ca813e7a5c
fix message formatting
2017-06-22 18:21:33 -05:00
823260cc04
fix error message
2017-06-22 18:11:07 -05:00
3cf722a45d
use correct preqrequisites
2017-06-22 18:08:20 -05:00
5e48a11e60
handle specific exceptions, update docs
2017-06-22 18:01:52 -05:00
6a261b172f
move from scanner to admin
2017-06-22 17:47:04 -05:00
125d14f81e
simplify module, add AAAA support
2017-06-22 17:44:55 -05:00
b618e5ca6f
Add more exception handling, fix tidy rules
2017-06-22 15:55:04 -05:00
ce124e6090
Add CNAME record
2017-06-22 15:55:04 -05:00
5528084e27
add Dnsruby
2017-06-22 15:55:04 -05:00
2410a3232f
Adding DNS Server Dynamic Update Record Injection module
2017-06-22 15:41:25 -05:00
4fdd77f19a
Land #8051 , Add Netgear DGN2200v1/v2/v3/v4 Command Injection Module
2017-06-22 11:46:40 -05:00
a4e8cdfa6e
msftidy fixes
2017-06-22 11:44:40 -05:00
3b248c78f3
resurrect old example modules, integrate into module tree
2017-06-22 11:36:35 -05:00
02e4edc4cb
Land #8579 , Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-22 10:56:41 -05:00
47a659f554
Land #8185 , Convert ntp modules to bindata
2017-06-22 09:37:58 -05:00
b51fc0a34e
Land #8489 , more httpClient modules use store_valid_credential
2017-06-21 17:18:34 -05:00
99fb905bbd
fix typo
2017-06-21 16:52:09 -05:00
ceba4e6d61
Add pointer to CDX API
2017-06-21 12:34:40 -05:00
c12056d242
Fix enum_wayback using CDX API
2017-06-21 12:29:15 -05:00
24404ae40f
added heredoc to tidy formatting
...
changed USER persistence method to EVENT to better describe technique
removed "auditpol.exe /set /subcategory:Logon /failure:Enable" command from subscription_event method to be more opsec safe
added CUSTOM_PS_COMMAND advanced option
updated description to reflect changes
2017-06-21 18:15:13 +01:00
24d9bec0ae
Land #8260 , OpManager Version Check
2017-06-20 17:58:10 -05:00
241786e71f
Update description with tested versions.
2017-06-20 15:32:08 -05:00
14f0409c6c
Missing regex '+', readding so we get full API key.
2017-06-20 15:28:15 -05:00
b02719e795
Attempt to appease Travis...
2017-06-20 11:36:08 -05:00
c7a55ef92f
Added exploit documentation
2017-06-20 09:03:40 +02:00
af4eb0fbe3
Corrected shellcode
2017-06-20 00:55:18 +02:00
0b04dc0584
Correct EDB Number
2017-06-20 00:52:29 +02:00
3cd28b28e2
Land #8569 , Add ability to specify API token instead of password
2017-06-19 17:42:35 -05:00
bc826cb824
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit
2017-06-20 00:36:59 +02:00
58cd432120
Added docs, minor code tweak to remove duplication.
2017-06-19 17:35:41 -05:00
722d9a278c
Land #8580 , cachedump iteration count fix
...
lands rogdham's fixes for the ms cache dump post module
2017-06-19 14:04:07 -05:00
27469f8fac
Land #8582 , Rogdham Hashdump fixes
...
Land's Rogdham's fixes to the Hashdump post module
to support Windows 10!
2017-06-19 13:40:40 -05:00
6d38dffbe1
convert conditionals to case statements
...
just a little tidying up by using case statements
2017-06-19 13:40:00 -05:00
681f9f37a6
updated check if powershell is available
2017-06-19 08:35:57 +01:00
096469a8ec
added PROCESS persistence method
2017-06-18 20:42:07 +01:00
a01796d114
Make hashdump module work on Windows 10, fix #7936
2017-06-18 16:35:17 +02:00
03116d7933
Land #8543 , add error handling to ARM linux reverse tcp stager
2017-06-18 15:38:16 +08:00
8c23769cbc
Updated module to use an instance variable for using HTTP session tokens across functions.
