Commit Graph

4634 Commits (5955397882e4ceaa951fa12ee793f49c007bf58a)

Author SHA1 Message Date
sinn3r 49aac302e6 normalize_uri() breaks URI parsing
Please see: http://dev.metasploit.com/redmine/issues/7727
2013-01-26 22:57:01 -06:00
jvazquez-r7 3faf4b3aca adding sinn3r as author 2013-01-24 18:13:30 +01:00
jvazquez-r7 f1f8782a5d Merge branch 'payload_inject.rb' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-payload_inject.rb 2013-01-24 18:13:00 +01:00
sinn3r 2cedcad810 Check PID 2013-01-24 10:46:23 -06:00
jvazquez-r7 1bccc410a3 Merge branch 'module-movabletype_upgrade_exec' of https://github.com/kacpern/metasploit-framework into kacpern-module-movabletype_upgrade_exec 2013-01-24 15:02:48 +01:00
Kacper Nowak ba41ee9c83 - applied all the changes from #1363
- some extra escaping for the sake of it
- removed the timeout in http_send_raw
2013-01-24 13:15:42 +00:00
jvazquez-r7 96d0b13de2 Merge branch 'excellentrankings' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-excellentrankings 2013-01-24 13:00:01 +01:00
sinn3r 3146b7ce77 Change default target
ExcellentRanking requires the module to auto-target. If the payload
is universal, that works too.
2013-01-23 23:40:47 -06:00
sinn3r 0c0f4a3e66 Lower ranking because they cannot auto-target
In order to be qualified as ExcellentRanking, auto-target is a must,
or the module has to default to a payload that's universal for
multiple platforms.  Otherwise you're wasting time in Pro.
2013-01-23 23:35:31 -06:00
sinn3r 75f3a62ac4 Explain why we need this empty on_new_session 2013-01-23 16:43:36 -06:00
sinn3r 9c3e9f798f Lower the ranking, because it cannot auto-target.
When it's excellent, Pro will fire this first, and that will only
generate more traffic than actually popping a shell.
2013-01-23 16:39:24 -06:00
sinn3r 53599e4c45 It's better to have a version # in the title, easier to find 2013-01-23 16:32:57 -06:00
sinn3r d1736b8880 Merge branch 'sonicwall_upload' of github.com:julianvilas/metasploit-framework into julianvilas-sonicwall_upload 2013-01-23 16:32:06 -06:00
sinn3r ad108900d5 Why yes I know it's a module 2013-01-23 16:23:41 -06:00
sinn3r 22f7619892 Improve Carlos' payload injection module - See #1201
Lots of changes, mainly:
* Description update
* Avoid accessing protected methods
* More careful exception & return value handling
2013-01-23 16:15:14 -06:00
sinn3r e93b7ffcaf Add Carlos Perez's payload injection module
See #1201
2013-01-23 14:07:48 -06:00
sinn3r f50c7ea551 A version number helps deciding which exploit to use 2013-01-23 11:43:39 -06:00
sinn3r a1f8da9ff6 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-01-23 11:41:35 -06:00
sinn3r ca144b9e84 msftidy fix 2013-01-23 11:40:12 -06:00
jvazquez-r7 dd0fdac73c fix indent 2013-01-23 18:19:14 +01:00
Kacper Nowak c47392f5d1 normalize_uri and path fix 2013-01-23 16:57:30 +00:00
Kacper Nowak ff875d04e0 - RPATH changed to TARGETURI
- both CVE numbers referenced
- sightly changed exception handling
2013-01-23 16:50:35 +00:00
booboule 8bcf4a86ef Update modules/exploits/multi/browser/java_jre17_method_handle.rb
Wrong reference type (URL instead of OSVDB)
2013-01-23 17:14:53 +01:00
Kacper Nowak a3fa7cc6bc adjusted disclosure date 2013-01-23 12:49:08 +00:00
jvazquez-r7 e78174297e assuring stdapi loads on meterpreter 2013-01-23 12:44:55 +01:00
Kacper Nowak 5d6ca30422 removed spaces at EOL 2013-01-23 10:33:55 +00:00
Kacper Nowak 17d1c9f996 - expanded description
- updated references
2013-01-23 10:29:11 +00:00
jvazquez-r7 9c9a0d1664 Added module for cve-2012-0432 2013-01-23 10:51:29 +01:00
sinn3r 8819059499 Merge branch 'zoneminder_packagecontrol_exec' of github.com:bcoles/metasploit-framework into bcoles-zoneminder_packagecontrol_exec 2013-01-22 14:41:40 -06:00
jvazquez-r7 807bd6e88a Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl 2013-01-22 15:33:39 +01:00
jvazquez-r7 c498930644 Merge branch 'java_jre17_method_handle' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_method_handle 2013-01-22 15:33:07 +01:00
Kacper Nowak 8a59c7b8fb removed extra print_status() calls 2013-01-22 12:31:40 +00:00
bcoles 970591a85f Add ZoneMinder arbitrary command execution exploit 2013-01-22 22:56:50 +10:30
Kacper Nowak 08a5f467b1 added URL for developer site 2013-01-22 12:14:38 +00:00
Kacper Nowak cd29a88c18 added Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution 2013-01-22 11:58:24 +00:00
Julian Vilas eb92070df8 added module for CVE-2013-1359 2013-01-22 01:54:41 +01:00
jvazquez-r7 967c04e727 finally it doesn't use FileDropper atm 2013-01-20 19:54:24 +01:00
jvazquez-r7 76edbb9e1c Merge branch 'module-jenkins-script-console' of https://github.com/zeroSteiner/metasploit-framework into zeroSteiner-module-jenkins-script-console 2013-01-20 19:53:44 +01:00
jvazquez-r7 9769efbf01 references and date updated 2013-01-20 17:38:37 +01:00
bcoles dc318c5aed update php_charts_exec metadata 2013-01-21 02:12:42 +10:30
bcoles f975a42571 move and update php_charts_exec metadata 2013-01-21 02:10:48 +10:30
bcoles 6ae72e4d63 Add PHP-Charts v1.0 PHP Code Execution Exploit 2013-01-20 23:51:17 +10:30
jvazquez-r7 aed71f8446 linux stager plus little cleanup 2013-01-20 13:42:02 +01:00
Spencer McIntyre 6b40011a6f use target_uri and normalize_uri as well as fix a cookie problem 2013-01-19 19:10:56 -05:00
Spencer McIntyre 9f7aafccdf add module to execute commands via Jenkins Script Console 2013-01-18 14:56:52 -05:00
jvazquez-r7 3465aa00bd title updated 2013-01-18 18:42:27 +01:00
jvazquez-r7 ef16a7fd24 cleanup 2013-01-17 21:45:13 +01:00
jvazquez-r7 670b4e8e06 cleanup 2013-01-17 21:39:41 +01:00
jvazquez-r7 78279a0397 Added new module for cve-2012-5076 2013-01-17 21:27:47 +01:00
jvazquez-r7 d0b9808fc7 Added module for CVE-2012-5088 2013-01-17 21:14:49 +01:00
jvazquez-r7 51ba500b9f msftidy compliant 2013-01-16 12:28:09 +01:00
jvazquez-r7 49b36710c4 Merge branch 'freesshd_authbypass_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-freesshd_authbypass_update 2013-01-16 12:27:42 +01:00
jvazquez-r7 f6d34b52a5 Merge branch 'verb_auth_bypass_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-verb_auth_bypass_update 2013-01-16 12:19:49 +01:00
jvazquez-r7 2348a0b066 final cleanup and testing 2013-01-16 11:55:14 +01:00
jvazquez-r7 b43242d131 Merge branch 'module-nagios3_history_cgi' of https://github.com/jselvi/metasploit-framework into jselvi-module-nagios3_history_cgi 2013-01-16 11:54:51 +01:00
sinn3r 0f24671cf7 Changes how the usernames are loaded.
Allows usernames to be loaded as a file (wordlist), that way the
it's much easier to manage.  It defaults to unix_users.txt,
because these usernames are common in any SSH hosts out there.
If the user only wants to try a specific user (which is better,
because you reduce traffic noise that way), then he/she can set
the USERNAME option, and that should be the only one tried --
similar to how AuthBrute behaves.

I also fixed the regex in check().
2013-01-16 02:14:52 -06:00
Jose Selvi 064ea63a72 Fixes 2013-01-16 05:22:43 +01:00
sinn3r b3291c0329 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2013-01-15 14:10:47 -06:00
sinn3r b5167e7695 Merge branch 'add_bap_to_itms_overflow' of github.com:jvennix-r7/metasploit-framework into jvennix-r7-add_bap_to_itms_overflow 2013-01-15 12:25:07 -06:00
Jose Selvi 18f81fd6f4 Nagios3 history.cgi exploit 2013-01-15 15:32:32 +01:00
sinn3r 04b35a38ff Update MSB ref 2013-01-14 14:59:32 -06:00
jvazquez-r7 c6c59ace46 final cleanup 2013-01-14 20:53:19 +01:00
jvazquez-r7 5ecb0701ea Merge branch 'freesshd_authbypass' of https://github.com/danielemartini/metasploit-framework into danielemartini-freesshd_authbypass 2013-01-14 20:52:45 +01:00
joe 771fc07264 Change :vuln_test to :os_name for checking OS. 2013-01-14 02:17:40 -06:00
joe efcdb1097c Add BAP options to itms_overflow module. 2013-01-14 01:42:58 -06:00
Daniele Martini 04fe1dae11 Added module for Freesshd Authentication Bypass (CVE-2012-6066)
This module works against FreeSSHD <= 1.2.6. Tested against
password and public key authentication methods. It will generate
a random key and password.

