Brent Cook
7924667e51
appease alignists
2017-09-25 09:10:10 -05:00
Brent Cook
62ee4ed708
update modules to use inherited SSLVersion option
2017-09-25 09:03:22 -05:00
g0tmi1k
1ee590ac07
Move over to rex-powershell and version bump
...
Version bump for:
- https://github.com/rapid7/rex-powershell/pull/10
- https://github.com/rapid7/rex-powershell/pull/11
2017-09-25 13:45:06 +01:00
h00die
273d49bffd
Land #8891 login scanner for Inedo BuildMaster
2017-09-24 13:30:17 -04:00
h00die
4d1e51a0ff
Land #8906 RCE for supervisor
2017-09-24 08:03:30 -04:00
Jannis Pohl
48188e999e
post/windows/manage/persistence_exe: fix service creation
...
Fixes service creation when in post/windows/manage/persistence_exe
2017-09-23 23:48:50 +02:00
h00die
9528f279a5
cleaned up version, and docs
2017-09-23 10:51:52 -04:00
RootUp
e4f79879ba
Update and rename modules/auxiliary/dos/ibm_lotus_notes.rb to modules/auxiliary/dos/http/ibm_lotus_notes.rb
2017-09-23 18:27:50 +05:30
Pearce Barry
e8eeb784e4
Land #8960 , spelling/grammar fixes part 3
2017-09-22 18:51:31 -05:00
Pearce Barry
8de6fa79c1
Tweakz, yo.
2017-09-22 18:49:09 -05:00
Pearce Barry
d56fffcadf
Land #8974 , spelling/grammar fixes part 4. Finished.
2017-09-22 14:59:28 -05:00
Pearce Barry
f1be6b720b
Tweaky bits.
2017-09-22 13:38:06 -05:00
RootUp
669b6771e3
Update ibm_lotus_notes.rb
2017-09-22 17:16:42 +05:30
RootUp
a71edb33be
Create ibm_lotus_notes.rb
2017-09-22 17:08:05 +05:30
h00die
ddbff6ba3c
Land #8980 unauth RCE for denyAll WAF
2017-09-21 21:41:33 -04:00
Mehmet Ince
3d543b75f5
Fixing typos and replacing double quotes with single
2017-09-21 23:48:12 +03:00
Mehmet Ince
1031d7960a
Moving token extraction to the seperated function
2017-09-20 10:23:32 +03:00
bwatters-r7
5a62e779aa
Land #8954 , fix internal usage of bindata objects when generating NTP messages
2017-09-19 09:01:49 -05:00
Mehmet Ince
ee969ae8e5
Adding DenyAll RCE module
2017-09-19 14:53:37 +03:00
loftwing
c953842c96
Added docs and additional dialects
2017-09-18 15:02:38 -05:00
loftwing
7d07f7054d
Merge remote-tracking branch 'origin/master' into add_smb1_scanner
2017-09-18 13:16:06 -05:00
loftwing
d07fe2f1e7
Added reporting back, removed wfw dialect
2017-09-18 13:15:19 -05:00
h00die
08dea910e1
pbarry-r7 comments
2017-09-17 19:38:43 -04:00
h00die
c90f885938
Finished spelling issues
2017-09-17 16:00:04 -04:00
William Webb
d5362333e2
Land #8958 , Add Disk Pulse Enterprise web server buffer overflow
2017-09-15 13:34:22 -05:00
loftwing
6f5eb5a18f
update
2017-09-15 12:07:28 -05:00
Pearce Barry
e651bc1205
Land #8951 , Hwbridge auto padding fix and flowcontrol
2017-09-15 08:33:17 -05:00
james
4e81a68108
Simplify saving valid credentials by calling store_valid_credential
2017-09-15 00:18:33 -05:00
loftwing
e88b766276
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner
2017-09-14 17:00:45 -05:00
loftwing
646dda7958
Add initial smbv1 scanner code
2017-09-14 16:59:39 -05:00
Christian Mehlmauer
c77cb51d64
add newline
2017-09-14 18:26:11 +02:00
Jeffrey Martin
a992a3c427
Land #8774 , Post module for gather Docker credentials
2017-09-14 10:15:03 -05:00
Pearce Barry
200a1b400a
Remove spaces to appease msftidy.