2017-06-18 12:59:34 +10:00
7fb36edd50
corrected msftidy warnings
2017-06-17 22:58:47 +02:00
31a5cc94b2
Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-17 22:35:21 +02:00
75fab600c5
Add iteration count to cachedump module, fix #8560
2017-06-17 22:23:41 +02:00
19ceb53304
Modified payload handling and uploaded documentation
2017-06-18 02:04:22 +10:00
6096e373cc
removed whitespace
2017-06-17 10:44:30 +01:00
85173f36f7
moved exploit method moved to top
...
added logon persistence option
fixed typo
cleaned up formatting
2017-06-17 10:30:38 +01:00
86f5f3f002
Fix AES key length in cachedump module, fix #8525
2017-06-17 11:20:29 +02:00
b82051757d
Add SurgeNews User Credentials scanner module
2017-06-17 01:49:47 +00:00
c9e000e379
add new version
2017-06-16 20:59:19 -04:00
07051d1f00
Removed whitespace
2017-06-17 09:59:46 +10:00
8eb59eac3f
Stuffed up regex.. left some random $ characters floating around and have now removed them.
2017-06-17 08:03:09 +10:00
6363a319d2
Fixed Typo
2017-06-17 07:32:17 +10:00
b34bf76fea
Adding GoAutoDial RCE module
2017-06-17 07:22:41 +10:00
652e237131
add missing .to_binary_s calls
2017-06-16 13:39:04 -05:00
f008f2aa8f
working code
2017-06-16 08:24:54 -04:00
e005e51f05
some edits finished
2017-06-16 06:48:31 -04:00
49d998f7d9
catch invalid tokens
2017-06-15 21:45:29 -04:00
53253bfa37
Land #8558 , Fix AMT scanner when parsing mangled HTML
2017-06-15 20:42:33 -05:00
f4ffade406
add ability to specify API token instead of password
2017-06-15 21:05:53 -04:00
5f74da9023
Move php_preamble before $ipaddr and $port
...
php_preamble contains a <?php tag now, so we need to move it to the top.
2017-06-15 19:50:57 -05:00
c634931f0d
Updated payload cached size after the python3 fix
2017-06-16 09:05:31 +10:00
9cf9d22bae
fix mmap return cmp
2017-06-16 06:26:40 +08:00
9d57197736
Land #8551 , Update processmaker_exec module with workspace support
2017-06-15 17:12:35 -05:00
0e38823a8f
Add NNTP Login Utility scanner module
2017-06-15 20:25:40 +00:00
49383f8f3a
Update and fix grammar to the CryptoLog module
...
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
2017-06-15 13:00:44 -05:00
46ffd250a0
module working and docs
2017-06-14 21:15:56 -04:00
549f9e74d8
Fix AMT scanner for mangled HTML (no </p>)
...
Also stores proof using the correct :info for report_vuln (not :proof).
2017-06-14 16:54:32 -05:00
c147779097
Add CVE number to the symantec-messaging-gateway-exec module
2017-06-14 23:07:58 +03:00
c1372456e2
Land #8326 , support LLMNR ANY responses
2017-06-14 14:01:44 -05:00
c35dffc648
first draft of oinkcode
2017-06-14 08:04:17 -04:00
55f0edb732
Land #8491 , fixes for service_persistence
2017-06-13 17:17:53 -05:00
0766f92013
Add option for workspace
2017-06-13 12:46:36 +00:00
cbbb57d1a5
Land #8526 , Refactor QNAP and airOS modules for creds
2017-06-12 14:46:11 -05:00
a40e7164d8
Refactor QNAP module for traditional creds
2017-06-12 14:41:58 -05:00
bb9d1a6768
Land #8507 , Riverbed SteelHead VCX file read
2017-06-12 10:39:48 -05:00
704a1218fa
Land #8498 , store more specific credential wordpress_directory_traversal_dos
2017-06-12 10:13:52 -05:00
80e91e9de2
Minor fixups.