To use it you need to know a valid username. The module contains
a basic bruteforce methods, so you can specify more than one to try.
2013-01-13 17:08:04 +01:00
Spencer McIntyre b178ce1895 allow the mixin to auto detect an available decoder binary 2013-01-12 17:31:11 -05:00
kernelsmith 0b130e49e7 Squashed commit of the following:
commit 1beebe758c32a277e0a77f7d1011a56fda707732
Author: kernelsmith <kernelsmith@kernelsmith>
Date:   Fri Jan 11 17:55:27 2013 -0600

    fixes missing word in descript. of rails exploit

    simple omission fix in description

[Closes #1295]
2013-01-11 19:02:06 -06:00
sinn3r 4adf429c31 Adds one more ref 2013-01-11 01:33:26 -06:00
sinn3r 23ef8280be Merge branch 'java_0day_refs' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-java_0day_refs
Conflicts:
	modules/exploits/multi/browser/java_jre17_jmxbean.rb
2013-01-11 01:33:11 -06:00
HD Moore 6471a70053 Pass the X-HTTP-Method-Override parameter for compat 2013-01-10 20:27:13 -06:00
sinn3r e709811c5a CVE update 2013-01-10 19:51:04 -06:00
jvazquez-r7 2c05af721c module also updated with refs 2013-01-11 00:57:05 +01:00
HD Moore 9c652d1d55 Add a note about ruby 1.9 requirements 2013-01-10 17:10:03 -06:00
jvazquez-r7 ea000d6ee0 updated authors 2013-01-10 20:48:54 +01:00
jvazquez-r7 876d889d82 added exploit for j7u10 0day 2013-01-10 20:30:43 +01:00
Bouke van der Bijl 3b491ab998 Change charlisome in the list of authors to charliesome 2013-01-10 16:12:07 +01:00
HD Moore 42ea64c21b Merge in Rails2 support now that its in master 2013-01-10 02:14:08 -06:00
HD Moore 0b74f98946 Rescue errors and update credits 2013-01-10 01:06:46 -06:00
HD Moore 1e94b090e7 The __END__ trick is no longer needed 2013-01-10 00:29:11 -06:00
HD Moore acabc14ec3 This restores functionality across all rails 3.x 2013-01-10 00:28:12 -06:00
HD Moore 0e92de8f61 This works against a wider range of RoR 3.x targets 2013-01-10 00:10:26 -06:00
HD Moore 5e7a4f154e Fix platform/arch 2013-01-09 23:24:37 -06:00
HD Moore e15c731651 Clarify credit 2013-01-09 23:22:40 -06:00
HD Moore 4c1e501ed0 Exploit for CVE-2013-0156 and new ruby-platform modules 2013-01-09 23:10:13 -06:00
jvazquez-r7 ad3ca3a6bb regex to check version fixed 2013-01-09 23:48:55 +01:00
jvazquez-r7 5901058a61 Merge branch 'ms11_081' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_081 2013-01-09 23:24:14 +01:00
sinn3r fe8b9c24cf Merge branch 'jvazquez-r7-honeywell_tema_exec' 2013-01-09 16:08:19 -06:00
sinn3r f3b88d34c1 Add MS11-081 2013-01-09 15:52:33 -06:00
jvazquez-r7 52157b9124 extplorer_upload_exec cleanup 2013-01-09 19:45:17 +01:00
jvazquez-r7 8f91352c4a Merge branch 'extplorer_upload_exec' of https://github.com/bcoles/metasploit-framework into bcoles-extplorer_upload_exec 2013-01-09 19:44:43 +01:00
jvazquez-r7 7a1a9985d5 Merge branch 'mysql_login_exceptions' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mysql_login_exceptions 2013-01-09 18:21:03 +01:00
Spencer McIntyre d79a3c8e6b list valid DECODER values and add the sshexec module 2013-01-09 10:27:22 -05:00
jvazquez-r7 736f8db6c0 Deleting from browser autopwn 2013-01-09 09:58:20 +01:00
jvazquez-r7 377905be7f Avoid FileDropper in this case 2013-01-09 09:15:38 +01:00
jvazquez-r7 52982c0785 Added BrowserAutopwn info 2013-01-08 19:53:34 +01:00
jvazquez-r7 0e475dfce1 improvements and testing 2013-01-08 19:43:58 +01:00
jvazquez-r7 b2575f0526 Added module for OSVDB 76681 2013-01-08 17:46:31 +01:00
sinn3r 2a1ab2c99a Improve the module 2013-01-07 19:03:58 -06:00
sinn3r 1d3c1ec7fc Merge branch 'master' of github.com:CharlieEriksen/metasploit-framework into CharlieEriksen-master 2013-01-07 19:03:35 -06:00
Charlie Eriksen 4e0fca6d0f Adding DB error handling
As per sinn3r's suggestion, adding handling for the most common MySQL
errors.

Also adding HostNotPrivileged, which I encountered during my testing.
2013-01-07 23:52:13 +00:00
sinn3r 5bc1066c69 Change how modules use the mysql login functions 2013-01-07 16:12:10 -06:00
sinn3r a59c474e3e Merge branch 'jvazquez-r7-ibm_cognos_tm1admsd_bof' 2013-01-07 13:34:52 -06:00
Tod Beardsley 36adf86184 Various and sundry fixes for normalize_uri 2013-01-07 12:02:08 -06:00
Tod Beardsley 33751c7ce4 Merges and resolves CJR's normalize_uri fixes
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules

Note that this trips all kinds of msftidy warnings, but that's for another
day.

Conflicts:
	modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
	modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
Charlie Eriksen a8df3d71ff Changes based on Sinn3r's feedback
A bucket-load of changes!

- Added a fallback for if there is no Set-Cookie header
- Added a check if the cookie we produce is simply empty, meaning we
failed something :(
- Removed use of flatten. Though I may look into making that extraction
better
- Changed cgi requests to use vars_(post|get)
- Clarified a few status prints
- A few EOL space fixes
2013-01-06 12:34:27 +00:00
Charlie Eriksen a5113f0da4 Adding a check function
Because it makes sense. The non-vulnerable versions doesn't have
/libs/pdf.php.

So pretty simple.
2013-01-05 18:37:29 +00:00
Charlie Eriksen ae72022777 Improvement for CVE 2012-4915
Made two tiny improvements based on Meatballs' points

- Added handling for 127.0.0.1 as DB_HOST
- Added a note in the description about it changing the pasword
2013-01-05 18:23:00 +00:00
Charlie Eriksen 25cadf8b87 Adding exploit for CVE 2012-4915
Initial commit.

Major functionality working. A bit of polish is still needed in a few
spots to handle exceptions and such.
2013-01-05 14:21:02 +00:00
jvazquez-r7 883b3446f3 license text 2013-01-05 08:03:25 +01:00
jvazquez-r7 0a13f01f23 Added module for ZDI-12-101 2013-01-05 07:40:32 +01:00
Christian Mehlmauer 6654faf55e Msftidy fixes 2013-01-04 09:29:34 +01:00
sinn3r b50e040e69 Fix e-mail format, and the extra comma 2013-01-04 01:11:40 -06:00
sinn3r 6d4abe947d Merge branch 'id_revision' of github.com:FireFart/metasploit-framework into FireFart-id_revision 2013-01-04 00:23:03 -06:00
sinn3r 38de5d63d8 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-01-03 17:49:24 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
sinn3r b061a0f9c1 Merge branch 'enterasys_netsight_syslog_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-enterasys_netsight_syslog_bof 2013-01-03 17:45:24 -06:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
jvazquez-r7 a0b4045b4b trying to fix the variable offset length 2013-01-04 00:25:34 +01:00
sinn3r 724fa62019 Merge branch 'enterasys_netsight_syslog_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-enterasys_netsight_syslog_bof 2013-01-03 15:35:29 -06:00
sinn3r 6fd35482cc This exploit should be in browser auto pwn 2013-01-03 14:45:00 -06:00
jvazquez-r7 9cea2d9af9 reference updated 2013-01-03 19:39:18 +01:00
jvazquez-r7 45808a3a44 Added module for ZDI-11-350 2013-01-03 19:17:45 +01:00
sinn3r 06b937ec11 Implements WTFUzz's no-spray technique
Do not try to bend the spoon, that is impossible. Instead, only
try to realize the truth: there is no spoon.
2013-01-03 11:57:47 -06:00
sinn3r c86c6f1ba0 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2013-01-02 17:26:42 -06:00
jvazquez-r7 758edd7aed make msftidy happy 2013-01-03 00:02:03 +01:00
Charlie Eriksen 97253d46a1 Multiple change for Juan
Incooperated changes as per Juan's suggestions.

- Removed redundant space option for the payload
- Doing the uri more intelligently
- Detecting allow_url_include being disabled and reporting it
- Moved to unix/webapp
- Removed redundant handler call
- Adding to description that this requires allow_url_include to be
enabled
2013-01-02 21:19:06 +00:00
Charlie Eriksen 78c6d04b31 Fixing from crlf to lf
By accident the line endings changed to crlf.

Mihi pointed out that the last diff was funky because the commit by
accident had crlf rather than the lf from the initial commits.

Also adding an email, as per the HACKING guide and since hdm pointed out
the usefulness of it.
2013-01-02 20:14:09 +00:00
Charlie Eriksen ef3f15e881 Adding a PLUGINSPATH option
Adding a PUGINSPATH option as per FireFart's comment.