2017-09-14 09:28:38 -05:00
h00die
30f833f684
80 pages left
2017-09-13 22:03:34 -04:00
loftwing
52385f4d9e
fix formatting to fit rubocop
2017-09-13 11:46:57 -05:00
loftwing
b8c40a9d95
Clean up formatting
2017-09-13 11:13:33 -05:00
loftwing
3c204f91ef
Correct module title
2017-09-13 11:02:13 -05:00
loftwing
65f2ee9109
added generate_seh_record
2017-09-13 10:56:32 -05:00
loftwing
7db506887b
Add exploit code
2017-09-13 10:36:36 -05:00
loftwing
eb0d174987
Add disk_pulse_enterprise_get module
2017-09-13 10:19:24 -05:00
William Webb
a07f7c9f42
Land #8520 , Linux post module to find and collect TOR hidden service configurations
2017-09-12 13:39:18 -05:00
Erik Lenoir
27a517e0f6
Fix #8060 , cf #8061
2017-09-12 18:41:51 +02:00
Brent Cook
a7a17c677c
fix internal usage of bindata objects when generating NTP messages
2017-09-12 09:54:09 -04:00
Anant Shrivastava
86726978ed
payload size updated
2017-09-12 19:23:31 +05:30
Craig Smith
e4465c9350
Fixed a bug where flowcontrol caused the first packet to get lost
2017-09-11 19:00:53 -07:00
Craig Smith
b218cc3c7f
Merge branch 'master' into hw_auto_padding_fix
2017-09-11 18:30:34 -07:00
Craig Smith
ad9329993d
Added better padding and flowcontrol support.
2017-09-11 18:20:57 -07:00
Pearce Barry
7b87915e1f
Land #8923 , Add additional error checking to mssql_clr_payload module
2017-09-11 17:39:33 -05:00
Jeffrey Martin
a58552daad
Land #8825 , Handle missing util.pump in nodejs shell payloads
2017-09-11 15:32:21 -05:00
Tod Beardsley
5f66b7eb1a
Land #8940 , @h00die's second round of desc fixes
...
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
Tod Beardsley
cfbd3c1615
Fix spelling of Honeywell
2017-09-11 13:02:18 -05:00
james
ba880d1a85
Changes to mssql_clr_payload error handling based on code review
2017-09-10 14:15:39 -05:00
Patrick Thomas
2966fb7c8c
Accept @shawizard suggestion for formatting msg_body
2017-09-10 11:23:52 -07:00
james
861f4a6201
Changes to buildmaster_login from code review
...
Use peer property in messages instead of rhost rport combination for consistency.
Documentation updated accordingly.
2017-09-09 18:00:04 -05:00
james
47adfb9956
Fixes from code review to buildmaster_login
...
Per bcoles, the most important fixes are:
- Removing `self.class` from call to `register_options`
- Adding rescue to login_succeeded to handle bad json
2017-09-09 16:26:01 -05:00
h00die
7339658ba9
224 pages of spelling issues left
2017-09-09 09:52:08 -04:00
h00die
6289cc0b70
Merge branch 'spellin' of https://github.com/h00die/metasploit-framework into spellin
2017-09-08 22:20:39 -04:00
h00die
0910c482a9
35 pages of spelling done
2017-09-08 22:19:55 -04:00
Brent Cook
8f864c27e3
Land #8924 , Add Apache Struts 2 REST Plugin XStream RCE
2017-09-08 13:59:52 -05:00
Brent Cook
54a62976f8
update versions and add quick module docs
2017-09-08 13:59:29 -05:00
William Vu
978fdb07b0
Comment out PSH target and explain why
...
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
2017-09-08 13:41:06 -05:00
dmohanty-r7
c91ef1f092
Land #8768 , Add Docker Daemon TCP exploit module
2017-09-08 12:50:00 -05:00
Pearce Barry
2ebf53b647
Minor tweaks...
2017-09-08 10:04:47 -05:00
h00die
00c593e0a2
55 pages of spelling done
2017-09-07 21:18:50 -04:00
William Vu
a9a307540f
Assign cmd to entire case and use encode for XML
...
Hat tip @acammack-r7. Forgot about that first syntax!
2017-09-07 19:36:08 -05:00
William Vu
8f1e353b6e
Add Apache Struts 2 REST Plugin XStream RCE
2017-09-07 19:30:48 -05:00
Brent Cook
a0181a4d54
Land #8831 , Add Maven post-exploitation credential extraction module
...
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
2017-09-08 00:37:03 +02:00
James Barnett
7e9d0b3e9b
Fix permissions in docker priv_esc module
...