2017-06-12 09:51:30 -05:00
93c4b3fffc
update CacheSize
2017-06-12 01:39:13 +09:00
1862900aae
add error handling
2017-06-12 01:36:13 +09:00
17d7bb0c64
add label and regster value to comment
2017-06-11 20:38:47 +09:00
a349eb9a0d
fixes per peer review
2017-06-10 14:29:53 -04:00
6ae540d889
Adding Symantec messaging gateway rce
2017-06-10 12:23:12 +03:00
c4288fb35a
Update branch to include chances from upstream/master
2017-06-09 17:18:57 +10:00
a3f3dc0a70
Upload payloads/mettle gems, update cache sizes
...
Updated both the metasploit-payload and metasploit-payload-mettle gems
to the versions that match for the session GUID pull requests. Updated
the payload cached sizes to match the new payloads.
2017-06-09 17:15:52 +10:00
a968a74ae0
Update ms17_010_eternalblue description and ranking.
...
The module has been noted to cause crashes, reboots, BSOD, etc, on
some systems.
2017-06-09 11:01:48 +12:00
aa00661fd0
Land #8518 , update CVE references where modules report_vuln
2017-06-08 13:38:12 -05:00
3e20296cf5
Add service_details for SSH
2017-06-08 13:28:29 -05:00
e22334343e
Use store_valid_credential in my modules
...
I used report_note because using the creds API was a pain in the ass.
2017-06-08 00:57:51 -05:00
eef82a501d
Add support for session GUIDs in mettle
2017-06-08 11:20:48 +10:00
99fa52e660
Land #8434 , Add Windows 10 Bypassuac fodhelper module
2017-06-07 11:15:01 -05:00
834e0eba95
Land #8340 , add exception handling for rev_tcp_ssl
2017-06-06 19:09:15 -04:00
d641058f75
Added module to exploit ActiveMQ CVE-2016-3088
2017-06-06 11:33:42 -07:00
b932aae82e
reference typo fix
2017-06-06 11:50:07 -05:00
bac17a8e80
Land #8053 , Add DC/OS Marathon UI Exploit
2017-06-06 09:29:26 -05:00
09e4974b99
removed whitespace at end of lines
2017-06-06 14:44:37 +01:00
1831056010
updated disclosure date
2017-06-06 14:32:19 +01:00
3ded57e1cd
Land #8516 , add verbose debug to ntds dumper
2017-06-06 07:26:54 -05:00
0830e4aaa5
Land #8503 , Linux x86 reverse_tcp error handling
2017-06-06 06:36:55 -05:00
37b9cd07a2
Add support for the session GUID in the UI
...
The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.
2017-06-06 17:15:57 +10:00
1558db375d
update CVE reference in where modules report_vuln
2017-06-05 16:36:44 -05:00
42aa2e5acf
add some attempts at debugging to ntds
...
add some logging and more status outputs to the
NTDS domain hasdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
f47cc1a101
Rubocop readability changes
2017-06-05 14:32:45 -05:00
bc3b883758
Add docs, fix typo, add missing report mixin to avoid error.
2017-06-05 13:49:59 -05:00
a5805a55dc
make this a UDPScanner, rewrite
2017-06-05 12:39:48 -05:00
994995671e
added wmi_persistence module
2017-06-05 17:44:37 +01:00
8c39c92245
Add description and loop capability.
2017-06-05 11:27:13 -05:00
a571834c4d
Initial commit of rpcbomb DoS aux module.
...
This just brings the code in as-in, next step is to update to use our mixins and such.
2017-06-05 10:23:39 -05:00
de86c5d991
add storing creds and loot name consistency
2017-06-04 17:46:43 -04:00
737f7452ce
add my name to author
2017-06-04 04:42:45 +09:00
39cee481c1
Making changes similar to the reverse_tcp payload
2017-06-03 22:57:59 +05:30
ea5db9a039
working module
2017-06-02 23:09:19 -04:00
e7fa4c2d06
Land #8504 , print_good for ipmi_dumphashes
2017-06-02 18:49:41 -05:00
e175bcda08
update cachedSize
2017-06-03 08:37:18 +09:00
34e9b2c04b
Change ipmi_dumphashes to have non-verbose output, ever
2017-06-02 14:27:21 -06:00
2924318ca5
update java_rmi_server modules with CVE
2017-06-02 12:59:48 -05:00
d68365d8df
store more specific credential wordpress_directory_traversal_dos
2017-05-31 18:55:35 -05:00
361cc2dbeb
fix newline issue and service call
2017-05-30 22:37:26 -04:00
f98b40d038
adds check on service writing before running it
2017-05-30 22:14:49 -04:00
0e145573fc
more httpClient modules use store_valid_credential
2017-05-30 14:56:05 -05:00
d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor
2017-05-30 13:59:31 -05:00
a5f910ea63
move trans2 conditional to case statement
...