Because the path to plugins(and wp-content) can be changed, I've added a
PLUGINSPATH options.
This allows for targeting of sites where either folder has been moved,
by specifying the relative path to where all plugins are stored.
2013-01-02 18:56:49 +00:00
Charlie Eriksen 6fb2130265 Adding a damn space
It suddenly jumped at me that there was a missing space in the module
info. Couldn't unsee.
2013-01-01 23:40:01 +00:00
Charlie Eriksen 4ba5b45ad3 Fixed the check
Turns out the export returns a 500 by default. Fixing.
2013-01-01 23:15:10 +00:00
Charlie Eriksen dd0482cb9d Code style fix!
Now variable names are in-line with the coding guidelines!
2013-01-01 23:01:14 +00:00
Charlie Eriksen 2fe2d5d3dd Adding exploit for OSVDB 87353
Adding an exploit for OSVDB 87353, which allows for a remote file
inclusion in the Advanced Custom Fields plugin for Wordpress. and shell
given that url include is enabled in the php installation.
2013-01-01 22:52:55 +00:00
sinn3r 38157b86a9 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-31 11:15:44 -06:00
sinn3r f7543e18fe Your def of commit apparently is a little different than mine, git. 2012-12-31 00:35:13 -06:00
sinn3r 2b3f7c4430 Module rename
Sorry, Tod, this must be done.
2012-12-31 00:29:19 -06:00
sinn3r 5703274bc4 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-30 20:34:57 -06:00
sinn3r 1084334d5e Randomness 2012-12-30 20:34:14 -06:00
sinn3r 7cb42a5eb4 Add BID ref 2012-12-30 18:14:22 -06:00
sinn3r cc52e2c533 Where's Juan's name? 2012-12-30 12:58:16 -06:00
jvazquez-r7 14f21c0a29 using the rop as expected 2012-12-30 16:13:48 +01:00
jvazquez-r7 eed5a74f32 description updated and reference added 2012-12-30 16:08:01 +01:00
bcoles 8e543cf5f5 Add eXtplorer v2.1 auth bypass exploit module 2012-12-30 23:51:41 +10:30
Christian Mehlmauer f7d6594314 re-deleted comma 2012-12-30 13:39:14 +01:00
jvazquez-r7 6be8ed6168 readd fix for #1219 2012-12-30 13:25:42 +01:00
jvazquez-r7 cd58cc73d9 fixed rop chain for w2003 2012-12-30 13:12:55 +01:00
Christian Mehlmauer cab84b5c27 Fix for issue #1219 2012-12-30 13:02:13 +01:00
Christian Mehlmauer dcf018c339 Comma 2012-12-30 12:54:44 +01:00
Christian Mehlmauer 14d197eeb2 Added Windows Server 2003 2012-12-30 11:35:29 +01:00
jvazquez-r7 6cb9106218 Added module for CVE-2012-4792 2012-12-30 01:46:56 +01:00
sinn3r eb2037bdba Merge branch 'inotes_dwa85w_bof' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-inotes_dwa85w_bof 2012-12-28 12:16:06 -06:00
jvazquez-r7 9ffb0dcf79 switch to some random data 2012-12-28 12:48:36 +01:00
jvazquez-r7 8f62cd5561 swith to some random data 2012-12-28 12:47:20 +01:00
jvazquez-r7 af61438b0b added module for zdi-12-132 2012-12-28 11:45:32 +01:00
jvazquez-r7 8ea5c993a2 added module for zdi-12-134 2012-12-28 11:44:30 +01:00
sinn3r 771460fa4c Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-26 11:35:52 -06:00
sinn3r d2dc7ebc2d Merge branch 'feature/windows-postgres-payload-dll' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/windows-postgres-payload-dll 2012-12-26 11:18:21 -06:00
sinn3r 8223df375d Avoid making the title sound too generic. 2012-12-26 11:15:37 -06:00
sinn3r 0b2ea3e55e Fix weird tabs vs spaces prob 2012-12-26 11:14:48 -06:00
jvazquez-r7 e895ccb6b1 added random string functions 2012-12-25 18:13:02 +01:00
jvazquez-r7 fec989026f Added module for CVE-2012-5691 2012-12-25 18:05:10 +01:00
sinn3r 2682908ff2 Small corrections here and there 2012-12-24 18:20:46 -06:00
sinn3r 6a3bf6a2a6 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-24 17:57:02 -06:00
sinn3r 38f0886058 James has more modules that need to be updated.
e-mail update.
2012-12-24 17:51:58 -06:00
jvazquez-r7 5b8492fc0d module cleanup by juan 2012-12-24 23:26:40 +01:00
jvazquez-r7 ac6f34dc09 module name renamed 2012-12-24 23:26:06 +01:00
jvazquez-r7 bf036c97ad added initial submission from james fitts 2012-12-24 23:25:25 +01:00
jvazquez-r7 7173c9b598 update james email address 2012-12-24 22:46:47 +01:00
sinn3r d69e506221 Final changes 2012-12-24 15:08:52 -06:00
sinn3r 3d27397429 This error will still show even if we get a shell 2012-12-24 15:06:15 -06:00
jvazquez-r7 0950240d9a module cleanup by juan 2012-12-24 18:59:45 +01:00
jvazquez-r7 9020c96373 module renamed 2012-12-24 18:59:25 +01:00
jvazquez-r7 09568f255e Submission by James Fitts 2012-12-24 18:58:53 +01:00
sinn3r 076c8aa995 Merge branch 'nullbind-mssql_linkcrawler' 2012-12-24 11:14:28 -06:00
sinn3r 677b9718da Finalizing module 2012-12-24 11:13:51 -06:00
jvazquez-r7 4c897c5181 added module for ZDI-12-154 2012-12-24 16:23:19 +01:00
sinn3r d2e3e5defb Merge branch 'jlee-r7-cleanup/post-windows-services' 2012-12-22 13:29:48 -06:00
jvazquez-r7 e15cf9f288 Merge branch 'netwin_surgeftp_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-netwin_surgeftp_exec 2012-12-22 15:50:07 +01:00
sinn3r d97a63a94c Make changes based on juan and egypt's feedback 2012-12-22 02:35:22 -06:00
James Lee 20cc2fa38d Make Windows postgres_payload more generic
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
  the ability to use generate_payload_dll() which generates a generic dll
  that spawns rundll32 and runs the shellcode in that process. This is
  basically what the linux version accomplishes by compiling the .so on
  the fly. On major advantage of this is that the resulting DLL will
  work on pretty much any version of postgres

* Adds Exploit::FileDropper to windows version as well. This gives us
  the ability to delete the dll via the resulting session, which works
  because the template dll contains code to shove the shellcode into a
  new rundll32 process and exit, thus leaving the file closed after
  Postgres calls FreeLibrary.

* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
  Windows

* Adds a check method to both Windows and Linux versions that simply
  makes sure that the given credentials work against the target service.

* Replaces the version-specific lo_create method with a generic
  technique that works on both 9.x and 8.x

* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
  gets downcased and subsequently causes postgres to error out before
  opening the DLL