The previous command didn't give the original user enough permissions
to execute the payload. This was resulting in permission denied
and preventing me from getting a root shell.
Fixes #8937
2017-09-07 16:48:02 -05:00
Brent Cook
c67e407c9c
Land #8880 , added Cisco Smart Install (SMI) scanner
2017-09-07 08:06:03 -05:00
g0tmi1k
accb77d268
Add PSH (Binary) as a target to web_delivery
2017-09-07 10:55:29 +01:00
Brent Cook
9877a61eff
bump payloads
2017-09-07 01:36:25 -05:00
OJ
816e78b6f6
First pass of named pipe code for pivots
2017-09-07 01:33:53 -05:00
Patrick Thomas
5d009c8d0b
remove dead code
2017-09-06 23:21:56 -07:00
Patrick Thomas
048316864c
remove redundant return
2017-09-06 23:01:13 -07:00
Patrick Thomas
97d08e0da4
fix reviewer comments
2017-09-06 22:53:02 -07:00
Patrick Thomas
d71f7876b8
initial commit of nodejs debugger eval exploit
2017-09-06 22:29:24 -07:00
g0tmi1k
96f7012fe7
Code clean up (URLs, ordering and printing)
2017-09-06 13:17:28 +01:00
g0tmi1k
b884705a93
regsvr32_applocker_bypass_server -> web_delivery
2017-09-06 12:35:52 +01:00
g0tmi1k
e7b4cb71b1
Add PSH-Proxy to multi/script/web_delivery
2017-09-06 12:27:04 +01:00
h00die
be66ed8af3
Land #8788 exploits for Gh0st and PlugX malware controllers
2017-09-05 20:42:07 -04:00
james
44fb059cea
Add error checking to mssql_clr_payload
...
Additional error checking had been added to exploits/windows/mssql/mssql_clr_payload
If an error is encountered when changing the trustworthy or clr setting, the exploit fails with a message.
2017-09-05 18:48:22 -05:00
Adam Cammack
b0dc44fb86
Land #8909 , Avoid saving some invalid creds
2017-09-05 12:43:03 -05:00
h00die
d05c401866
modules cleanup and add docs
2017-09-04 20:57:23 -04:00
Pearce Barry
6051a1a1c1
Land #8910 , Use meta redirect instead of JS redirect in 2 modules
2017-09-01 13:50:02 -05:00
Tod Beardsley
86db2a5771
Land #8888 from @h00die, with two extra fixes
...
Fixes spelling and grammar in a bunch of modules. More to come!
2017-08-31 14:37:02 -05:00
Tod Beardsley
8a045e65aa
Spaces between commas
2017-08-31 14:29:23 -05:00
Tod Beardsley
642a13e820
Out out damn tick
2017-08-31 14:29:05 -05:00
Tim
86ee77ffb0
add aarch64 nops and fix aarch64 cmdstager
2017-08-31 18:48:58 +08:00
Adam Cammack
195c1e041f
Update payload specs and sizes
...
Adds the new Aarch64 and R payloads
fix merge
2017-08-31 18:48:56 +08:00
Tim
7b71f60ea1
fix the stack
2017-08-31 18:35:18 +08:00
Tim
26f4fa3b09
setup stack
2017-08-31 18:35:17 +08:00
Tim
a2396991f0
stager not setting up stack
2017-08-31 18:35:17 +08:00
Tim
6dbe00158f
fix stager
2017-08-31 18:35:17 +08:00
james
49173818fd
Addresses #8674
...
This type of redirection will work without javascript being enabled.
Modules:
multi/browser/firefox_xpi_bootstrapped_addon
multi/browser/itms_overflow
More info on the meta element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
2017-08-30 23:16:46 -05:00
Pearce Barry
2bbba9c500
Avoid some ActiveRecord validation errors.
...
Per discussion with @bcoles in [PR 8759](https://github.com/rapid7/metasploit-framework/pull/8759#issuecomment-325028479 ), setting a login data's last_attempted_at value while also setting the status to UNTRIED will cause a validation error when there's a running+connected MSF DB.
This PR removes the handful of existing cases we're doing this (thx, @bcoles!).
2017-08-30 15:31:36 -05:00
Jon Hart
eec5d2ada9
Update description and add link to SIET
2017-08-30 11:52:11 -07:00
Calum Hutton
3b745bd17c
Rework the bash, redirect stdout/err to /dev/null
...
