgun support 2017-05-11 22:32:23 -05:00
h00die af4505a9de
land #8009 post module for jboss creds gather 2017-05-11 22:39:54 -04:00
h00die 285857c23f remove req msfcore 2017-05-11 22:39:41 -04:00
h00die 6fa51aee8f moving docs to correct folder 2017-05-11 22:33:00 -04:00
William Vu 231510051c Fix uri_str for exploit 2017-05-11 16:30:10 -05:00
William Vu bee36ca90f Fix edge case 2017-05-11 16:22:21 -05:00
William Vu 68f13808e7 Fix msftidy warnings for the WNR2000 module 2017-05-11 16:16:10 -05:00
William Vu 2ae943d981 Use payload common case instead of general case
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
Brent Cook e414bdb876 don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules 2017-05-11 15:19:11 -05:00
Brent Cook 30c48deeab msftidy and misc. fixups for Quest BoF module 2017-05-11 08:07:39 -05:00
William Webb e8aed42ecd
Land #8223, Quest Privilege Manager pmmasterd Buffer Overflow 2017-05-11 00:44:19 -05:00
Josh Hale 843f148e62 One more yard doc function 2017-05-10 23:01:03 -05:00
Josh Hale e84765c1c6 All functions have yard doc like comments 2017-05-10 23:01:03 -05:00
Josh Hale c5391c2a64 Update cmd print to match core.rb 2017-05-10 23:01:03 -05:00
Josh Hale 10c7c3893a Add subnet check for Android payloads 2017-05-10 23:01:03 -05:00
Josh Hale c49bd9ee4e Add session ready check 2017-05-10 23:01:03 -05:00
Josh Hale 97eaa83114 Update delete all routes 2017-05-10 23:01:03 -05:00
Josh Hale f670fcddcb Initial code cleanup and multi compatibility work 2017-05-10 23:01:02 -05:00
Brent Cook 099fc0176a move autoroute to a more sensible location 2017-05-10 23:01:02 -05:00
Adam Cammack 18d95b6625
Land #8346, Templatize shims for external modules 2017-05-10 18:15:54 -05:00
William Vu 09f6c21f94 Add note about Host header limitations 2017-05-10 15:17:20 -05:00
William Vu b446cbcfce Add reference to Exim string expansions 2017-05-10 15:17:20 -05:00
William Vu 8842764d95 Add some comments about badchars 2017-05-10 15:17:20 -05:00
William Vu ecb79f2f85 Use reduce instead of extracting twice 2017-05-10 15:17:20 -05:00
William Vu b5f25ab7ca Use extract instead of doubling /bin/echo 2017-05-10 15:17:20 -05:00
William Vu 9a64ecc9b0 Create a pure-Exim, one-shot HTTP client 2017-05-10 15:17:20 -05:00
William Vu 0ce475dea3 Add WordPress 4.6 PHPMailer exploit 2017-05-10 15:17:20 -05:00
James Lee d00685a802
Don't run a DoS during wmap scans 2017-05-10 14:41:24 -05:00
Brendan Coles 42c7d64b28 Update style 2017-05-10 06:37:09 +00:00
Brent Cook faf01ed5ef
Land #8353, add aux scanner for Intel AMT digest bypass 2017-05-09 18:45:21 -05:00
James Lee 72388a957f
Land #8355, IIS ScStoragePathFromUrl
See #8162
2017-05-09 11:06:01 -05:00
Christian Mehlmauer 2b4ace9960
convert to "screaming snake" 2017-05-09 09:30:45 +02:00
Brent Cook cf487cc90c reverse_ncat_ssl is stable 2017-05-08 17:43:34 -05:00
Brendan Coles 32dafb06af Replace NoTarget with NotVulnerable 2017-05-08 22:29:44 +00:00
Christian Mehlmauer f70b402dd9
add comment 2017-05-09 00:17:00 +02:00
Brent Cook 86365c89d1
Land #8352, style updates for lotus_domino_hashes 2017-05-08 17:11:44 -05:00
Christian Mehlmauer 806963359f
fix fail with condition 2017-05-08 23:47:48 +02:00
Christian Mehlmauer f62ac6327d
add @rwhitcroft 2017-05-08 23:20:12 +02:00
Christian Mehlmauer 26373798fa
change rank 2017-05-08 23:07:12 +02:00
Christian Mehlmauer 962a31f879
change minimum length 2017-05-08 23:01:17 +02:00
Christian Mehlmauer 7dccb17834
auto extract values and implement brute forcing 2017-05-08 22:47:29 +02:00
Brent Cook 841f63ad20 make office_word_hta backward compat with older Rubies 2017-05-08 15:10:48 -05:00
Christian Mehlmauer 406a7f1ae2
Merge remote-tracking branch 'dmchell/dmchell-cve-2017-7269' into iis2 2017-05-08 21:51:51 +02:00
Brent Cook fede672a81 further revise templates 2017-05-08 14:26:24 -05:00
HD Moore f7ff840ef0 Add missing return, thanks bperry! 2017-05-08 14:08:59 -05:00
HD Moore 9392e48b72 Add a scanner for Intel AMT auth bypass (CVE-2017-5689) 2017-05-08 13:24:00 -05:00
Jeffrey Martin a1efa30fa2
comments adjustments & enum better 2017-05-08 11:57:06 -05:00
William Vu b794bfe5db
Land #8335, rank fixes for the msftidy god 2017-05-07 21:20:33 -05:00
Bryan Chu 88bef00f61 Add more ranks, remove module warnings
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables

../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability

../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability

../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart

../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability

../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability

../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability

../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability

../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
Pearce Barry af3f1fbc37
Land #8332, Canprobe Module 2017-05-07 12:20:27 -05:00
Pearce Barry c05e7b3b58
Minor corrections and a tweak to appease msftidy. 2017-05-07 11:55:20 -05:00
Pearce Barry e3d3fa8e45
Tweak internal description formatting. 2017-05-07 11:31:36 -05:00
Pearce Barry b965bdcdae
Appease msftidy and Travis. 2017-05-07 11:19:32 -05:00
m0t ab245b5042 added note to description 2017-05-07 13:56:50 +01:00
m0t 4f12a1e271 added note to description 2017-05-07 13:54:28 +01:00
Brendan Coles 635a7a42e6 Update style lotus_domino_hashes 2017-05-07 16:37:48 +10:00
Jeffrey Martin 05bf16e91e
Land #8331, Adding module CryptoLog Remote Code Execution 2017-05-05 18:24:14 -05:00
Jeffrey Martin e2fe70d531
convert store_valid_credential to named params 2017-05-05 18:23:15 -05:00
Mehmet Ince 720a02f5e2
Addressing Spaces at EOL issue reported by Travis 2017-05-05 11:05:17 +03:00
Brendan Coles 0eacf64324 Add Serviio Media Server checkStreamUrl Command Execution 2017-05-05 07:54:00 +00:00
Mehmet Ince 58d2e818b1
Merging multiple sqli area as a func 2017-05-05 10:49:05 +03:00
Jeffrey Martin 63b6ab5355
simplify valid credential storage 2017-05-04 22:51:40 -05:00
Gabriel Follon a8983c831d Updated links and authors 2017-05-04 18:25:45 -04:00
darkbushido 81bcf2ca70 updating all LHOST to use the new opt type 2017-05-04 12:57:50 -05:00
Gabriel Follon afe801b9e8 Updated target to 'universal' 2017-05-04 16:25:41 +02:00
Gabriel Follon 073cd59cd3 Added qmail_bash_env_exec exploit module, which exploit the ShellShock flaw via Qmail. 2017-05-04 15:44:18 +02:00
Brent Cook 97095ab311
Land #8338, Fix msf/core and self.class msftidy warnings 2017-05-03 21:55:52 -05:00
Brent Cook 2d93c8e2d6 merge, don't overwrite 2017-05-03 18:17:58 -05:00
Brent Cook 0798923901 set the correct schema for linux meterpreter reverse_tcp stages 2017-05-03 16:12:45 -05:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Mehmet Ince d04e7cba10
Rename the module as well as title 2017-05-03 19:18:46 +03:00
Mehmet Ince ae8035a30f
Fixing typo and using shorter sqli payload 2017-05-03 16:45:17 +03:00
Joe Testa cf74cb81a7 Removed unnecessary 'msf/core' include. 2017-05-03 09:02:05 -04:00