* Cleans up lots of rdoc in Exploit::Postgres
2012-12-22 00:30:09 -06:00
sinn3r 9b768a2c62 Merge branch 'cleanup/post-windows-services' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-cleanup/post-windows-services 2012-12-21 23:42:17 -06:00
sinn3r 49248c79d6 Oops, didn't mean to keep these lines 2012-12-21 22:22:58 -06:00
sinn3r 9af8c9b457 Small corrections 2012-12-21 18:52:40 -06:00
sinn3r ca72132fc0 Add a check 2012-12-21 16:23:31 -06:00
sinn3r 1323081bce msftidy cleanup 2012-12-21 16:11:16 -06:00
sinn3r 529a3c9a63 Add Netwin SurgeFTP module 2012-12-21 16:10:27 -06:00
jvazquez-r7 d5f08a2405 Added module for CVE-2012-6329 for foswiki 2012-12-21 22:08:08 +01:00
jvazquez-r7 02782258eb fix eol for ms12_004_midi 2012-12-21 21:01:39 +01:00
jvazquez-r7 ff4b959c04 Merge branch 'ms12_004_leaky_icky' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms12_004_leaky_icky 2012-12-21 21:01:05 +01:00
sinn3r 115ad9ae33 Small corrections 2012-12-21 12:56:44 -06:00
sinn3r 3c398d0e62 Final cleanup 2012-12-21 10:46:36 -06:00
sinn3r 4c58991c89 Cleanup ROP a little 2012-12-21 10:35:28 -06:00
sinn3r e95f0267c6 Update for some leaky icky 2012-12-21 10:03:38 -06:00
jvazquez-r7 76cad3dd4c Added module for CVE-2012-6329 2012-12-21 11:30:04 +01:00
HD Moore b3c0c6175d FixRM #3398 by removing double user-agent headers 2012-12-20 14:45:18 -06:00
sput-nick 4595a96ece updated CVE and OSVDB wikka_spam_exec references 2012-12-19 16:42:47 -05:00
jvazquez-r7 f820ffb32d update authors 2012-12-18 23:57:29 +01:00
jvazquez-r7 8a07d2e53d Added module for ZDI-12-168 2012-12-18 23:48:53 +01:00
sinn3r 0344c568fd Merge branch 'smb_fixes' of git://github.com/alexmaloteaux/metasploit-framework into alexmaloteaux-smb_fixes 2012-12-18 11:38:14 -06:00
Garret Picchioni fa42d0c7fe Fixed minor spelling errors 2012-12-17 15:18:08 -07:00
sinn3r 88f02e0016 Merge branch 'jvazquez-r7-crystal_reports_printcontrol' 2012-12-17 13:52:11 -06:00
sinn3r 9198e0dc05 Merge branch 'crystal_reports_printcontrol' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-crystal_reports_printcontrol 2012-12-17 13:40:41 -06:00
Tod Beardsley 10511e8281 Merge remote branch 'origin/bug/fix-double-slashes'
Ran the new normalize_uri() specs, all passes, so I'm quite confident in
this change.
2012-12-17 13:29:19 -06:00
jvazquez-r7 3ed36bd66a trying to fix stability issues on w7 2012-12-17 19:17:36 +01:00
sinn3r 37ce92afb1 Merge branch 'crystal_reports_printcontrol' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-crystal_reports_printcontrol 2012-12-16 16:15:24 -06:00
jvazquez-r7 bce7d48931 comment updated 2012-12-14 23:55:12 +01:00
jvazquez-r7 0a0b26dc2c after study the crash after the overflow... 2012-12-14 23:54:44 +01:00
sinn3r 53a2fda608 Merge branch 'mssql_linkcrawler' of git://github.com/nullbind/metasploit-framework into nullbind-mssql_linkcrawler 2012-12-14 15:23:25 -06:00
sinn3r 12472756aa Merge branch 'master' into bug/safari-metadata-version 2012-12-14 12:52:18 -06:00
jvazquez-r7 3e3f35419b Added module for CVE-2010-2590 2012-12-14 12:50:29 +01:00
joe eb972eaf0a Add a maxver for the safari_metadata_archive exploit.
* Apple Security Update 2006-001 (http://support.apple.com/kb/TA23971)
* Update applied to 10.4.5, where safari 2.0.3 is default browser.
* Because update did not bump Safari version, not all 2.0.3 browsers will be affected.
2012-12-14 02:17:25 -06:00
sinn3r d2885d9045 Correct US Cert references 2012-12-13 14:19:53 -06:00
nullbind 67829756f8 fixed errors 2012-12-12 17:45:02 -06:00
Tod Beardsley e762ca0d9b Merge remote branch 'jlee-r7/midnitesnake-postgres_payload' 2012-12-12 15:30:56 -06:00
sinn3r a69a4fbbce Extra spaces, be gone. 2012-12-12 14:38:00 -06:00
sinn3r 3a481c8e42 Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode 2012-12-12 14:31:04 -06:00
David Maloney 5856874cea Login check fixes for exploit 2012-12-12 14:18:41 -06:00
sinn3r b465d20d61 Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode 2012-12-12 11:59:23 -06:00
David Maloney 5e8b9a20a4 Fix boneheaded mistake 2012-12-12 09:18:03 -06:00
sinn3r 3f4efea879 No twitter name, please. 2012-12-11 14:52:39 -06:00
sinn3r 343a785420 Add OSVDB references 2012-12-11 12:47:08 -06:00
jvazquez-r7 2eb4de815d added c# code by Nicolas Gregoire 2012-12-11 16:33:41 +01:00
jvazquez-r7 44633c4f5b deleted incorrect cve ref 2012-12-11 12:16:47 +01:00
jvazquez-r7 fdb457d82b Merge branch 'refs_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-refs_update 2012-12-11 12:16:06 +01:00
sinn3r b315a4eee4 Grammar 2012-12-11 00:19:15 -06:00
jvazquez-r7 e3a126aa75 Added module for ZDI-10-174 2012-12-11 01:37:44 +01:00
sinn3r 31e2a164a9 MySQL file priv gets a ref from OSVDB 2012-12-10 12:15:44 -06:00
sinn3r f5193b595c Update references 2012-12-10 11:42:21 -06:00
David Maloney e448431c8a Add 32bit comapt mode for 64 bit targets on wirnm
When a 32 bit payload is selected for an x64 target using the powershell
2.0 method,
it will try to invoke the 32bit version of pwoershell to sue instead
allowing us to still get a session even with the wrong payload arch
2012-12-10 11:39:24 -06:00
Tod Beardsley 7ea188e02d Merge pull request #1147 from wchen-r7/cve_text_consistency
Change CVE text format
2012-12-09 14:48:08 -08:00
sinn3r 23d0ffa3ab Dang it, grammar fail. 2012-12-09 01:39:24 -06:00
sinn3r 64a8b59ff9 Change CVE forma
Although the original text should work perfectly, for better
consistency, it's best to remove the "CVE" part. This may not
be a big deal in framework, but stands out a lot in Pro.
2012-12-09 01:09:21 -06:00
sinn3r 811bc49bfd Merge branch 'bug/rm7593-flash-otf' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-bug/rm7593-flash-otf 2012-12-08 17:16:14 -06:00
jvazquez-r7 d921c6f6e9 bid reference added 2012-12-08 15:09:32 +01:00
jvazquez-r7 080e45045b Merge branch 'nagios_graph_explorer' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-nagios_graph_explorer 2012-12-08 15:08:57 +01:00
sinn3r 60feba164d Add OSVDB 2012-12-07 23:18:02 -06:00
sinn3r 15661b82bc Add Nagios Network Monitor Graph Explorer module 2012-12-07 23:16:25 -06:00
sinn3r e989142d9d Merge branch 'freefloat' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-freefloat 2012-12-07 14:48:01 -06:00
sinn3r 78b4233b56 Final changes 2012-12-07 14:44:41 -06:00
jvazquez-r7 bae5442ca6 working... 2012-12-07 21:38:17 +01:00
sinn3r 901ef5060c Merge branch 'maxthon' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-maxthon 2012-12-07 13:52:23 -06:00
sinn3r 3f1cfcc184 More changes 2012-12-07 13:47:07 -06:00
jvazquez-r7 1aaecbcf0c cleanup and user agent check 2012-12-07 20:38:08 +01:00
sinn3r a1336c7b5a Some more changes 2012-12-07 13:32:44 -06:00
sinn3r 403ac1dc37 I would do anything for a cake. 2012-12-07 13:15:27 -06:00
sinn3r 9838a2c75f This never works for us. Gonna ditch it. 2012-12-07 13:02:26 -06:00
jvazquez-r7 b0be8dc4df history exploit cleanup 2012-12-07 19:23:00 +01:00
sinn3r 38f2348c33 First changes 2012-12-07 11:27:09 -06:00
sinn3r a872362a65 Merge branch 'maxthon3' of git://github.com/malerisch/metasploit-framework into maxthon 2012-12-07 11:17:15 -06:00
sinn3r 2260e4b471 Switch to manual payload selection, because we don't auto-detect 2012-12-07 11:07:11 -06:00
James Lee 8812285678 Move print of my_target.name to after nil check
Avoids
  "Exception handling request: undefined method `name' for nil:NilClass"
when we don't have a target for the connecting browser.