Dont need the -
2017-08-30 03:49:30 +01:00
Calum Hutton
9387a765e5
Fix msftidy warns/errs
2017-08-30 03:10:46 +01:00
Calum Hutton
4934023fa5
Use alternate system() payload, dont worry about restarts
...
Use nohup and & to background the meterpreter process
2017-08-30 03:10:46 +01:00
Calum Hutton
d53f10554d
Configurable restart command
2017-08-30 03:10:46 +01:00
Calum Hutton
d0ff2694b3
Restart after payload process ends
2017-08-30 03:10:46 +01:00
Calum Hutton
aee44e3bd2
Working meterpreter exploit
...
No service restart
2017-08-30 03:10:46 +01:00
Calum Hutton
7cfb5fcc97
Rename
2017-08-30 03:10:46 +01:00
Calum Hutton
8b67b710fa
Add template
2017-08-30 03:10:46 +01:00
Brent Cook
202c936868
Land #8826 , git submodule remote command execution
2017-08-29 18:11:32 -05:00
Brent Cook
46eeb1bee0
update style
2017-08-29 17:44:39 -05:00
Pearce Barry
d5124fdc94
Land #8759 , Add TeamTalk Gather Credentials auxiliary module
2017-08-29 13:17:28 -05:00
Tim
39299c0fb8
randomize submodule path
2017-08-29 16:54:08 +08:00
Brendan Coles
c9e32fbb18
Remove last_attempted_at
2017-08-29 05:05:04 +00:00
h00die
a40429158f
40% done
2017-08-28 20:17:58 -04:00
Brent Cook
1e8edb377f
Land #8873 , cleanup enable_rdp, add error handling
2017-08-28 05:50:42 -05:00
Brent Cook
582b2e238e
update mettle payload to 0.2.2, add background and single-thread http comms
2017-08-28 05:31:44 -05:00
Brent Cook
15ec40f5c6
update R cached sizes
2017-08-28 05:31:42 -05:00
h00die
bd7ea1f90d
more updates, 465 more pages to go
2017-08-26 21:01:10 -04:00
james
7dfde651ea
Add login scanner module for Inedo BuildMaster
...
This module attempts to log into BuildMaster. BuildMaster is an application release automation tool.
More information about BuildMaster:
http://inedo.com/
2017-08-26 17:56:53 -05:00
Erik Lenoir
a8067070f2
Fix typo
2017-08-26 17:52:11 +02:00
William Vu
924c3de9f3
Land #7382 , BIND TSIG DoS
2017-08-26 10:42:35 -05:00
William Vu
f9a2c3406f
Clean up module
2017-08-26 10:41:10 -05:00
h00die
3420633f29
@NickTyrer corrected my correction
2017-08-26 08:43:10 -04:00
Erik Lenoir
801e3e2d68
Replace REXML with Nokogiri and try to cross id with mirror/repository tag
2017-08-25 18:28:09 +02:00
Jon P
abaf80f3df
jmartin improvements (iter on keys + save as credentials)
2017-08-25 18:15:24 +02:00
h00die
32a4436ecd
first round of spelling/grammar fixes
2017-08-24 21:38:44 -04:00
n00py
8f17d536a7
Update phpmailer_arg_injection.rb
...
Removed second parameter as it was not necessary. Only changed needed was to change "send_request_cgi" to "send_request_cgi!"
2017-08-24 00:29:28 -06:00
n00py
c49b72a470
Follow 301 re-direct
...
I found that in some cases, the trigger URL cannot be accessed directly. For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example". It isn't until hitting "/example" that the php is executed. This small change will just allow the trigger to follow one 301 redirect.
