William Vu
dee9adbc50
Remove deprecated psexec_psh module
2016-03-30 14:35:47 -05:00
wchen-r7
c7e63c3452
Land #6694 , Add Apache Jetspeed exploit
...
CVE-2016-0710
CVE-2016-0709
2016-03-30 11:17:21 -05:00
wchen-r7
74f25f04bd
Make sure to always print the target IP:Port
2016-03-30 11:16:41 -05:00
William Vu
2b90846268
Add Apache Jetspeed exploit
2016-03-23 19:22:32 -05:00
wchen-r7
102d28bda4
Update atutor_filemanager_traversal
2016-03-22 14:44:07 -05:00
wchen-r7
9cb43f2153
Update atutor_filemanager_traversal
2016-03-22 14:42:36 -05:00
Steven Seeley
3842009ffe
Add ATutor 2.2.1 Directory Traversal Exploit Module
2016-03-22 12:17:32 -05:00
h00die
ebc7316442
Spelling Fix
...
Fixed Thorugh to Through
2016-03-19 13:58:13 -04:00
wchen-r7
31279291c2
Resolve merge conflict for ie_unsafe_scripting.rb
2016-03-17 14:42:36 -05:00
wchen-r7
b1b68294bb
Update class name
2016-03-17 14:41:23 -05:00
wchen-r7
7b2d717280
Change ranking to manual and restore BAP2 count to 21
...
Since the exploit requires the target to be configured manually,
it feel more appropriate to be ManualRanking.
2016-03-17 14:39:28 -05:00
James Lee
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
James Lee
af642379e6
Fix some OptInts
2016-03-16 14:13:18 -05:00
Brent Cook
1769bad762
fix FORCE logic
2016-03-16 09:53:09 -05:00
Brent Cook
d70308f76e
undo logic changes in adobe_flas_otf_font
2016-03-16 09:52:21 -05:00
wchen-r7
5ef8854186
Update ATutor - Remove Login Code
2016-03-15 17:37:37 -05:00
Adam Cammack
05f585157d
Land #6646 , add SSL SNI and unify SSLVersion opts
2016-03-15 16:35:22 -05:00
l0gan
e29fc5987f
Add missing stream.raw for hp_sitescope_dns_tool
...
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
Brent Cook
a50b21238e
Land #6669 , remove debug code from apache_roller_ognl_injection that breaks Windows
2016-03-13 14:14:10 -05:00
Brent Cook
23eeb76294
update php_utility_belt_rce to use MetasploitModule
2016-03-13 13:59:47 -05:00
Brent Cook
a6316d326e
Land #6662 , update disclosure date for php_utility_belt_rce
2016-03-13 13:58:04 -05:00
Brent Cook
dabe5c8465
Land #6655 , use MetasploitModule as module class name
2016-03-13 13:48:31 -05:00
wchen-r7
b22a057165
Fix #6554 , hardcoded File.open path in apache_roller_ognl_injection
...
The hardcoded File.open path was meant for debugging purposes during
development, but apparently we forgot to remove it. This line causes
the exploit to be unusable on Windows platform.
Fix #6554
2016-03-11 18:48:17 -06:00
Jay Turla
8953952a8f
correction for the DisclosureDate based on Exploit-DB
2016-03-11 14:05:26 +08:00
James Barnett
7009682100
Landing #6659 , Fix bug in MS08-067 related to incorrect service pack identification when fingerprinting
2016-03-10 14:29:29 -06:00
William Vu
8d22358892
Land #6624 , PHP Utility Belt exploit
2016-03-09 14:12:45 -06:00
William Vu
52d12b68ae
Clean up module
2016-03-09 14:08:26 -06:00
wchen-r7
179d38b914
Fix #6658 , MS08-067 unable to find the right target for W2k3SP0
...
Fix #6658 .
When there is no service pack, the
Msf::Exploit::Remote::SMB#smb_fingerprint_windows_sp method returns
an empty string. But in the MS08-067 exploit, instead of check an
empty string, it checks for "No Service Pack", which causes it to
never detect the right target for Windows Server 2003 SP0.
2016-03-09 11:05:34 -06:00
Christian Mehlmauer
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
Brent Cook
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
.
2016-03-07 13:19:55 -06:00
Brent Cook
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
.
2016-03-07 13:19:48 -06:00
Christian Mehlmauer
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
Christian Mehlmauer
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
Brent Cook
eea8fa86dc
unify the SSLVersion fields between modules and mixins
...