this is cleaner as a case statement
2017-05-30 13:52:29 -05:00
b65c959347
limited port of the trans2 exploit packets
...
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
2017-05-30 13:49:27 -05:00
72ff4fbf48
Reword warning message, since it didn't make sense
2017-05-30 13:13:08 -05:00
890d35cc30
Fix warning placement to be more helpful
2017-05-30 13:06:23 -05:00
e9ac3fce5a
update credential mode for EB exploit
...
ExternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
2017-05-30 10:55:28 -05:00
9c93aae412
Removed self.class from register
2017-05-30 10:07:07 -04:00
bac23757a4
Updated based on busterb comments
2017-05-30 09:33:03 -04:00
beb1cef835
rescue connection failure for netbios, suggest how to fix it
2017-05-30 08:06:39 -05:00
ea6063138a
Land #8476 , Implement VerifyArch for ETERNALBLUE
2017-05-30 00:31:32 -05:00
a01a2ead1a
Land #8467 , Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
28fb5cc7da
spelling
2017-05-30 00:14:33 -05:00
e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
a781480e89
Add error handling to get_once
...
And check for specific ack result/reason for 32-bit.
2017-05-29 22:28:50 -05:00
6e253a5be7
Use Rex::Proto::DCERPC::Response
2017-05-29 21:58:03 -05:00
5698896672
Land #8323 wordpress pre4.6 dos
2017-05-29 07:59:43 -04:00
42b14a93b8
Add comments
2017-05-28 23:45:09 -05:00
7a2944d113
Implement VerifyArch for ETERNALBLUE
2017-05-28 23:26:59 -05:00
8d3eebf394
Land #8473 aux admin tool to get scadabr creds from db
2017-05-28 20:09:47 -04:00
c811c6a8c0
Add PASS_FILE option
2017-05-28 23:26:51 +00:00
72a5142e37
Update directory traversal DoS module and docs
2017-05-29 00:30:23 +02:00
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
4e29b6e5fd
Land #8275 , add retry opts for py rev_tcp stager
2017-05-28 13:02:35 -04:00
e02d726213
Setting default values to the added options
2017-05-28 14:30:30 +05:30
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
8fce94b3cd
Add ScadaBR Credentials Dumper module
2017-05-28 01:24:53 +00:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
018e544295
Add VICIdial user_authorization Unauthenticated Command Execution module
2017-05-27 05:09:38 +00:00
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
eebfd9b7f2
Switch to the mixin-provided SMB share enumeration methods
2017-05-26 17:02:06 -05:00
ee5f37d2f7
remove nt trans raw sock op
...
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
2017-05-26 15:50:18 -05:00
d4ba28a20b
Land #8457 , Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
f0f99ad479
nttrans packet setup correctly,everything broken
...
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
9b9d2f2345
Final version of configurable depth
2017-05-26 16:23:22 +02:00
33ddef9303
Add documentation, add configurable depth path
2017-05-26 16:14:03 +02:00
162a660d45
Remove the old windows/fileformat/office_word_macro
...
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
04a701dba5
Check template file extension name
2017-05-26 07:31:34 -05:00
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
1582d3a902
support i386
2017-05-26 15:55:42 +08:00
2835c165d7
Land #8390 , Add module to execute powershell on Octopus Deploy server
2017-05-25 17:33:07 -05:00
330526af72
Update check method
2017-05-25 17:30:58 -05:00
ae22b4ccf4
Land #8450 , Samba is_known_pipename() exploit
2017-05-25 16:36:28 -05:00
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
0b0e2f64ca
update SMB1 "Freehole" packet
...