[FixRM #7593]
2012-12-07 11:00:24 -06:00
sinn3r c08ee695a9 Merge branch 'splunk_upload_app_exec_cleanup' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-splunk_upload_app_exec_cleanup 2012-12-07 10:46:28 -06:00
sinn3r fafdcbaae1 Vuln discovered by Rich.
See: https://twitter.com/webstersprodigy/status/277087755073380353
2012-12-07 10:42:45 -06:00
jvazquez-r7 e5cc950fe1 fix identation 2012-12-07 11:57:11 +01:00
jvazquez-r7 133ad04452 Cleanup of #1062 2012-12-07 11:55:48 +01:00
sinn3r cddda9eab7 Merge branch 'master' into nullbind-mssql_linkcrawler 2012-12-06 23:51:06 -06:00
sinn3r 88c97cd2b5 Merge branch 'mssql_linkcrawler' of git://github.com/nullbind/metasploit-framework into nullbind-mssql_linkcrawler 2012-12-06 18:08:13 -06:00
sinn3r bf47eaaa41 Remove code that's commented out. Clearly not needed anymore. 2012-12-06 12:57:41 -06:00
sinn3r 0ea5c781c1 Tabs and spaces don't mix 2012-12-06 12:53:22 -06:00
sinn3r 37f9cff25a Merge branch 'ibm_director_cim_dllinject' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ibm_director_cim_dllinject 2012-12-06 12:36:48 -06:00
jvazquez-r7 fd20998f40 using the primer callback as pointed by egypt 2012-12-06 18:59:46 +01:00
sinn3r 817a7749c1 Merge branch 'ibm_director_cim_dllinject' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ibm_director_cim_dllinject 2012-12-06 11:35:09 -06:00
jvazquez-r7 8e21d9e235 fix source_address param 2012-12-06 18:34:22 +01:00
sinn3r 1fb05c0baf Merge branch 'ibm_director_cim_dllinject' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ibm_director_cim_dllinject 2012-12-06 11:34:19 -06:00
Tod Beardsley 215017e17c Merge remote branch 'wchen-r7/better_tectia_ssh' 2012-12-06 11:01:36 -06:00
sinn3r 06927345e5 If message becomes nil, we should force a to_s for the regex
next_message can be nil sometimes if packet is nil (see net/ssh's
poll_message source)
2012-12-06 10:44:16 -06:00
jvazquez-r7 fc8b08f10f trailing comma 2012-12-06 17:32:58 +01:00
jvazquez-r7 532afc2919 Added module for CVE-2009-0880 2012-12-06 16:43:07 +01:00
jvazquez-r7 6d3d4c1d84 Added support for FileDropper 2012-12-06 12:03:17 +01:00
sinn3r 18f4df0a38 Fix weird indent prob 2012-12-06 03:58:16 -06:00
sinn3r a90ed82413 Correct CVE format 2012-12-06 03:57:46 -06:00
sinn3r 2b96c4e2a5 Add Kingcope's MySQL 'Stuxnet' technique exploit
Because why not.  One more trick to a pentest + coverage = better.
2012-12-06 03:56:23 -06:00
sinn3r 530332b176 Apply evil-e's fix when port isn't 22
See #1130
2012-12-05 21:42:53 -06:00
sinn3r 32c5f12912 Hmm, I should change the target name 2012-12-05 21:38:31 -06:00
sinn3r d3c1fa842a Lots of improvements
Keyboard-interactive method isn't required to exploit Tectia SSH.
So this update will just go straight to password method. There's
also improvements for the check() method: Not only does it check
the SSH version (banner), it will also check and see if the server
is using password method to auth.
2012-12-05 21:34:33 -06:00
malerisch 5e28563e4e Advisories URLs changed 2012-12-05 14:33:25 -08:00
sinn3r 49999a56ea Added CVE & vendor advisory information 2012-12-05 10:13:44 -06:00
jvazquez-r7 dd1d60293c Merge branch 'indesign_server' of https://github.com/h0ng10/metasploit-framework into h0ng10-indesign_server 2012-12-05 15:27:25 +01:00
sinn3r b85919266d Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-12-04 15:55:08 -06:00
jvazquez-r7 2cca857f6f added support for Mac OS X 2012-12-04 22:04:21 +01:00
jvazquez-r7 9d8f0f94f6 added support for Mac OS X 2012-12-04 22:03:58 +01:00
jvazquez-r7 5548bebb16 embeding payload on the c# script 2012-12-04 17:44:55 +01:00
sinn3r e6c6133c90 must be password authentication 2012-12-04 09:56:51 -06:00
sinn3r 2467183c4f "Appears" is better
"Appears" is a more accureate way describing how much we think the
host is vulnerable.
2012-12-04 09:28:05 -06:00
sinn3r b5e7009283 Since we have included Tcp for check(), we don't need to reg rhost 2012-12-04 09:25:24 -06:00
sinn3r 3c59c2d5c0 This extra space must die. 2012-12-03 21:09:07 -06:00
sinn3r 211a1674f5 Add kingcope's Tectia SSH 0day 2012-12-03 21:07:32 -06:00
h0ng10 752907d5f0 exploit for OSVDB-87548 2012-12-03 19:01:40 -05:00
jvazquez-r7 3f3bdb8473 my editor... 2012-12-03 21:45:26 +01:00
jvazquez-r7 8a9ad4253a comment about the original discoverer updated 2012-12-03 21:44:35 +01:00
jvazquez-r7 2cb824d62d Added module for CVE-2012-5357 2012-12-03 20:12:02 +01:00
James Lee bc63ee9c46 Merge branch 'jvazquez-r7-file_dropper_support_local' into rapid7 2012-11-30 13:43:02 -06:00
sinn3r 9d52048d7f Forgot to remove this after badchar analysis 2012-11-30 02:17:08 -06:00
sinn3r 37f731fe7d Add OSVDB-80896 BlazeVideo HDTV Player Pro 6.6 Buffer Overflow 2012-11-30 02:14:22 -06:00
HD Moore 93a69ea62e Fix instances of invalid lower-case datastore use 2012-11-29 00:05:36 -06:00
HD Moore 8b3d200986 Add a check for nil 2012-11-28 23:50:29 -06:00
Alexandre Maloteaux c0c3dff4e6 Several fixes for smb, mainly win 8 compatibility 2012-11-28 22:49:40 +01:00
jvazquez-r7 17518f035c support for local exploits on file_dropper 2012-11-28 22:17:27 +01:00
sinn3r b2f906e83e Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-11-28 15:10:51 -06:00
sinn3r b764110e6e Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00
jvazquez-r7 85ed074674 Final cleanup on always_install_elevated 2012-11-28 21:50:08 +01:00
jvazquez-r7 fd1557b6d2 Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated 2012-11-28 21:49:36 +01:00
sinn3r fd2296317d Strip the credential dumping stuff (making it auxiliary)
Also a little description update
2012-11-28 14:27:01 -06:00
sinn3r 6b524ff22a Merge branch 'eaton_network_shutdown' of git://github.com/h0ng10/metasploit-framework into h0ng10-eaton_network_shutdown 2012-11-28 11:22:36 -06:00
Meatballs1 7fea0d4af6 Add initial auto run script 2012-11-28 16:38:31 +00:00
Meatballs1 a3fbf276f9 Reinstated cleanup 2012-11-28 11:23:08 +00:00
Meatballs1 b5b47152fc Changed to static msi filename 2012-11-28 11:21:02 +00:00
h0ng10 897ae102d4 fixed msftidy.rb complains 2012-11-28 01:22:19 -05:00
h0ng10 7109d63f36 Code clean up, thanks to Brandon Perry 2012-11-28 01:20:41 -05:00
Meatballs1 76f7abe5b6 Little tidy up 2012-11-27 23:58:58 +00:00
Meatballs1 81c2182424 Msftidy 2012-11-27 23:33:07 +00:00
Meatballs1 9741d55724 Moved to agnostic post module commands 2012-11-27 23:26:19 +00:00
Meatballs1 6fe378b594 Minor changes to description 2012-11-27 20:56:52 +00:00
Meatballs1 d067b040a0 Minor changes to description 2012-11-27 20:55:36 +00:00
Meatballs1 7727f3d6e8 Msftidy 2012-11-27 18:31:54 +00:00
Meatballs1 889c8ac12d Add build instructions and removed binary 2012-11-27 18:18:20 +00:00
Meatballs1 bc9065ad42 Move MSI source and binary location 2012-11-27 18:12:49 +00:00
h0ng10 4ef0d8699a added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00
James Lee 17d8d3692b Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-11-27 11:14:54 -06:00
sinn3r b395f8f96d Only XP for target coverage 2012-11-27 10:48:20 -06:00
sinn3r 2e71fc740e No badchars, then no need to have the key 2012-11-27 10:46:20 -06:00
jvazquez-r7 8c53b275c6 Added module for cve-2012-3753 2012-11-27 12:10:00 +01:00
Tod Beardsley f1fedee63b EOL space, deleted 2012-11-26 14:19:40 -06:00
jvazquez-r7 36e2a4fddc Merge branch 'splunk_nil_cookie' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-splunk_nil_cookie 2012-11-26 19:18:32 +01:00
sinn3r 9c3be383d0 The 'Set-Cookie' header should be checked before accessing it 2012-11-26 12:06:43 -06:00
malerisch 6dfda6da37 Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 15:53:58 -08:00
sinn3r e9256de6f6 Merge branch 'jvazquez-r7-apple_quicktime_texml_font_table' 2012-11-23 18:53:31 -06:00
sinn3r 89ddedf773 If no badchars, no need to specify. 2012-11-23 18:46:50 -06:00
jvazquez-r7 4c9b8d4567 targets updated 2012-11-23 18:48:59 +01:00
HD Moore d4e873df07 Fix bad reference (thanks Daniel Moeller) 2012-11-22 23:51:57 -06:00
jvazquez-r7 52ff38ad8a add module for cve-2012-3752 2012-11-22 19:56:12 +01:00
Meatballs1 579126c777 Remove redundant sleep 2012-11-22 10:44:41 +00:00
Meatballs1 021e0f37e9 Cleanup s 2012-11-22 10:34:05 +00:00
Meatballs1 7936fce7cf Remove auto migrate - we probably dont want to migrate away from a SYSTEM process. 2012-11-22 10:29:58 +00:00
Meatballs1 128eafe22c Changed to Local Exploit 2012-11-22 10:26:23 +00:00
sinn3r 007dcd2dcb Module is good, except with a little grammar error 2012-11-21 10:30:28 -06:00
jvazquez-r7 04aae008ca fix to use pseudorandom exe name 2012-11-21 09:56:20 +01:00
jvazquez-r7 14cba22e64 changes requested by egypt 2012-11-21 09:46:22 +01:00
jvazquez-r7 99d32191c5 Added module for OSVDB 87334 2012-11-20 23:15:21 +01:00
Tod Beardsley 6b4c131cf5 Avoiding a future conflict with release 2012-11-20 13:24:19 -06:00
jvazquez-r7 959ea1f0c5 final cleanup 2012-11-20 12:52:00 +01:00
jvazquez-r7 b002996708 Merge branch 'narcissus' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-narcissus 2012-11-20 12:49:15 +01:00
sinn3r edaa66094c Merge branch 'jlee-r7-feature/automatic-fs-cleanup' 2012-11-19 16:13:08 -06:00
sinn3r a93fbfea32 Add Narcissus module (OSVDB-87410) 2012-11-19 15:12:57 -06:00
nullbind dc93bd7215 removed redundant file 2012-11-19 14:27:08 -06:00
jvazquez-r7 35b3bf4aa5 back to the original Brute mixin 2012-11-19 14:13:49 +01:00
jvazquez-r7 24fe043960 Merge branch 'samba' of https://github.com/mephos/metasploit-framework into mephos-samba 2012-11-19 14:13:15 +01:00
sinn3r f4aa84956c Add technet reference 2012-11-17 01:24:12 -06:00
sinn3r d4749ff009 Merge branch 'feature/automatic-fs-cleanup' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/automatic-fs-cleanup 2012-11-16 19:02:46 -06:00
James Lee 591b085858 Add support for shell sessions in FileDropper 2012-11-16 15:51:54 -06:00
sinn3r f784ea65af Merge branch 'master' into ms12-005_mod 2012-11-16 11:59:41 -06:00
sinn3r 8375bb8390 Merge branch 'bypassuac_admincheck' of git://github.com/mubix/metasploit-framework into mubix-bypassuac_admincheck 2012-11-16 11:29:09 -06:00
sinn3r 8930d618e3 Merge branch 'invision_pboard_cleanup' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-invision_pboard_cleanup 2012-11-16 11:24:04 -06:00
jvazquez-r7 e8fe6031e9 Let default timeout for send_request_cgi 2012-11-16 18:09:47 +01:00
jvazquez-r7 51f238ec38 up to date 2012-11-16 16:03:09 +01:00
James Lee 83708a5a48 Add a FileDropper mixin for recording cleanup targets
Doesn't cover shell sessions yet, so needs a bit more work
2012-11-15 17:52:10 -06:00
David Maloney de016780b8 Rename the PAYLOAD_TYPE datastore option
This datastore option conflicts with a reserved option in Pro causing
this module to fail in Pro.
2012-11-15 14:42:31 -06:00
Rob Fuller e18acf2103 remove debugging code 2012-11-14 23:56:32 -05:00
Rob Fuller 7d41f1f9a0 add admin already and admin group checks 2012-11-14 23:54:01 -05:00
jvazquez-r7 09ec7dea95 fix check function after speak with egix 2012-11-15 01:34:17 +01:00
jvazquez-r7 3ba3e906d7 added improvements by egix 2012-11-15 01:20:32 +01:00
sinn3r af8ac2fbf6 There's a bug here, can you tell?
Need to be aware of what happens when no version is captured.
2012-11-14 11:54:59 -06:00
jvazquez-r7 88ea347e40 added cookie prefix check 2012-11-14 16:20:40 +01:00
sinn3r 1546aa6a10 No need to repeat the default values 2012-11-13 18:38:17 -06:00
sinn3r 9054fafb15 Not sure why paths were repeated, but no more. 2012-11-13 18:32:32 -06:00
sinn3r 4675cd873b Merge branch 'client_system_analyzer_upload' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-client_system_analyzer_upload 2012-11-13 11:21:23 -06:00
James Lee bbb2f69b55 Add missing require for PhpExe 2012-11-13 10:17:42 -06:00
sinn3r 7d317e7863 Use PhpEXE, and a check() function
Uses the PhpEXE mixin for the payload. And then in the future
we can modify PhpEXE again to allow it to be space-free (problem
being a space is required when you use a function).  Also, this
commit has a new check function.
2012-11-13 01:41:26 -06:00
sinn3r 162b5a391a Merge branch 'invision_pboard_unserialize_exec' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-invision_pboard_unserialize_exec 2012-11-13 00:40:30 -06:00
jvazquez-r7 8e7a748805 thins in place... 2012-11-11 20:19:20 +01:00
jvazquez-r7 5076198ba2 fixing bperry comments 2012-11-11 20:18:19 +01:00
jvazquez-r7 c4f10a1d53 added bid reference 2012-11-11 17:48:57 +01:00
jvazquez-r7 9d3c068da0 added linux target 2012-11-11 17:28:48 +01:00
jvazquez-r7 8619c5291b Added module for CVE-2012-5076 2012-11-11 17:05:51 +01:00
jvazquez-r7 42dd1ee3ff added module for CVE-2012-5692 2012-11-10 11:35:21 +01:00
Chris John Riley f88ec5cbc8 Add normalize_uri to modules that may have
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
jvazquez-r7 21693831ae Added module for ZDI-11-018 2012-11-08 17:32:42 +01:00
HD Moore 36066f8c78 Catch a few stragglers for double slash 2012-11-08 07:21:37 -06:00
HD Moore 4d2147f392 Adds normalize_uri() and fixes double-slash typos 2012-11-08 07:16:51 -06:00
James Lee ac1b60e6db Remove debug load 2012-11-07 20:00:41 -06:00
David Maloney 208e706307 Module title fixes 2012-11-07 10:33:14 -06:00
James Lee 34bc92584b Refactor WindowsServices
* Pulls common code up from several methods into #open_sc_manager
* Deprecates the name Windows::WindowsServices in favor of
  Windows::Services. The platform is already clear from the namespace.
* Makes the post/test/services test module actually work