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
Brent Cook
a2c3b05416
Land #6405 , prefer default module base class of simply 'Metasploit'
2016-03-06 17:10:55 -06:00
Brent Cook
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
William Vu
71b034a566
Land #6627 , atutor_sqli regex fix
2016-03-03 16:54:38 -06:00
wchen-r7
ba4e0d304b
Do regex \d+ instead
2016-03-03 11:05:16 -06:00
wchen-r7
22b69c8dee
Land #6588 , Add AppLocker Execution Prevention Bypass module
2016-03-01 22:30:23 -06:00
wchen-r7
a798581fa3
Update #get_dotnet_path
2016-03-01 22:25:40 -06:00
net-ninja
cda4c6b3b3
Update the regex for the number of students in ATutor
2016-03-01 09:41:17 -06:00
Jay Turla
62a611a472
Adding PHP Utility Belt Remote Code Execution
2016-03-01 09:22:25 +08:00
wchen-r7
274b9acb75
rm #push
2016-02-29 18:58:05 -06:00
wchen-r7
f55835cceb
Merge new code changes from mr_me
2016-02-29 18:39:52 -06:00
wchen-r7
638d91197e
Override print_* to always print the IP and port
2016-02-29 16:18:03 -06:00
wchen-r7
54ede19150
Use FileDropper to cleanup
2016-02-29 16:15:50 -06:00
wchen-r7
727a119e5b
Report cred
2016-02-29 16:06:31 -06:00
wchen-r7
4cc690fd8d
Let the user specify username/password
2016-02-29 15:45:33 -06:00
wchen-r7
726c1c8d1e
There is no http_send_command, so I guess the check should not work
2016-02-29 15:43:47 -06:00
net-ninja
a3fa57c8f6
Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 14:59:26 -06:00
wchen-r7
7731fbf48f
Land #6530 , NETGEAR ProSafe Network Management System 300 File Upload
2016-02-26 10:39:09 -06:00
wchen-r7
6188da054d
Remove //
2016-02-25 22:20:48 -06:00
Pedro Ribeiro
044b12d3a4
Made style changes requested by OJ and others
2016-02-23 15:14:04 +07:00
nixawk
138e48b202
Fix vuln_version?
2016-02-22 00:39:44 +08:00
nixawk
53a52fafd5
make code to be readable / rebuild / testing
2016-02-22 00:34:49 +08:00
Micheal
3e22de116f
Changes to fix peer and style as recommended by jhart-r7.
2016-02-20 13:53:32 -08:00
Brent Cook
bc7bf28872
Land #6591 , don't require username for wrt110 cmd exec module
2016-02-18 20:20:15 -06:00
joev
3b9502cb1d
Don't require username in wrt110 module.
2016-02-18 18:45:04 -06:00
OJ
6d88c26474
Change title, and remove requires
2016-02-18 14:26:38 +10:00
OJ
2ae1e6df7d
Address concerns from @wvu-r7
2016-02-18 14:21:35 +10:00
OJ
2f4ec0af31
Add module for AppLocker bypass
...
This commit includes a new module that allows for payloads to be
uploaded and executed from disk while bypassing AppLocker in the
process. This module is useful for when you're attempting to generate
new shells on the target once you've already got a session. It is also
a handy way of switching between 32 and 64 bit sessions (in the case of
the InstallUtil technique).
The code is taken from Casey Smith's AppLocker bypass research (added in
the references), and includes just one technique at this point. This
technique uses the InstallUtil feature that comes with .NET. Other
techiques can be added at any time.
The code creates a C# file and uploads it to the target. The csc.exe
compiler is used to create a .NET assembly that contains an uninstaller
that gets invoked by InstallUtil behind the scenes. This function is
what contains the payload.
This was tested on Windows 7 x64. It supports running of both 32 and 64
bit payloads out of the box, and checks to make sure that .NET is
installed on the target as well as having a payload that is valid for
the machine (ie. don't run x64 on x86 OSes).
This appears to work fine with both staged and stageless payloads.
2016-02-18 13:46:32 +10:00
Starwarsfan2099
ffce1cc321
Update easyfilesharing_seh.rb
2016-02-15 22:43:28 -05:00
Brent Cook
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
William Vu
fc491ffa3e
Land #6555 , Content-Length fix for HP modules
2016-02-10 10:39:08 -06:00
William Vu
5b3fb99231
Land #6549 , module option for X-Jenkins-CLI-Port
2016-02-10 10:34:33 -06:00
William Vu
c67360f436
Remove extraneous whitespace
2016-02-10 09:44:01 -06:00
wchen-r7
8a3bc83c4d
Resolve #6553 , remove unnecessary content-length header
...
Rex will always generate a content-length header, so the module
doesn't have to do this anymore.
Resolve #6553
2016-02-09 21:25:56 -06:00
Brent Cook
c590fdd443
Land #6501 , Added Dlink DCS Authenticated RCE Module
2016-02-09 17:19:33 -06:00
wchen-r7
1d6b782cc8
Change logic
...
I just can't deal with this "unless" syntax...
2016-02-08 18:40:48 -06:00
wchen-r7
d60dcf72f9
Resolve #6546 , support manual config for X-Jenkins-CLI-Port
...
Resolve #6546
2016-02-08 18:16:48 -06:00
wchen-r7
4cea6c0236
Update ie_unsafe_scripting to use BrowserExploitServer
...
This patch updates the ie_unsafe_scripting exploit to use the
BrowserExploitServer mixin in order to implement a JavaScript check.