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
1a8961b5e3
fied typo
2017-05-25 19:14:59 +02:00
bc8ad811aa
remove old anonymous login packet
...
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
238052a18b
use RubySMB client echo
...
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
7077ac0523
Meterpreter Post-exploitation module to mount vmdk files
2017-05-25 11:47:04 +02:00
92a1a3ecf7
Adding for loop instead of while, removing 'counter'
2017-05-25 15:09:34 +05:30
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
4ffe666b52
improve the cred fallback
...
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
4c02b7b13a
added credentialed fallback
...
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
dc67fcd5a8
use RubySMB for anonymous login
...
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
af4eafdf70
Updated module and doc
2017-05-24 06:33:08 +05:30
e4ea618edf
Land #8419 , ETERNALBLUE fixes (round two)
...
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
46eb6bdf62
Land #8399 , ETERNALBLUE fixes (round one)
2017-05-23 16:51:19 -05:00
f80c3aa3f4
Correct absolute path
2017-05-23 16:50:25 -05:00
461649ed34
Land #8378 , Add check in archmigrate to prevent privdesc
2017-05-23 14:37:29 -05:00
c73e7673b1
Please the rubocop god
2017-05-23 15:13:55 -04:00
e945773576
Update archmigrate.rb
2017-05-23 14:40:42 -04:00
52363aec13
Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
...
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.
Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
d333077308
osx meterpreter
2017-05-23 14:23:22 +08:00
b7b1995238
Land #8274 , Wordpress admin upload `check`
2017-05-22 22:08:32 -05:00
5395d8f17c
update python stageless payload sizes
2017-05-22 18:21:13 -05:00
d69bfd509f
store the credential using the new store_valid_credential
2017-05-22 15:08:03 -05:00
93bb47d546
msftidy fix
2017-05-22 19:27:15 +01:00
092e7b96b8
typo
2017-05-22 17:27:50 +01:00
74c08cebee
Add bypassuac fodhelper module for Windows 10
2017-05-22 17:25:17 +01:00
467f1ce0ca
Land #8411 , Buffer overflow in VXSearch Enterprise v9.5.12
2017-05-22 07:37:31 -05:00
b5caeb29dd
only support for 32bit so far
2017-05-22 12:30:52 +02:00
036f063988
Fix a stack trace when no SMB response is received
2017-05-19 16:24:41 -05:00
a6f416e8df
Land #8290 , Hwbridge Automotive Fix and Extension Enhancements
2017-05-19 13:46:54 -05:00
b76229b5f7
removed unessessary line
2017-05-18 19:15:49 -07:00
7ca0fe5a68
Added make_junk function
2017-05-18 19:06:09 -07:00
4def7ce6cc
Land #8327 , Simplify storing credentials
2017-05-18 16:49:01 -05:00
c1624d0967
VX Search Enterprise GET Buffer Overflow
2017-05-18 17:12:47 +01:00
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
d944bdfab0
expect 0xC00000D
2017-05-17 23:05:20 -06:00
646ca14375
basic OS verification, ghetto socket read code
2017-05-17 22:48:45 -06:00
c0bf2cc6e7
Land #8401 , Buffer Overflow on Sync Breeze Enterprise 9.4.28
2017-05-17 23:39:50 -05:00
3360171977
Land #8319 , Add exploit module for Mediawiki SyntaxHighlight extension
2017-05-17 23:23:50 -05:00
b78749bc1b
Land #8221 , move autoroute
2017-05-17 15:17:45 -05:00
ad8788cc74
Update syncbreeze_bof.rb
2017-05-17 11:33:24 +01:00
5329ce56c4
Sync Breeze Enterprise GET Buffer Overflow
2017-05-17 10:53:28 +01:00
2f39daafc5
Updated module removing hardcoded binary payload strings
...
-Used only nessessary pointers needed for exploit to work removing junk/filler chars
-Repaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
7e2dab4ddc
Land #8303 , Buffer Overflow on Dupscout Enterprise v9.5.14
2017-05-17 01:04:59 -05:00
6fb4040d11
add core buffer dump for OS version
2017-05-16 23:18:39 -06:00
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
...