2017-08-23 18:53:54 -06:00
Brent Cook
821121d40b
Land #8871 , improve compatibility and speed of JDWP exploit
2017-08-23 18:53:47 -05:00
Jeffrey Martin
cba4d36df2
provide missing bits for R platform
2017-08-23 16:58:48 -05:00
William Vu
4c285c0129
Land #8827 , QNAP Transcode Server RCE
2017-08-22 23:07:01 -05:00
Jon Hart
7b18c17445
Appease rubocop
2017-08-22 14:53:21 -07:00
Brent Cook
128949217e
more osx
2017-08-22 16:48:09 -05:00
Jon Hart
2969da3d70
Merge branch 'upstream-master' into feature/cisco-smi-scanner
2017-08-22 14:39:44 -07:00
Brent Cook
bb120962aa
more osx support
2017-08-22 14:01:48 -05:00
Brent Cook
7263c7a66e
add 64-bit, osx support
2017-08-22 13:51:28 -05:00
Erik Lenoir
be2739d335
Transform loots into creds
2017-08-22 11:57:51 +02:00
Brent Cook
33f2ebc2aa
code cleanup
2017-08-21 22:46:30 -05:00
Brent Cook
58e332cc7c
only fail if the group sids fail to resolve and we actually have to add a user
2017-08-21 22:36:40 -05:00
Louis Sato
e01caac9ed
removing slice operators from jdwp_debugger
2017-08-21 16:36:54 -05:00
Brent Cook
031f48725f
add missing quotes
2017-08-21 16:16:03 -05:00
Brent Cook
edbe8d73c2
Revert "Revert passive stance for multi/handler"
...
This reverts commit 66a4ea4f0b
.
2017-08-21 16:14:23 -05:00
Brent Cook
c14daf3fcc
Land #8857 , Reverse and bind shells in R
2017-08-21 15:49:24 -05:00
Brent Cook
605330faf6
Land #8842 , add linux/aarch64/shell_reverse_tcp
2017-08-21 15:44:28 -05:00
Brent Cook
430251b8f6
fix compatibility with php meterpreter
2017-08-21 15:37:31 -05:00
RageLtMan
2873a899db
Address msftidy complaint
2017-08-21 03:39:03 -04:00
Tim
d6d6c67f33
add stage_shell.s and cleanup
2017-08-21 14:42:30 +08:00
Tim
e1a7494724
linux payloads should default to /bin/sh
2017-08-21 12:25:27 +08:00
Tim
9768a89bcd
aarch64 staged shell
2017-08-21 11:14:42 +08:00
RageLtMan
7ab097a784
Unix cmd versions of R payloads
...
Use R to connect back from a unix shell.
Notes:
We need to DRY this up - tons of copy pasta here, when we should
really be instantiating the language specific payloads and just
wrapping them with CLI execution strings.
Testing:
None, yet, just did the quick port to wrap this and push to CI
now that rex-arch #4 is in.
2017-08-20 21:25:57 -04:00
Brent Cook
f961495860
Land #8625 , Remove OpenSSL from Windows Meterp, packet header changes, and TLV packet encryption
2017-08-20 19:13:51 -05:00
Brent Cook
b864083cbd
update payload sizes
2017-08-20 19:03:53 -05:00
Brent Cook
eabe4001c2
Land #8492 , Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module
2017-08-20 18:48:22 -05:00
Brent Cook
cbd7790e95
Land #8751 , Add Asterisk Gather Credentials auxiliary module
2017-08-20 18:34:27 -05:00
Brent Cook
07ee33578d
Land 8804, tidy up mdaemon credential extraction module
2017-08-20 18:26:56 -05:00
Brent Cook
85df247c84
DRY up module, fix remaining style violations
2017-08-20 18:24:41 -05:00
Brent Cook
367c760927
window move is now directly in the template
2017-08-20 17:48:59 -05:00
Brent Cook
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
Brent Cook
1225555125
remove unnecessary require
2017-08-20 17:37:42 -05:00
Brent Cook
840c0d5f56
Land #7808 , add exploit for VMware VDP with known ssh private key (CVE-2016-7456)
2017-08-20 17:36:45 -05:00
Brent Cook
88f39d924b
Land #8816 , added Jenkins v2 cookie support
2017-08-20 14:58:38 -05:00
Brent Cook
f7dc831e9a
Land #8799 , Add module to detect Docker, LXC, and systemd-nspawn containers
2017-08-20 14:45:57 -05:00
Brent Cook
aa797588e8
Land #8847 , Look for sp_execute_external_script in mssql_enum
2017-08-20 14:32:35 -05:00
Brent Cook
2eba188166
Land #8789 , Add COM class ID hijack method for bypassing UAC
2017-08-20 13:57:17 -05:00
Brent Cook
e8ab518d76
Land #8853 , Revert passive stance for multi/handler
2017-08-19 22:04:26 -05:00
RageLtMan
d76616e8e8
Reverse and bind shells in R
...
Initial implementation of bind and reverse TCP shells in R.
Supports IPv4 and 6, provides stateless sessions which wont change
the cwd when cd is invoked since each command invocation actually
spawns a pipe to execute that specific line's invocation.