The JS check allows the exploit to determine whether or not it is
in the poorly configured zone before firing.
It also adds another datastore option to carefully avoid IEs that
come with Protected Mode enabled by default. This is even though
IE allows unsafe ActiveX, PM could still block the malicious VBS or
Powershell execution by showing a security prompt. This is not ideal
during BrowserAutopwn.
And finally, since BAP2 can automatically load this exploit, we
bump the MaxExploitCount to 22 to continue favoring the
adobe_flash_uncompress_zlib_uninitialized module to be on the
default list.
Resolves #6341 for the purpose of better user experience.
2016-02-04 15:12:57 -06:00
Pedro Ribeiro
1f4324f686
Create file for CERT VU 777024
2016-02-04 07:54:16 +08:00
Chris Higgins
b979128a2e
Added OSVBD ID thanks to @shipcod3
2016-02-01 17:11:46 -06:00
James Lee
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
wchen-r7
110a4840e9
Land #6491 , Shrink the size of ms08_067 so that it again works w/ bind_tcp
2016-01-29 11:03:03 -06:00
Micheal
b049debef0
Fixes as recommended in the PR discussion.
2016-01-28 23:29:01 -08:00
Nicholas Starke
d51be6e3da
Fixing typo
...
This commit fixes a typo in the word "service"
2016-01-28 16:44:42 -06:00
Nicholas Starke
1ef7aef996
Fixing User : Pass delimiter
...
As per the PR comments, this commit replaces the user and
pass delimiter from "/" to ":"
2016-01-27 17:20:58 -06:00
Louis Sato
f6f2e1403b
Land #6496 , specify scripting language - elastic search
2016-01-27 15:42:47 -06:00
wchen-r7
51efb2daee
Land #6422 , Add support for native target in Android webview exploit
2016-01-27 14:27:41 -06:00
Chris Higgins
2df458c359
Few updates per OJ and wvu
2016-01-26 23:19:18 -06:00
Chris Higgins
3cab27086f
Added PCMan FTP PUT Buffer Overflow Exploit
2016-01-26 17:09:31 -06:00
Nicholas Starke
4560d553b5
Fixing more issues from comments
...
This commit includes more minor fixes from the github
comments for this PR.
2016-01-24 19:43:02 -06:00
Nicholas Starke
d877522ea5
Fixing various issues from comments
...
This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer". Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
2016-01-23 13:43:09 -06:00
Nicholas Starke
a5a2e7c06b
Fixing Disclosure Date
...
Disclosure date was in incorrect format, this commit
fixes the issue
2016-01-23 11:41:05 -06:00
Nicholas Starke
8c8cdd9912
Adding Dlink DCS Authenticated RCE Module
...
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
2016-01-23 11:15:23 -06:00
William Vu
d6facbe339
Land #6421 , ADB protocol and exploit
2016-01-22 20:45:44 -06:00
William Vu
1b386fa7f1
Add targets to avoid ARCH_ALL payload confusion
2016-01-22 16:45:10 -06:00
Christian Mehlmauer
51eb79adc7
first try in changing class names
2016-01-22 23:36:37 +01:00
Starwarsfan2099
ad93d11868
Delete easyfilesharing_seh.rb
2016-01-22 13:04:14 -05:00
Starwarsfan2099
45c88d3189
Create easyfilesharing_seh.rb
2016-01-22 13:04:03 -05:00
Starwarsfan2099
76a8899d59
Delete EasyFileSharing_SEH.rb
2016-01-22 12:39:44 -05:00
wchen-r7
b02c762b93
Grab zeroSteiner's module/jenkins-cmd branch
2016-01-22 10:17:32 -06:00
Lutz Wolf
99de466a4d
Bugfix: specify scripting language
2016-01-22 15:00:10 +01:00
Brent Cook
dc6dd55fe4
Shrink the size of ms08_067 so that it again works with bind_tcp
...
In #6283 , we discovered that ms08_067 was busted with reverse_tcp. The
solution was to bump the amount of space needed to help with encoding.
However, we flew a little too close to the sun, and introduced a
regression with bind_tcp on Windows XP SP2 EN where the payload stages
but does not run.
This shrinks the payload just enough to make bind_tcp work again, but
reverse_tcp also continues to work as expected.
2016-01-21 19:37:09 -06:00
Starwarsfan2099
1a80878054
Create easyfilesharing_seh.rb
2016-01-21 13:46:43 -05:00
Starwarsfan2099
9b43876270
Create EasyFileSharing_SEH.rb
2016-01-20 18:18:00 -05:00
rastating
a7cd5991ac
Add encoding of the upload path into the module
2016-01-17 22:44:41 +00:00
rastating
5660c1238b
Fix problem causing upload to fail on versions 1.2 and 1.3 of theme
2016-01-17 18:44:00 +00:00
William Vu
fec75c1daa
Land #6457 , FileDropper for axis2_deployer
2016-01-14 15:10:05 -06:00