Meatballs
16302f752e
Enable generic command
2014-12-23 14:22:26 +00:00
Meatballs
a3b0b9de62
Configure module to target bash by default
2014-12-23 14:19:51 +00:00
Meatballs
313d6cc2f8
Add super call
2014-12-23 14:12:47 +00:00
Meatballs
43221d4cb0
Remove redundant debugging stuff
2014-12-23 14:09:12 +00:00
Meatballs
42a10d6d50
Add Powershell target
2014-12-23 14:07:57 +00:00
Meatballs
40c1fb814e
one line if statement
2014-12-23 11:20:24 +00:00
Meatballs
b41e259252
Move it to a common method
2014-12-23 11:16:07 +00:00
Brendan Coles
5c82b8a827
Add ProjectSend Arbitrary File Upload module
2014-12-23 10:53:03 +00:00
Jon Hart
abec7c206b
Update description to describe current limitations
2014-12-22 20:32:45 -08:00
Jon Hart
1505588bf6
Rename the file to reflect what it really is
2014-12-22 20:27:40 -08:00
Jon Hart
ff440ed5a4
Describe vulns in more detail, add more URLs
2014-12-22 20:20:48 -08:00
Jon Hart
b4f6d984dc
Minor style cleanup
2014-12-22 17:51:35 -08:00
Jon Hart
421fc20964
Partial mercurial support. Still need to implement bundle format
2014-12-22 17:44:14 -08:00
Jon Hart
fdd1d085ff
Don't encode the payload because this only complicates OS X
2014-12-22 13:36:38 -08:00
Joe Vennix
0bf3a9cd55
Fix duplicate :ua_maxver key.
2014-12-22 14:57:44 -06:00
Jon Hart
ea9f5ed6ca
Minor cleanup
2014-12-22 12:16:53 -08:00
Jon Hart
dd73424bd1
Don't link to unused repositories
2014-12-22 12:04:55 -08:00
Jon Hart
6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off
2014-12-22 11:36:50 -08:00
Jon Hart
574d3624a7
Clean up setup_git verbose printing
2014-12-22 11:09:08 -08:00
Jon Hart
16543012d7
Correct planted clone commands
2014-12-22 10:56:33 -08:00
Jon Hart
01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested
2014-12-22 10:43:54 -08:00
Jon Hart
3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos
2014-12-22 10:03:30 -08:00
Jon Hart
308eea0c2c
Make malicious hook file name be customizable
2014-12-22 08:28:55 -08:00
Jon Hart
7f3cfd2207
Add a ranking
2014-12-22 07:51:47 -08:00
Jon Cave
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
Gabor Seljan
9be95eacb8
Use %Q for double-quoted string
2014-12-22 07:37:32 +01:00
sgabe
bb33a91110
Update description to be a little more descriptive
2014-12-21 19:31:58 +01:00
Jon Hart
74783b1c78
Remove ruby and telnet requirement
2014-12-21 10:06:06 -08:00
sgabe
cd02e61a57
Add module for OSVDB-114279
2014-12-21 17:00:45 +01:00
Jon Hart
31f320c901
Add mercurial debugging
2014-12-20 20:00:12 -08:00
Jon Hart
3da1152743
Add better logging. Split out git support in prep for mercurial
2014-12-20 19:34:55 -08:00
Jon Hart
58d5b15141
Add another useful URL. Use a more git-like URIPATH
2014-12-20 19:11:56 -08:00
sgabe
9f97b55a4b
Add module for CVE-2014-2973
2014-12-20 18:38:22 +01:00
Jon Hart
f41d0fe3ac
Randomize most everything about the malicious commit
2014-12-19 19:31:00 -08:00
Jon Hart
805241064a
Create a partially capitalized .git directory
2014-12-19 19:07:45 -08:00
Jon Hart
f7630c05f8
Use payload.encoded
2014-12-19 18:52:34 -08:00
Jon Hart
7f2247f86d
Add description and URL
2014-12-19 15:50:16 -08:00
Jon Hart
9b815ea0df
Some style cleanup
2014-12-19 15:35:09 -08:00
Jon Hart
4d0b5d1a50
Add some vprints and use a sane URIPATH
2014-12-19 15:33:26 -08:00
Tod Beardsley
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart
48444a27af
Remove debugging pp
2014-12-19 15:27:06 -08:00
Jon Hart
1c7fb7cc7d
Mostly working exploit for CVE-2014-9390
2014-12-19 15:24:27 -08:00
Jon Hart
4888ebe68d
Initial commit of POC module for CVE-2013-9390 ( #4435 )
2014-12-19 12:58:02 -08:00
David Maloney
f237c56a13
This oracle scheduler exploit hangs if not vuln
...