R injections are common in academic software written in a hurry by
students or lab administrators. The language runtimes are also
commonly found adjacent to valuable data, and often used by teams
which are not directly responsible for information security.
Testing:
Local testing with netcat bind and rev handlers.
TODO:
Add the appropriate platform/language library definitions
2017-08-19 06:12:05 -04:00
William Webb
6ecdb8f2cc
Land #8852 , convert quest_pmmasterd_bof to cmd_interact/find
2017-08-18 13:20:17 -05:00
William Vu
66a4ea4f0b
Revert passive stance for multi/handler
...
It's gotten to be a bit annoying. ExitOnSession=false was good, but this
was too much. Typing run -j isn't difficult.
2017-08-18 13:16:12 -05:00
Erik Lenoir
cde319a5ec
Optim module and add doc
2017-08-18 19:30:41 +02:00
Erik Lenoir
b529c3551c
Remove unused variable
2017-08-18 19:00:32 +02:00
h00die
dc358dd087
unknow to unknown
2017-08-18 11:33:48 -04:00
William Vu
d659cdc8f6
Convert quest_pmmasterd_bof to cmd_interact/find
2017-08-18 00:19:09 -05:00
Brent Cook
ea5370486f
minor unused variable fixes
2017-08-17 16:46:51 -04:00
Brent Cook
9c196041ce
update youtube urls in post exploit module
2017-08-17 16:44:35 -04:00
Tim
8b4ccc66c7
add linux/aarch64/shell_reverse_tcp
2017-08-17 18:55:37 +08:00
james
e642789674
Look for sp_execute_external_script in mssql_enum
...
sp_execute_external_script can be used to execute code in MSSQL.
MSSQL 2016+ can be configured to execute R code. MSSQL 2017 can
be configured to execute Python code.
Documentation:
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql
https://docs.microsoft.com/en-us/sql/advanced-analytics/tutorials/rtsql-using-r-code-in-transact-sql-quickstart
Interesting uses of sp_execute_external_script:
R - https://pastebin.com/zBDnzELT
Python - https://gist.github.com/james-otten/63389189ee73376268c5eb676946ada5
2017-08-16 21:40:03 -05:00
Richard Claus
f07318c976
Fix post/linux/gather/hashdump NoMethodError
2017-08-16 00:56:32 -07:00
Brent Cook
70a82b5c67
Land #8834 , add resiliency to x64 linux reverse_tcp stagers
2017-08-15 08:04:32 -04:00
Brent Cook
df98c2a3dd
update cached sizes again
2017-08-15 08:02:51 -04:00
Brent Cook
debbc31142
use separate module names for x86 and x64 generators
2017-08-15 08:02:01 -04:00
tkmru
4dbf94556e
update CacheSize
2017-08-15 12:54:30 +09:00
Brendan Coles
ac976eee8e
Add author
2017-08-15 03:27:40 +00:00
Brent Cook
e3265c4b1b
Land #8697 , fix oracle_hashdump and jtr_oracle_fast modules
2017-08-14 17:36:18 -04:00
Brent Cook
69c4ae99a7
Land #8811 , fix peer printing with bruteforce modules
2017-08-14 17:31:48 -04:00
Erik Lenoir
b4055a8071
Rename command
2017-08-14 23:26:18 +02:00
Erik Lenoir
55db70ec3e
Handle case when locate is not here by using enum_directories_map
2017-08-14 23:25:01 +02:00
William Vu
1a4db844c0
Refactor build_brute_message for legacy printing
2017-08-14 11:17:34 -05:00
Brent Cook
b8f56d14e0
Land #8698 , Add HEADERS to php_eval module
2017-08-14 09:54:22 -04:00
Erik Lenoir
27822c2ccf
Add Maven creds module
2017-08-14 14:59:59 +02:00
Brent Cook
9fdf2ca1f4
Land #8830 , Cleanup auxiliary/scanner/msf/msf_rpc_login
2017-08-14 02:47:08 -04:00
Brendan Coles
fa4fae3436
Cleanup auxiliary/scanner/msf/msf_rpc_login
2017-08-14 06:34:04 +00:00
Brent Cook
59086af261
Land #8771 , rewrite linux x64 stagers with Metasm
2017-08-14 02:32:29 -04:00
Brent Cook
26193216d1
Land #8686 , add 'download' and simplified URI request methods to http client mixin
...