Craig Smith 9877aa9ef9 Added documentation and cleand up how STOPID worked 2017-05-02 18:57:32 -07:00
Mehmet Ince db2a2ed289
Removing space at eof and self.class from register_options 2017-05-03 01:31:13 +03:00
Mehmet Ince 77acbb8200
Adding cryptolog rce 2017-05-03 01:05:40 +03:00
Craig Smith 3519adbaef A basic CAN fuzzer. It probes the data regions of different CAN IDs.
The default is to use a set value but can iterate the full range.  It can
also add padding if necessary.  Not checks on returns or results of fuzzing.
2017-05-02 14:19:29 -07:00
Adam Cammack 494711ee65
Land #8307, Add lib for writing Python modules 2017-05-02 15:53:13 -05:00
Yorick Koster 6870a48c48 Code suggestion from @jvoisin 2017-05-02 16:41:06 +02:00
Joe Testa 012081eed2 Added support for ANY queries. Silently ignore unsupported queries instead of spamming stdout. 2017-05-01 17:28:56 -04:00
William Vu 03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory 2017-05-01 16:23:14 -05:00
William Vu 41ef1a4e90
Land #8325, cmd/unix/reverse_ncat_ssl payload 2017-05-01 14:54:52 -05:00
C_Sto 772a16f4cd fix style 2017-05-02 00:55:57 +08:00
C_Sto 9e06c3f07e fix argument arrangement 2017-05-02 00:39:00 +08:00
C_Sto 5a2afbc364 Tidy payload 2017-05-01 21:38:34 +08:00
Yorick Koster 006ed42248 Added fix information
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/0002
09.html
2017-05-01 09:01:14 +02:00
C_Sto cfa204b8e8 add reverse ncat ssl 2017-05-01 06:57:28 +08:00
reanar 0b62a6478a Modification for Travis (remove require msf/core, and self.class in register) 2017-04-30 17:05:11 +02:00
reanar 3f348150c6 Modification of description 2017-04-30 16:38:39 +02:00
reanar 52ec448511 Add WordPress Directory Traversal DoS Module 2017-04-30 15:03:48 +02:00
Yorick Koster 673dbdc4b9 Code review feedback from h00die 2017-04-29 20:37:39 +02:00
Yorick Koster fcf14212b4 Fixed disclosure date 2017-04-29 16:25:25 +02:00
Yorick Koster f9e7715adb Fixed formatting 2017-04-29 16:07:45 +02:00
Yorick Koster 1569d2cf8e MediaWiki SyntaxHighlight extension exploit module
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
2017-04-29 14:29:56 +02:00
Brandon Knight c4b3ba0d14 Actually removing msf/core this time... ><
Helps to actually remove the bits that were failing. Now with even more
removal of msf/core!
2017-04-28 21:42:06 -04:00
Brandon Knight ff263812fc Fix msftidy warnings
Remove explicitly loading msf/core and self.class from the register_
functions.
2017-04-28 21:26:53 -04:00
HD Moore afc804fa03 Quick Ghostscript module based on the public PoC 2017-04-28 09:56:52 -05:00
Brandon Knight f8fb03682a Fix issue in ps_wmi_exec and powershell staging
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.

Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
Sara Perez 18fa411189 Updated with Egypt's suggestion, also changed the target name to include other versions 2017-04-27 13:19:44 +01:00
itsmeroy2012 cd73bd137a Making use of while loop and solving StagerRetryWait issue 2017-04-27 11:50:13 +05:30
William Vu 1a402ed1d8 Add arch to smb_ms17_010 DOUBLEPULSAR detection 2017-04-26 20:59:13 -05:00
Brent Cook 037fdf854e move common json-rpc bits to a library 2017-04-26 18:08:08 -05:00
Brent Cook 480a0b4273 update payload sizes 2017-04-26 18:02:14 -05:00
Brent Cook a60e5789ed update mettle->meterpreter references in modules 2017-04-26 17:55:10 -05:00
Brent Cook 078ba66e5f remove unneeded msf/core requires 2017-04-26 17:17:20 -05:00
Brent Cook 353191992f move mettle payloads to meterpreter, add reverse_http/s stageless 2017-04-26 17:06:34 -05:00
Brent Cook f8792956ee fix one module for testing 2017-04-26 16:21:13 -05:00
Daniel Teixeira a3a4ba7605 Buffer Overflow on Dup Scout Enterprise v9.5.14 2017-04-26 15:19:00 +01:00
Spencer McIntyre da6c03d13f Fix function names to always be snake_case 2017-04-26 09:30:29 -04:00
William Vu bbee7f86b5
Land #8263, Mercurial SSH exec module 2017-04-26 01:38:01 -05:00
William Vu f60807113b Clean up module 2017-04-26 01:37:49 -05:00
anhilo 56685bbfaa Update office_word_hta.rb 2017-04-26 11:05:21 +08:00
Spencer McIntyre a3bcd20b26 Minor cleanups for multi-platform railgun 2017-04-25 17:45:07 -04:00
William Vu 5476f6066c
Land #8271, DOUBLEPULSAR detection for MS17-010 2017-04-25 16:31:39 -05:00
Craig Smith 4019a14865 The local HWBridge now does not print out status for each URI request per default. This can be enabled by setting verbose to true.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 5537348e28 Addes Statistics support from the API. When typing status in a hardware bridge it will also print packet statistics.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
wchen-r7 320898697a
Land #8266, Add Buffer Overflow Exploit on Disk Sorter Enterprise 2017-04-24 17:17:30 -05:00
wchen-r7 1d86905fca
Land #8288, Minor changes to WiPG-1000 module 2017-04-24 17:09:25 -05:00
wchen-r7 e333cb65e5 Restore require 'msf/core' 2017-04-24 17:09:02 -05:00
wchen-r7 c573628e10 Fix header 2017-04-24 17:01:35 -05:00
wchen-r7 e775f9ccbd
Land #8259, Add post module to upload and execute a file 2017-04-24 17:00:55 -05:00
Matthias Brun d3aba846b9 Make minor changes 2017-04-24 23:35:36 +02:00
wchen-r7 5bbb4d755a
Land #8254, Add CVE-2017-0199 - Office Word HTA Module 2017-04-24 16:05:00 -05:00
wchen-r7 6029a9ee2b Use a built-in HTA server and update doc 2017-04-24 16:04:27 -05:00
zerosum0x0 55f01d3fc7 made the plugin less spammy with more vprintf 2017-04-24 13:33:05 -06:00
zerosum0x0 453ca6e3bf added OS printing on vulnerable systems 2017-04-24 13:20:44 -06:00
Daniel Teixeira 47898717c9 Minor documentation improvements
Space after ,
2017-04-24 14:47:25 +01:00
itsmeroy2012 bd2379784e Improved error handling for the python reverse_tcp payload
Handling all kinds of errors

Removing 'e'