[See #1007]
[See #1012]
2012-11-06 17:30:04 -06:00
jvazquez-r7 9166d12179 Merge branch 'WinRM_piecemeal' of https://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-WinRM_piecemeal 2012-11-05 23:08:59 +01:00
Tod Beardsley 70d53b4e2d Merge remote branch 'jvazquez-r7/emc_networker_format_string' 2012-11-05 16:03:56 -06:00
jvazquez-r7 77b1e9e648 added comment about ropdb 2012-11-05 23:02:23 +01:00
Tod Beardsley e385aad9e5 Merge remote branch 'jvazquez-r7/emc_networker_format_string' 2012-11-05 16:02:18 -06:00
David Maloney 9d5ab5a66f Stupid typing error 2012-11-05 15:41:47 -06:00
David Maloney 314026ed0e Some error checking and fixups 2012-11-05 13:29:57 -06:00
nullbind 0246e921c5 style, ref, desc, and author updates 2012-11-05 12:45:54 -06:00
David Maloney 7c141e11c4 Hopefully final touches
Some smftidy cleanup, and added a method to check that the payload is
the correct arch when using the powershell method
2012-11-05 10:06:57 -06:00
jvazquez-r7 04668c7d61 fix response codes check to avoid second tries to fail 2012-11-05 09:26:26 +01:00
David Maloney 25a6e983a1 Remove the older modules 2012-11-04 14:48:34 -06:00
David Maloney fca8208171 Some minor code cleanup 2012-11-04 14:45:15 -06:00
David Maloney f69ccc779f Unified smarter module 2012-11-04 13:14:02 -06:00
David Maloney c30ada5eac Adds temp vbs mod and tweaked decoder stub 2012-11-04 12:49:15 -06:00
jvazquez-r7 88c99161b4 added universal target 2012-11-03 18:52:07 +01:00
jvazquez-r7 b8eea1007f Added module for CVE-2012-2288 EMC Networker Format String 2012-11-03 18:17:12 +01:00
sinn3r d4fc99e40c Merge branch 'ms10_104_100_continue_support' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ms10_104_100_continue_support 2012-11-02 15:16:35 -05:00
David Maloney ffca972075 Opps mispalced line 2012-11-02 09:34:32 -05:00
David Maloney 355bdbfa39 Add check for propper powershell version 2012-11-02 09:33:28 -05:00
nullbind 9158497fb4 msftidy updates 2012-11-01 20:59:37 -05:00
nullbind 8bb95e9f17 msftidy updates 2012-11-01 20:56:52 -05:00
Tod Beardsley b1b85bee44 Actually require PhpEXE mixin. 2012-11-01 14:53:18 -05:00
David Maloney f843740fcb more fixes 2012-11-01 11:59:18 -05:00
jvazquez-r7 22fbfb3601 cleanup 2012-11-01 17:38:04 +01:00
jvazquez-r7 e720769747 Added module for ZDI-12-171 2012-11-01 17:17:45 +01:00
David Maloney aeb837838f typo 2012-11-01 11:03:50 -05:00
David Maloney 84c8660c96 Fix targets to be more specific 2012-11-01 11:00:45 -05:00
David Maloney 0eccfaf1bb Add a disclosure date 2012-11-01 10:24:28 -05:00
David Maloney 59f5d9bc5d Man i'm rusty at writing for framework
Fixes up all sinn3r's findings so far
2012-11-01 08:37:21 -05:00
David Maloney 00b9fb3c90 Switc smart mgirate to post mod as it should be 2012-10-31 17:03:49 -05:00
David Maloney dd7ab11e38 Minor cleanup 2012-10-31 16:14:34 -05:00
David Maloney 86f6d59d2e Adding the winrm powershell exploit
also adds the smart_migrate meterp script for autorun purposes
2012-10-31 15:46:11 -05:00
m m e170c1e3e3 typo in centos5 range 2012-10-31 18:28:26 +01:00
m m f7481b160c add centos5 target 2012-10-31 18:21:41 +01:00
jvazquez-r7 ef0f415c51 related to #980 adds support for HttpClient 2012-10-31 17:46:57 +01:00
jvazquez-r7 91e6b7cd28 added ie8 target 2012-10-31 11:57:38 +01:00
jvazquez-r7 a3358a471f Merge branch 'aladdin_bof' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-aladdin_bof 2012-10-31 11:57:20 +01:00
sinn3r ec8a2955e1 Add OSVDB-86723 Aladdin Knowledge System ChooseFilePath Bof 2012-10-31 03:32:43 -05:00
m m 3e3c518753 remove SessionTypes as per egypt 2012-10-30 17:13:57 +01:00
jvazquez-r7 26808093d8 Merge branch 'nil_res_bug_fixes' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-nil_res_bug_fixes 2012-10-30 16:18:05 +01:00
sagishahar 53c7479d70 Add Windows 8 support
Verified with Windows 8 Enterprise Evaluation
2012-10-29 20:12:47 +02:00
m m 3855ba88b1 add meterpreter/command support to samba exploit using ROP 2012-10-29 17:33:00 +01:00
jvazquez-r7 0e3bc7d060 hp operations agent mods: fix use of pattern_create, use ropdb 2012-10-29 15:45:40 +01:00
sinn3r 2c4273e478 Correct some modules with res nil 2012-10-29 04:41:30 -05:00
sinn3r e9b9c96221 Merge branch 'mssql_linkcrawler' of git://github.com/nullbind/metasploit-framework into nullbind-mssql_linkcrawler 2012-10-28 18:10:17 -05:00
nullbind 5ce6526125 first official release 2012-10-28 13:49:32 -05:00
jvazquez-r7 19920b3275 update module titles for hp operation agent vulns 2012-10-28 02:38:39 +01:00
sinn3r 4e6b5393c5 Merge branch 'manage_engine_sqli' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-manage_engine_sqli 2012-10-27 18:53:47 -05:00
sinn3r 320a23286a Merge branch 'warnings' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-warnings 2012-10-27 18:52:34 -05:00
sinn3r 7db7f1bfdf Merge branch 'turboftp_update' of git://github.com/corelanc0d3r/metasploit-framework into corelanc0d3r-turboftp_update 2012-10-27 18:51:41 -05:00
sinn3r c015372ce0 Merge branch 'hp_operations_agent_coda_8c' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-hp_operations_agent_coda_8c 2012-10-27 18:45:36 -05:00
jvazquez-r7 73deeacd7e deleted unnecessary http headers according to my tests 2012-10-28 00:52:52 +02:00
jvazquez-r7 b4b1b77a77 deleted unnecessary http headers according to my tests 2012-10-28 00:51:18 +02:00
jvazquez-r7 51bc806014 Added module for CVE-2012-2019 2012-10-27 22:45:37 +02:00
jvazquez-r7 bcb80431d6 Added module for CVE-2012-2020 2012-10-27 22:43:16 +02:00
corelanc0d3r b48e355a6d fixed typo and defined badchars 2012-10-24 20:04:54 +02:00
sinn3r ede5d0f46b This is meant to be a warning, so we use print_warning 2012-10-24 00:55:54 -05:00
sinn3r 799c22554e Warn user if a file/permission is being modified during new session 2012-10-24 00:54:17 -05:00
sinn3r f1423bf0b4 If a message is clearly a warning, then use print_warning 2012-10-24 00:44:53 -05:00
sinn3r 8eb790f62c Final touchup 2012-10-23 19:46:09 -05:00
sinn3r f9bb910c3b Make the check() try SQLI 2012-10-23 19:42:36 -05:00
sinn3r 8c5a73bb7f Change exception handling 2012-10-23 19:34:12 -05:00
sinn3r 90542547c6 Add auto-target, and some changes to cleanup 2012-10-23 19:07:13 -05:00
Tod Beardsley be9a954405 Merge remote branch 'jlee-r7/cleanup/post-requires' 2012-10-23 15:08:25 -05:00
Michael Schierl 910644400d References EDB cleanup
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
sinn3r 22223d5d81 Better cleanup abilities 2012-10-23 13:58:19 -05:00
Michael Schierl 21f6127e29 Platform windows cleanup
Change all Platform 'windows' to 'win', as it internally is an alias
anyway and only causes unnecessary confusion to have two platform names
that mean the same.
2012-10-23 20:33:01 +02:00
James Lee 9c95c7992b Require's for all the include's 2012-10-23 13:24:05 -05:00
sinn3r 4c41319c7c Remove unused vars 2012-10-23 12:55:43 -05:00
sinn3r bef4539915 Update description 2012-10-23 12:47:46 -05:00
sinn3r 3ff888a5c0 Move to 'multi' because it supports windows and linux 2012-10-23 12:41:51 -05:00
sinn3r 5f088fa718 Remove default platform 2012-10-23 12:41:17 -05:00
sinn3r e05d353e8a Add Linux support 2012-10-23 12:40:13 -05:00
sinn3r bc3472a9b9 Randomize variable names 2012-10-23 11:41:53 -05:00
sinn3r 923ffe277d Write EXE to JSP instead of using a TCPServer 2012-10-23 11:32:09 -05:00
sinn3r 33ce74fe8c Merge branch 'msftidy-1' of git://github.com/schierlm/metasploit-framework into schierlm-msftidy-1 2012-10-23 02:10:56 -05:00
sinn3r e5ec51a780 Rename file for consistency 2012-10-23 02:05:55 -05:00
sinn3r 669d22c917 Final improvements 2012-10-23 02:05:08 -05:00
sinn3r 5072156df6 Designed specifically for Windows, so let's move to Windows
Plus additional fixes
2012-10-22 23:01:58 -05:00
sinn3r 2484bb02cf Add the initial version of the module
From EDB.
2012-10-22 22:41:30 -05:00
James Lee b2db3e133d Rescue when the service is crashed
Failed exploit attempts leave the service in a state where the port is
still open but login attmempts reset the connection. Rescue that and
give the user an indication of what's going on.
2012-10-22 17:57:30 -05:00
Rob Fuller 7437d9844b standardizing author info 2012-10-22 17:01:58 -04:00
Michael Schierl 5b18a34ad4 References cleanup
Uppercase MSB, spaces in URLs.
2012-10-22 22:37:01 +02:00
Michael Schierl f9ac55c221 Infohash key cleanups
Replace obvious typos in infohash keys. Note that this *does*
affect the behaviour as those keys have been ignored before.
2012-10-22 21:24:36 +02:00
Michael Schierl e9f7873afc Version cleanup
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
Michael Schierl e769abc868 Platform cleanup: platform should be lowercase 2012-10-22 20:14:39 +02:00
Michael Schierl 657d527f8d DisclosureDate cleanup: Try parsing all dates
Fix all dates unparsable by `Date.strptime(value, '%b %d %Y')`
2012-10-22 20:04:21 +02:00
Michael Schierl 70ac7c8345 Author cleanup: fix unmatched angle brackets 2012-10-22 19:45:27 +02:00
Michael Schierl d337d5204b Author cleanup: One module did not have an author 2012-10-22 18:38:18 +02:00
sinn3r ad9946689e Update description 2012-10-21 16:40:01 -05:00
sinn3r 1821c11369 Code cleanup 2012-10-21 16:40:01 -05:00
sinn3r c404b72d08 Doesn't make a lot of sense setting DefaultTarget to an older one 2012-10-21 16:40:01 -05:00
lincoln@corelan.be c7d12d94b7 turboftp exploit 2012-10-21 16:40:00 -05:00
James Lee 768d2c5921 Go back to old behavior for unknown versions
May not be correct, but it's what we used to do, so probably better than
just raising.