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
11da7c7c81
Land #8394 , Add Moxa Credential Recovery Module
2017-05-16 16:45:22 -05:00
8025eb573a
Enforce check
...
Because we are not able to get our hands on the hardware for testing,
and that this module may trigger a backtrace if the UDP server isn't
Moxa, we force check to make sure that doesn't happen.
2017-05-16 16:43:22 -05:00
77a9676efb
Land #8347 , Add Serviio Media Server checkStreamUrl Command Execution
2017-05-16 16:20:39 -05:00
6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue
2017-05-16 15:53:34 -05:00
e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue
2017-05-16 15:41:16 -05:00
e3f4cc0dfd
Land #8345 , WordPress PHPMailer Exim injection
...
CVE-2016-10033
2017-05-16 15:07:21 -05:00
2d7f7f9aec
Pass msftidy
2017-05-16 15:05:12 -05:00
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
e62fc3e93c
Land #8376 , Add BuilderEngine 3.5 Arbitrary file upload & exec exploit
2017-05-16 14:53:32 -05:00
631267480d
Update module description
2017-05-16 14:48:46 -05:00
2ed8ae11b4
Add doc and make minor changes
2017-05-16 14:47:19 -05:00
7c1dea2f02
Refactor prestager to work with newer Exim
...
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
eff4914240
Land #8381 , ETERNALBLUE exploit (to be continued)
2017-05-16 12:19:45 -05:00
53bb5a8440
Update ms17_010_eternalblue.rb
2017-05-16 10:43:43 -06:00
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
20b682b2e4
Land #8391 , fix a typo in vmware_enum_permissions module description
...
orts
2017-05-16 09:33:26 -05:00
4a0535c2d0
add moxa credential recovery module
2017-05-16 10:21:44 -04:00
5fd6cb0890
Remove nil case, since response might be nil
...
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
b41427412b
Improve fail_with granularity for 400 error
...
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
b2f69e9018
spelling
2017-05-15 21:11:19 -04:00
1a644cadc4
Add print_good to on_request_uri override
...
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
3c4dfee4f5
Module to execute powershell on Octopus Deploy server
...
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.
During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lot's of other interesting data).
Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.
More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
5ee570bb9c
Fix non-uniform spelling and capitalization
2017-05-15 08:31:01 -04:00
cb4c700e62
fix typo
2017-05-14 21:52:36 -06:00
865a36068e
sleep fix and new shellcode
2017-05-14 21:45:19 -06:00
e3dcf0ab2d
added docs
2017-05-14 19:22:26 -06:00
9634f974dd
fix msftidy
2017-05-14 18:14:02 -06:00
fa79339432
eternalblue module
2017-05-14 18:11:41 -06:00
f39e378496
Land #8330 , fix ps_wmi_exec and psh staging
2017-05-13 14:26:47 -04:00
ce7b967a13
Update archmigrate.rb
2017-05-13 13:35:48 -04:00
78b0fb00da
I committed to the wrong branch
2017-05-13 13:35:13 -04:00
0bd11062e4
Ass SYSTEM check to archmigrate
2017-05-13 13:28:28 -04:00
3a1ed19a42
Making use of StagerRetryConnect
2017-05-13 17:49:53 +05:30
Brent Cook
KINGSABRI
William Webb
Jin Qian
Jeffrey Martin
William Vu
NickTyrer
Pearce Barry
Mzack9999
David Maloney
Rogdham
Tim
mccurls
Brendan Coles
h00die
thesubtlety
OJ
Tod Beardsley
Mehmet Ince
James Lee
tkmru
Stephen Shkardoon (ss23)
bwatters-r7
Spencer McIntyre
Anderson
itsmeroy2012
Dylan Davis
wolfthefallen
Brent Cook
root
HD Moore
wchen-r7
nks
Borja Merino
juushya
Carter
Matthew Daley
amaloteaux
Christian Mehlmauer
lincoln
Daniel Teixeira
zerosum0x0
zerosum0x0
Patrick DeSantis
james-otten