Updating payload cached sizes

Updating payload cached sizes 2.0

Adding option to set retry time
2017-04-23 20:43:57 +05:30
zerosum0x0 a69aba0eab added XOR Key calculation 2017-04-22 23:54:30 -06:00
h00die 8e4c093a22 added version numbers 2017-04-22 09:45:55 -04:00
Spencer McIntyre ffe6d35b4d Add a module to dump network passwords from gnome 2017-04-21 16:17:18 -04:00
zerosum0x0 8a77bf7b60 removed wrong comments 2017-04-21 08:27:13 -06:00
Matthias Brun 714ada2b66 Inline execute_cmd function 2017-04-21 15:32:15 +02:00
zerosum0x0 9fab64c60e added references 2017-04-20 15:22:37 -06:00
zerosum0x0 dd12afd717
added DoublePulsar detection 2017-04-20 15:03:29 -06:00
Matthias Brun 8218f024e0 Add WiPG-1000 Command Injection module 2017-04-20 16:32:23 +02:00
Koen Riepe 55ab800f13
Minor code fixes. 2017-04-19 14:41:11 +02:00
DanielRTeixeira f1c51447c1 Add files via upload
Buffer Overflow on Disk Sorter Enterprise
2017-04-19 10:57:41 +01:00
Jonathan Claudius f5430e5c47
Revert Msf::Exploit::Remote::Tcp 2017-04-18 19:27:35 -04:00
Jonathan Claudius 9a870a623d
Make use of Msf::Exploit::Remote::Tcp 2017-04-18 19:17:48 -04:00
Jonathan Claudius 03e3065706
Fix MSF tidy issues 2017-04-18 18:56:42 -04:00
Jonathan Claudius 32f0b57091
Fix new line issues 2017-04-18 18:52:53 -04:00
James Lee bdeeb8ee1d
Add a check 2017-04-18 16:32:06 -05:00
William Vu 3b38d0d900
Land #8262, PR ref for huawei_hg532n_cmdinject 2017-04-18 16:29:13 -05:00
Jonathan Claudius bfca4da9b0
Add mercurial ssh exec 2017-04-18 16:33:23 -04:00
Tod Beardsley 1fcc1f7417
Trailing comma. Why isn't this Lua? 2017-04-18 14:27:44 -05:00
wchen-r7 0428e12b10
Land #8216, Add CVE-2016-7552/CVE-2016-7547 exploit 2017-04-18 14:26:55 -05:00
Tod Beardsley 4ec71f9272
Add a reference to the original PR
This was the source of first public disclosure, so may as well include
it.
2017-04-18 14:20:25 -05:00
Sara Perez 178d68003e version check, as the name for the api key call changes on 11.0. Line 130 2017-04-18 10:32:28 +01:00
James Lee 84dd5cd01a
Add a simple upload exec module 2017-04-17 19:34:21 -05:00
Nate Caroe 92e7183a74 Small typo fix
Running msfconsole would generate an Ubuntu crash report (?). This seems to be the culprit.
2017-04-17 11:14:51 -06:00
William Vu 942959f7e8
Land #8255, fixes for smb_ms17_010 2017-04-17 11:38:34 -05:00
Brent Cook 7b936b0012
Land #8184, convert IPMI protocol and modules to bindata 2017-04-17 07:40:15 -05:00
Brent Cook 6f70efcfa1 add module documentation 2017-04-17 07:39:43 -05:00
William Vu b1c7f1302b Fix report_vuln and prefer vprint_error 2017-04-17 02:48:56 -05:00
Ahmed S. Darwish e21504b22d huawei_hg532n_cmdinject: Use send_request_cgi() 'vars_get' key
Instead of rolling our own GET parameters implementation.

Thanks @wvu-r7!
2017-04-17 09:11:50 +02:00
nixawk 3d082814cb Fix default options 2017-04-17 01:09:48 -05:00
Ahmed S. Darwish 7daec53106 huawei_hg532n_cmdinject: Improve overall documentation
- Add section on compiling custom binaries for the device
- Add documentation for Huawei's wget flavor (thanks @h00die)
- Abridge the module's info hash contents (thanks @wwebb-r7)
- Abridge the module's comments; reference documentation (@h00die)
2017-04-17 08:00:51 +02:00
Ahmed S. Darwish 8a302463ab huawei_hg532n_cmdinject: Use minimum permissions for staged binary
Use u+rwx permissions only, instead of full 777, while staging the
wget binary to target. As suggested by @wvu-r7 and @busterb.
2017-04-17 03:27:57 +02:00
Ahmed S. Darwish 7ca7528cba huawei_hg532n_cmdinject: Spelling fixes suggested by @wvu-r7 2017-04-17 03:23:20 +02:00
Ahmed S. Darwish 7b8e5e5016 Add Huawei HG532n command injection exploit 2017-04-15 21:01:47 +02:00
Brent Cook 7950087804 Merge branch 'upstream-master' into land-8237- 2017-04-14 21:53:26 -05:00
nixawk fb001180c4 Fix generate_uri 2017-04-14 21:52:31 -05:00