Also documents things a bit better.
2012-10-18 16:57:40 -05:00
James Lee 1eccb24bf8 Raise if the version isn't what we expect
Also adds some clarifying commentation and adds todb to the list of
authors since he wrote the original module for windows upon which this
one is based.
2012-10-18 15:55:55 -05:00
James Lee 3c5c1cd86e Remove unnecessary version restrictions
Since the payload is now run in the .so constructor, there's no need to
be compatible with a particular Postgres API.

Also:
 - report the service
 - delete the payload in the payload itself to reduce forensics
	 footprint
 - randomize the created function name instead of abusing
	 postgres_create_sys_exec
2012-10-18 15:40:27 -05:00
James Lee 0221f75f39 Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-10-18 13:57:25 -05:00
sput-nick 60dc83748c Update modules/exploits/windows/browser/mozilla_mchannel.rb 2012-10-17 12:25:44 -03:00
James Lee 52feae2dcd Add missing require
[FixRM #7345]
2012-10-15 17:18:04 -05:00
Tod Beardsley 9192a01803 All exploits need a disclosure date. 2012-10-15 16:29:12 -05:00
jvazquez-r7 2acfb0537c Merge branch 'ajaxplorer' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ajaxplorer 2012-10-15 08:30:08 +02:00
sinn3r 529f88c66d Some msftidy fixes 2012-10-14 19:16:54 -05:00
sinn3r 97ac7fa184 Merge branch 'module-wle-service-permissions' of git://github.com/zeroSteiner/metasploit-framework 2012-10-14 18:27:32 -05:00
sinn3r cedcace1a7 Forgot to change the output variable
Because the original script used match()
2012-10-14 11:43:33 -05:00
James Lee 9c6fdbe9d7 Compile a .so instead of being version-specific
This makes it possible to use payloads for the appropriate architecture