When this exploit gets run against a system that isn't vulnerable
it can hang for a signifigant ammount of time. This change uses the check
method on the exploit to see whether it should proceed. Don't try to exploit
the host if it's not vulnerable.
2014-12-16 09:42:42 -06:00
Jon Hart
025c0771f8
Have exploit call check. Have check report_vuln
2014-12-15 09:53:11 -08:00
Jon Hart
f521e7d234
Use newer Ruby hash syntax
2014-12-15 09:17:32 -08:00
Jon Hart
c93dc04a52
Resolve address before storing the working cred
2014-12-15 09:11:12 -08:00
Jon Hart
5ca8f187b3
Merge remote-tracking branch 'upstream/pr/4328' into temp
2014-12-15 08:15:51 -08:00
Sean Verity
9a0ed723d1
Adds error handling for drive letter enumeration
2014-12-14 12:56:20 -05:00
Brendan Coles
4530066187
return nil
2014-12-15 01:04:39 +11:00
Brendan Coles
55d9e9cff6
Use list of potential analytics hosts
2014-12-14 23:15:41 +11:00
rcnunez
223d6b7923
Merged with Fr330wn4g3's changes
2014-12-14 13:08:19 +08:00
Sean Verity
0c5f4ce4ee
Removed the handler-ish code
2014-12-13 22:18:41 -05:00
Sean Verity
2addd0fdc4
Fixed name, removed tabs, updated license
2014-12-13 20:37:19 -05:00
jvazquez-r7
b1453afb52
Land #4297 , fixes #4293 , Use OperatingSystems::Match::WINDOWS
...
* instead of Msf::OperatingSystems::WINDOWS
2014-12-12 18:19:58 -06:00
HD Moore
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
Tod Beardsley
488f46c8a1
Land #4324 , payload_exe rightening.
...
Fixes #4323 , but /not/ #4246 .
2014-12-12 15:04:57 -06:00
Tod Beardsley
9908e0e35b
Land #4384 , fix typo.
2014-12-12 14:39:47 -06:00
HD Moore
50b734f996
Add Portuguese target, lands #3961 (also reorders targets)
2014-12-12 14:23:02 -06:00
jvazquez-r7
008c33ff51
Fix description
2014-12-12 13:36:28 -06:00
Tod Beardsley
81460198b0
Add openssl payload to distcc exploit
...
This is required to test #4274
2014-12-12 13:25:55 -06:00
jvazquez-r7
b334e7e0c6
Land #4322 , @FireFart's wordpress exploit for download-manager plugin
2014-12-12 12:41:59 -06:00
jvazquez-r7
aaed7fe957
Make the timeout for the calling payload request lower
2014-12-12 12:41:06 -06:00
Jon Hart
00f66b6050
Correct named captures
2014-12-12 10:22:14 -08:00
jvazquez-r7
98dca6161c
Delete unused variable
2014-12-12 12:03:32 -06:00
jvazquez-r7
810bf598b1
Use fail_with
2014-12-12 12:03:12 -06:00
Jon Hart
1e6bbc5be8
Use blank?