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
Brent Cook
7d4561e0fd
rename to download_log to avoid conflicting with the mixin
2017-08-14 01:10:37 -04:00
Brent Cook
5d05ca154a
added http client 'download' method and updates to pdf author module from @bcoles
2017-08-14 01:08:53 -04:00
Brendan Coles
0a374b1a88
Add QNAP Transcode Server Command Execution exploit module
2017-08-13 09:13:56 +00:00
Patrick Thomas
25764397ba
Update CachedSizes for changed nodejs payloads
...
Fixes test failures
2017-08-12 23:21:54 -07:00
Tim
7881a7ddc4
git submodule command exec
2017-08-13 11:47:44 +08:00
zerosum0x0
ecfe3d0235
added optional DoublePulsar check
2017-08-11 11:36:59 -06:00
Pearce Barry
bb5fffebc4
Land #8796 , SMBLoris Denial of Service Module.
2017-08-09 16:24:55 -05:00
Pearce Barry
901a1fdd1b
Minor tweaks.
2017-08-09 15:44:32 -05:00
Jon Hart
1b6acd768e
Land #8817 , fixing @jhart-r7's ruby 2.2 blunder
2017-08-09 13:19:20 -07:00
Christian Mehlmauer
1b6b29c22b
fix error with rdp scanníng
2017-08-09 21:32:15 +02:00
thesubtlety
7e860571ae
fix bug where api_token auth was being used without token being set
2017-08-09 12:30:26 -04:00
thesubtlety
9bb102d72d
add jenkins v2 cookie support
2017-08-09 12:29:31 -04:00
bwatters-r7
dd79aa3afb
Land #8627 , Add post module multi/gather/jenkins
2017-08-09 10:43:21 -05:00
Brent Cook
0ac19087cd
Land #8720 , add resiliency (retries + sleep) to linux x86 stagers
2017-08-08 19:36:47 -05:00
William Vu
3396afb41a
Add IP and port (peer) to print_brute messages
2017-08-08 15:46:40 -05:00
William Vu
39e59805f9
Fix annoying print_brute messages in ssh_login
2017-08-08 15:15:23 -05:00
David Maloney
67e86da50b
make SMBLoris run continuously as requested
...
as per ZeroSum's request the module now runs
continuously, refreshing the connections on every pass
until manually killed
2017-08-08 10:16:16 -05:00
Agora Security
2fab8f5d2a
Fix Spaces at EOL
2017-08-07 16:39:16 -04:00
Agora Security
663824de85
Fix indentation, fix how locations adds values and remove unnecesary code
2017-08-07 13:16:27 -04:00
Pearce Barry
cfd377fbd4
Support padding on the CAN bus.
...
Also use a hash for passing options around instead of individual params.
2017-08-06 18:05:59 -05:00
james
b8d794cc37
Identify systemd-nspawn containers in checkcontainer
...
Check the value of the "container" environment variable:
- "lxc" indicates a LXC container
- "systemd-nspawn" indicates a systemd nspawn container
2017-08-06 00:46:09 -05:00
james
9858147dae
Add module to detect Docker and LXC containers
...
Detect Docker by:
- Presence of .dockerenv file.
- Finding "docker" in /proc/1/cgroup
Detect LXC by:
- Finding "lxc" in /proc/1/cgroup
2017-08-05 18:59:36 -05:00
Martin Pizala
2383afd8dc
Fix improved error handling
2017-08-04 23:42:44 +02:00
David Maloney
289f03241b
add module documentation
...
add module docs for the new smbloris DoS
2017-08-04 16:10:44 -05:00
David Maloney
15cc2a9dc0
removedthreading stuff, tried keepalives
...
still seem to be topping out at
about 1.3GB allocated
2017-08-04 15:28:01 -05:00
Brent Cook
7ce813ae6e
Land #8767 , Add exploit module for CVE-2017-8464
...