NOTE: need to test windows and make sure I didn't break it
2012-10-13 15:18:25 -05:00
sinn3r cc303665e8 Credit 2012-10-13 00:42:44 -05:00
sinn3r 5b2998a121 Add OSVDB-63552 AjaXplorer module (2010) 2012-10-13 00:35:48 -05:00
James Lee ad1870d819 Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-10-12 14:18:34 -05:00
James Lee 90ae5c1178 Add PhpEXE support to RateMyPet module 2012-10-12 04:53:01 -05:00
James Lee db12413b09 Convert vcms_upload to use PhpEXE
Incidentally adds a Linux x86 target
2012-10-12 04:29:57 -05:00
James Lee 13a5892e95 Add a mixin for uploading/executing bins with PHP
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
Spencer McIntyre 3ab24cdbb9 added exploits/windows/local/service_permissions 2012-10-11 22:42:36 -04:00
James Lee 0adabb1e06 Merge branch 'wchen-r7-projectpier' into rapid7
[Closes #889]
2012-10-11 18:32:04 -05:00
sinn3r 55c0cda86c Merge branch 'fix_vprint_reduceright' of git://github.com/kernelsmith/metasploit-framework into kernelsmith-fix_vprint_reduceright 2012-10-11 16:55:52 -05:00
kernelsmith c911eeece2 change vprint_error to print_error
exploits/windows/browser/mozilla_reduceright does not tell you when an
incompatible browser connects like most other browser exploits do
(unless verbose is true).  This change just changes the vprint to print
to be more consistent w/other browser exploits
2012-10-11 16:51:17 -05:00
sinn3r 9ea208d129 Oops, overwrote egypt's changes by accident 2012-10-11 16:40:52 -05:00
sinn3r 82eaa322fe Make cleanup work better 2012-10-11 16:39:54 -05:00
James Lee 3a66a07844 Proposed re-wording of description
[See #889]
2012-10-11 15:48:04 -05:00
sinn3r 24980e735b I found an OSVDB ID 2012-10-11 15:28:07 -05:00
sinn3r 55128f5bb3 Make sure res has value before passing it on to exec_php 2012-10-11 14:43:38 -05:00
sinn3r 033a11eff5 Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00
sinn3r 1ea73b7bd2 Small description change and favor the use of print_error 2012-10-10 13:37:23 -05:00
jvazquez-r7 f32ce87071 delete comment added by error 2012-10-10 19:32:25 +02:00
jvazquez-r7 13e914d65e added on_new_session handler to warn users about cleanup 2012-10-10 19:31:38 +02:00
jvazquez-r7 37dc19951b Added module for ZDI-12-169 2012-10-10 19:14:54 +02:00
HD Moore 22f7c42b85 Merge branch 'master' into feature/updated-mobile 2012-10-09 12:58:19 -05:00
jvazquez-r7 4fa3631e34 avoiding the python support on the barracuda one if cannot be tested 2012-10-09 18:01:23 +02:00
jvazquez-r7 f33411abd1 Merge branch 'python_payload_support' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-python_payload_support 2012-10-09 18:00:44 +02:00
sinn3r a12aed7ffc Don't really need these keywords 2012-10-09 00:49:05 -05:00
sinn3r b657fd31cc Merge branch 'php_include' of https://github.com/ethicalhack3r/metasploit-framework into ethicalhack3r-php_include 2012-10-09 00:45:46 -05:00
sinn3r c094508119 Support Python payload
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
jvazquez-r7 b356b403b0 Merge branch 'phptax' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-phptax 2012-10-09 00:10:31 +02:00
sinn3r 06e2994b7e connectiontype to find and python payload support 2012-10-08 15:13:27 -05:00
sinn3r abb4bdd408 metadata formatting, and a little res gotcha 2012-10-08 15:00:51 -05:00
sinn3r 04aa69192d Dang typo 2012-10-08 13:35:13 -05:00
jvazquez-r7 ef9d627e13 Added module for ZDI-12-106 2012-10-08 20:04:01 +02:00
sinn3r 8ff4442f9e Add PhpTax pfilez exec module
This module exploits a vuln found in PhpTax.  When generating a
PDF, the icondrawpng() function in drawimage.php does not
properly handle the pfilez parameter, which will be used in a
exec() statement, and results in arbitrary code execution.
2012-10-08 12:46:56 -05:00
sinn3r e9b70a3a4f Merge branch 'avaya_winpmd_unihostrouter' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-avaya_winpmd_unihostrouter 2012-10-07 15:35:30 -05:00
jvazquez-r7 0acd9e4eec Merge branch 'ms10_002_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms10_002_ropdb_update 2012-10-07 17:49:45 +02:00
jvazquez-r7 40983460bf added module for avaya winpmd bof, osvdb 73269 2012-10-07 12:05:13 +02:00
sinn3r bdb9b75e1e Use RopDb, and print what target the module has selected. 2012-10-07 01:42:29 -05:00
HD Moore 64f29952dc Merge branch 'master' into feature/updated-mobile 2012-10-07 00:32:02 -05:00
sinn3r 5b656087b5 Use RopDb in adobe_flash_otf_font, also cleaner code & output 2012-10-06 21:03:41 -05:00
jvazquez-r7 874fe64343 Merge branch 'ms11_050_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_050_ropdb_update 2012-10-06 14:10:36 +02:00
sinn3r e02adc1f35 Merge branch 'mubix-bypassuac_uac_check' 2012-10-06 02:09:16 -05:00
sinn3r 33429c37fd Change print_error to print_debug as a warning 2012-10-06 02:08:19 -05:00
sinn3r 94d5eb7a8c Use RopDb in MS11-050, and correct autopwninfo 2012-10-06 01:45:40 -05:00
Rob Fuller 55474dd8bf add simple UAC checks to bypassuac 2012-10-06 00:59:54 -04:00
Rob Fuller b984d33996 add RunAs ask module 2012-10-06 00:51:44 -04:00
sinn3r 769fa3743e Explain why the user cannot modify the URIPATH 2012-10-05 17:24:06 -05:00
ethicalhack3r f4e442bcbd Added headers support to php_include module 2012-10-05 23:00:38 +02:00
sinn3r 2aa59623d1 Merge branch 'ropdb_for_browsers' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ropdb_for_browsers 2012-10-05 15:43:18 -05:00
sinn3r 21ea77ff8b Fix spaces 2012-10-05 15:40:37 -05:00
sinn3r a60851e9d1 Merge branch 'mubix-bypassuac_localport' 2012-10-05 14:28:12 -05:00
sinn3r 6342c270f4 Merge branch 'bypassuac_localport' of https://github.com/mubix/metasploit-framework into mubix-bypassuac_localport 2012-10-05 14:16:16 -05:00
sinn3r 33db3d9610 RopDb for ntr_activex_check_bof.rb 2012-10-05 14:09:59 -05:00
sinn3r f92843c96e RopDb for ie_execcommand_uaf.rb 2012-10-05 13:49:17 -05:00
jvazquez-r7 aba69d8438 fix indentation 2012-10-05 20:18:40 +02:00
jvazquez-r7 4c646762a5 Added target debian squeeze 2012-10-05 20:12:09 +02:00
sinn3r 9a53a49625 RopDb for vlc_amv.rb 2012-10-05 12:54:16 -05:00
sinn3r d9278d82f8 Adopt RopDb for msxml_get_definition_code_exec.rb 2012-10-05 12:20:41 -05:00
sinn3r 6fc8790dd7 Adopt RopDb for ms12_037_same_id.rb 2012-10-05 12:17:19 -05:00
sinn3r 1268614d54 Adopt RopDb for adobe_flash_mp4_cprt.rb 2012-10-05 11:15:53 -05:00
sinn3r 98931e339a Adopt RopDb for adobe_flash_rtmp.rb 2012-10-05 11:05:19 -05:00
sinn3r 631a06f3bb Adopt RopDb for adobe_flashplayer_flash10o.rb 2012-10-05 10:55:55 -05:00
Rob Fuller 0ae7756d26 fixed missing > on author 2012-10-05 11:13:40 -04:00
sinn3r bcc56cb7cc Merge branch 'bypassuac_localport' of https://github.com/mubix/metasploit-framework into mubix-bypassuac_localport 2012-10-05 01:05:30 -05:00
sinn3r 77438d2fc7 Make URI modification more obvious, and let the user know why 2012-10-04 17:52:04 -05:00
Rob Fuller 8520cbf218 fixes spotted by @jlee-r7 2012-10-04 17:34:35 -04:00
James Lee ae11c2ffc0 Merge branch 'rapid7' into kernelsmith-update-ms10_042-info
[Closes #860]
2012-10-04 15:29:32 -05:00
Tod Beardsley 4400cb94b5 Removing trailing spaces 2012-10-04 14:58:53 -05:00
kernelsmith 6ef87d1695 update info to reflect use of webdav
ms10_042_helpctr_xss_cmd_exec.rb doesn't tell you that it's going to
use webdav, and it's options dont' have the (Don't change) warning for
SRVPORT and URIPATH.  This update fixes all that
2012-10-04 14:09:53 -05:00
Rob Fuller 3f2fe8d5b4 port bypassuac from post module to local exploit 2012-10-04 14:31:23 -04:00
sinn3r d515b3274d Apply wfsdelay and apply egypt's suggestions 2012-10-04 00:40:52 -05:00
sinn3r 9dad8b28ee Merge branch 'qnx_qconn_exec' of https://github.com/bcoles/metasploit-framework into bcoles-qnx_qconn_exec 2012-10-03 22:09:14 -05:00
sinn3r fbc3709774 Change the title and regex a bit 2012-10-03 12:16:25 -05:00
jvazquez-r7 30846f4190 fix typo in comment 2012-10-03 16:06:00 +02:00
jvazquez-r7 24037ac79a Added module for CVE-2011-4051 2012-10-03 16:03:36 +02:00
sinn3r e39472f7d4 Merge branch 'zeroSteiner-module-ms11-080' 2012-10-02 12:01:01 -05:00
sinn3r e36507fc05 Code cleanup and make msftidy happy 2012-10-02 12:00:23 -05:00
Spencer McIntyre 21e832ac1c add call to memory protect to fix DEP environments 2012-10-01 18:49:18 -04:00
bcoles e2276bfedb Add QNX QCOMM command execution module 2012-09-30 17:21:08 +09:30
jvazquez-r7 6679ff765a remove extra commas 2012-09-28 12:21:59 +02:00
sinn3r 4087790cf7 Oops, forgot to update the check() function 2012-09-27 18:22:57 -05:00
jvazquez-r7 9d3a1871a6 Added module for Samba CVE-2012-1182 2012-09-28 01:18:52 +02:00
Spencer McIntyre c93692b06d add a check to verify session is not already system for MS11-080 2012-09-27 08:36:13 -04:00
Spencer McIntyre 8648953747 added MS11-080 AFD JoinLeaf Windows Local Exploit 2012-09-26 11:01:30 -04:00
HD Moore 3ade5a07e7 Add exploit for phpmyadmin backdoor 2012-09-25 10:47:53 -05:00
sinn3r 1111de0197 Add OSVDB reference 2012-09-25 01:19:58 -05:00
sinn3r 2db2c780d6 Additional changes
Updated get_target function, comment for original author, possible
bug in handling page redirection.
2012-09-24 17:38:19 -05:00
sinn3r 03815b47f8 Merge branch 'ie_uaf_js_spray_obfuscate' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ie_uaf_js_spray_obfuscate 2012-09-24 17:14:26 -05:00
jvazquez-r7 25e6990dc7 added osvdb reference 2012-09-24 21:49:32 +02:00
jvazquez-r7 2784a5ea2d added js obfuscation for heap spray 2012-09-24 21:28:34 +02:00
sinn3r 0e94340967 Merge branch 'auxilium' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-auxilium 2012-09-24 10:22:18 -05:00
sinn3r 57b3aae9c0 Only JRE ROP is used 2012-09-24 10:21:02 -05:00
sinn3r 98f4190288 Add Auxilium RateMyPet module 2012-09-24 10:16:11 -05:00
jvazquez-r7 d476ab75cc fix comment 2012-09-24 10:03:31 +02:00
jvazquez-r7 f3a64432e9 Added module for ZDI-12-170 2012-09-24 10:00:38 +02:00
sinn3r cade078203 Update author info 2012-09-22 02:29:20 -05:00
sinn3r d3611c3f99 Correct the tab 2012-09-21 12:29:24 -05:00
sinn3r 25f4e3ee1f Update patch information for MS12-063 2012-09-21 12:28:41 -05:00
jvazquez-r7 ed24154915 minor fixes 2012-09-21 11:36:58 +02:00
bcoles 6ee2c32f08 add ZEN Load Balancer module 2012-09-21 17:25:20 +09:30
sinn3r 54b98b4175 Merge branch 'ntr_activex_check_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ntr_activex_check_bof 2012-09-20 16:43:20 -05:00
sinn3r 4ead0643a0 Correct target parameters 2012-09-20 16:41:54 -05:00
sinn3r 41449d8379 Merge branch 'ntr_activex_stopmodule' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ntr_activex_stopmodule 2012-09-20 16:33:12 -05:00
Tod Beardsley a5ffe7297f Touching up Kernelsmith's wording.
It is merely the ROP chain, not the vuln, that requires Java.
2012-09-20 14:52:52 -05:00
Tod Beardsley 883dc26d73 Merge remote branch 'kernelsmith/ie_execcommand_uaf_info' 2012-09-20 14:48:36 -05:00
jvazquez-r7 e98e3a1a28 added module for cve-2012-0266 2012-09-20 19:03:46 +02:00
jvazquez-r7 b61c8b85b8 Added module for CVE-2012-02672 2012-09-20 19:02:20 +02:00
David Maloney f75ff8987c updated all my authour refs to use an alias 2012-09-19 21:46:14 -05:00
kernelsmith f1a39c76ed update to ie_execcommand_uaf's info to add ROP info
This module requires the following dependencies on the target for the
ROP chain to function.  For WinXP SP3 with IE8, msvcrt must be present
(which it is on default installs).  For Vista/Win7 with IE8 or Win7
with IE9, ire 1.6.x or below must be installed.
2012-09-19 14:10:02 -05:00
Ramon de C Valle 11f82de098 Update author information 2012-09-19 14:00:51 -03:00
sinn3r cc8102434a CVE assigned for the IE '0day' 2012-09-18 16:13:27 -05:00
Tod Beardsley 25475ffc93 Msftidy fixes.
Whitespace on ie_execcommand_uaf, and skipping a known-weird caps check
on a particular software name.
2012-09-18 11:25:00 -05:00
jvazquez-r7 8b251b053e initializing msghdr a little better 2012-09-18 12:12:27 +02:00
jvazquez-r7 16c5df46fc fix while testing ubuntu intrepid 2012-09-18 11:52:50 +02:00
sinn3r 5fbc4b836a Add Microsoft advisory 2012-09-17 22:13:57 -05:00
Tod Beardsley 75bbd1c48d Being slightly more clear on Browser Not Supported
With this and the rest of sinn3r's fixes, it looks like we can close the
Redmine bug.

[FixRM #7242]
2012-09-17 11:16:19 -05:00