LNK Code Execution Vulnerability
2017-08-03 17:10:16 -05:00
Brent Cook
da3ca9eb90
update some documentation
2017-08-03 17:09:44 -05:00
David Maloney
e73ffe648e
tried adding supervisor model to smbloris
...
tried to overcome issues with slowdown
around the 4500 connection mark by using the
supervisor pattern to terminate the threads on
the backend. this seems to get us further, but we still
hit a slowdown and the allocations die out before
we hit any serious usage
2017-08-03 14:19:35 -05:00
David Maloney
c9da2d56b9
first pass at SMBLoris DoS module
...
the first pass on the DoS module for SMBLoris
running into issues with it topping out around 600MB
2017-08-03 11:32:57 -05:00
Brent Cook
ddd841c0a8
code style cleanup + add automatic targeting based on payload
2017-08-03 00:27:54 -05:00
Brent Cook
b62429f6fa
handle drive letters specified like E: nicely
2017-08-03 00:27:22 -05:00
Yorick Koster
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
Yorick Koster
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
Yorick Koster
3229320ba9
Code review feedback from @nixawk
2017-08-02 15:46:51 -05:00
Yorick Koster
565a3355be
CVE-2017-8464 LNK Remote Code Execution Vulnerability
...
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
2017-08-02 15:46:30 -05:00
Martin Pizala
b78cb12546
Ruby 2.2 support. See #8792
2017-08-02 18:06:48 +02:00
Jon P
adbeab81da
Avoid exceptions
2017-08-02 15:03:36 +02:00
Brent Cook
6f97e45b35
enable Ruby 2.2 compat checks in Rubocop, correct multi/handler compat
2017-08-02 06:18:02 -05:00
OJ
54ded4300e
Land #8791 - Update Accuvant refs to point to Optiv
2017-08-02 13:26:52 +10:00
TC Johnson
8989d6dff2
Modified Accuvant bog posts to the new Optive urls
2017-08-02 13:25:17 +10:00
Brent Cook
bb2304a2d1
Land #8769 , improve style, compatibility, for ssh modules
2017-08-01 21:43:32 -05:00
Brent Cook
1d75a30936
update style for other ssh exploits
2017-08-01 16:05:25 -05:00
Brent Cook
8c9fb1d529
remove unneeded netssh checks in modules
2017-08-01 14:46:10 -05:00
Brent Cook
4395f194b1
fixup style warnings in f5 bigip privkey exploit
2017-08-01 14:45:05 -05:00
Brent Cook
e61cccda0b
Land #8779 , Adding error handler for ms17-010 exploit where SMBv1 is disabled
2017-08-01 14:00:12 -05:00
OJ
6ee5d83a15
Add the COM hijack method for bypassing UAC
2017-07-31 14:26:39 +10:00
Professor-plum
055d64d32b
Fixed to modules as suggested from upstream
...
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
2017-07-30 10:14:05 -06:00
Martin Pizala
60c3882b84
Improved error handling
2017-07-30 09:07:52 +02:00
Professor-plum
99546330f1
Added PlugX Controller Stack Overflow Module
...
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.
- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target
Sample output:
```
msf> use exploit/windows/misc/plugx
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check
[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
2017-07-29 10:36:42 -06:00
Professor-plum
c336daec8d
Added Gh0st Controller Buffer Overflow Module
...
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution
## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.
- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit
Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit
[*] Started reverse TCP handler on 192.168.161.1:4444
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
2017-07-29 10:21:05 -06:00
tkmru
14507747d0
update CachedSize
2017-07-29 23:42:43 +09:00
tkmru
b1e26dd17e
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x86_retry
2017-07-29 17:24:59 +09:00
wchen-r7
c5021bf665
Land #8761 , Add CVE-2017-7442: Nitro Pro PDF Reader JS API Code X
2017-07-28 17:02:59 -05:00
Jon P
85f48b96bb
Fix syntax
2017-07-28 10:16:59 +02:00
Martin Pizala
6a20e1ac7d
Add module Rancher Server - Docker Exploit
2017-07-28 08:04:21 +02:00
multiplex3r
b2ecaa489d
Rescue only RubySMB::Error::CommunicationError
2017-07-27 19:19:45 +10:00
multiplex3r
f2091928ec
Adding no SMBv1 error handler for ms17-010 exploit
2017-07-27 16:21:09 +10:00
Ricardo Almeida
4845b4b1fa
Orientdb 2.2.x RCE - Fix regular expression for version detection
2017-07-26 14:35:05 +01:00
Jon P
2e87a3d3f8
Multi Gather Docker Credentials Collection
2017-07-26 15:14:16 +02:00
Ricardo Almeida
30664924c8
Orientdb 2.2.x RCE - Reverted to send_request_raw due to issues exploiting windows boxes
2017-07-26 13:59:14 +01:00
tkmru
eb536ba67c
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x64_retry
2017-07-26 09:48:17 +09:00