2014-12-12 09:51:08 -08:00
jvazquez-r7
4f3ac430aa
Land #4341 , @EgiX's module for tuleap PHP Unserialize CVE-2014-8791
2014-12-12 11:48:25 -06:00
jvazquez-r7
64f529dcb0
Modify default timeout for the exploiting request
2014-12-12 11:47:49 -06:00
Jon Hart
24f1b916e0
Minor ruby style cleanup
2014-12-12 09:47:35 -08:00
Jon Hart
1d1aa5838f
Use Gem::Version to compare versions in check
2014-12-12 09:47:01 -08:00
jvazquez-r7
d01a07b1c7
Add requirement to description
2014-12-12 11:42:45 -06:00
jvazquez-r7
fd09b5c2f6
Fix title
2014-12-12 10:52:18 -06:00
jvazquez-r7
4871228816
Do minor cleanup
2014-12-12 10:52:06 -06:00
Christian Mehlmauer
0f27c63720
fix msftidy warnings
2014-12-12 13:16:21 +01:00
Jon Hart
65b316cd8c
Land #4372
2014-12-11 18:48:16 -08:00
Christian Mehlmauer
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
Christian Mehlmauer
de88908493
code style
2014-12-11 23:30:20 +01:00
Jon Hart
24dbc28521
Land #4356
2014-12-11 09:03:18 -08:00
Tod Beardsley
0eea9a02a1
Land #3144 , psexec refactoring
2014-12-10 17:30:39 -06:00
Meatballs
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
Marc Wickenden
245b76477e
Fix issue with execution of perl due to gsub not matching across newlines
2014-12-10 21:38:04 +00:00
EgiX
700ccc71e7
Create tuleap_unserialize_exec.rb
2014-12-09 10:15:46 +01:00
jvazquez-r7
21742b6469
Test #3729
2014-12-06 21:20:52 -06:00
Brendan Coles
42744e5650
Add actualanalyzer_ant_cookie_exec exploit
2014-12-06 19:09:20 +00:00
William Vu
2f98a46241
Land #4314 , @todb-r7's module cleanup
2014-12-05 14:05:09 -06:00
sinn3r
7ae786a53b
Add a comment as an excuse to tag the issue
...
Fix #4246
... so it will automatically close the ticket.
2014-12-05 11:26:26 -06:00
sinn3r
f25e3ebaaf
Fix #4246 - More undef 'payload_exe' in other modules
...
Root cause: payload_exe is an accessor in the TFPT command stager
mixin, you need stager_instance in order to retreive that info.
2014-12-05 11:19:58 -06:00
headlesszeke
8d1ca872d8
Now with logging of command response output
2014-12-05 10:58:40 -06:00
Christian Mehlmauer
5ea062bb9c
fix bug
2014-12-05 11:30:45 +01:00
Christian Mehlmauer
55b8d6720d
add wordpress download-manager exploit
2014-12-05 11:17:54 +01:00
sinn3r
e3f7398acd
Fix #4246 - Access payload_exe information correctly
...
This fixes an undef method 'payload_exe' error. We broke this when
all modules started using Msf::Exploit::CmdStager as the only source
to get a command stager payload. The problem with that is "payload_exe"
is an accessor in CmdStagerTFTP, not in CmdStager, so when the module
wants to access that, we trigger the undef method error.
To be exact, this is the actual commit that broke it:
7ced5927d8
Fix #4246
2014-12-05 02:08:13 -06:00
Jon Hart
52851d59c0
Update GATEWAY to GATEWAY_PROBE_HOST, add GATEWAY_PROBE_PORT
2014-12-04 13:26:16 -08:00
Jon Hart
6bd56ac225
Update any modules that deregistered NETMASK
2014-12-04 13:22:06 -08:00
Meatballs
e471271231
Move comment
2014-12-04 20:24:37 +00:00
Meatballs
c14ba11e79
If extapi dont stage payload
2014-12-04 20:17:48 +00:00
Tod Beardsley
79f2708a6e
Slight fixes to grammar/desc/whitespace
...
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
sinn3r
2fcbcc0c26
Resolve merge conflict for ie_setmousecapture_uaf ( #4213 )
...
Conflicts:
modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
2014-12-03 14:12:15 -06:00
sinn3r
a631ee65f6
Fix #4293 - Use OperatingSystems::Match::WINDOWS
...
Fix #4293 . Modules should use OperatingSystems::Match::WINDOWS
instead of Msf::OperatingSystems::WINDOWS, because the second
won't match anything anymore.
2014-12-02 13:46:27 -06:00
sinn3r
a88ee0911a
Fix os detection
...
See #3373
2014-12-02 01:15:55 -06:00
sinn3r
a42c7a81e7
Fix os detection
...
See #4283
2014-12-02 01:13:51 -06:00
headlesszeke
564488acb4
Changed and to &&
2014-12-02 00:02:53 -06:00
headlesszeke
280e10db55
Add module for Arris VAP2500 Remote Command Execution
2014-12-01 23:07:56 -06:00
William Vu
394d132d33
Land #2756 , tincd post-auth BOF exploit
2014-12-01 12:13:37 -06:00
sinn3r
0f973fdf2b
Fix #4284 - Typo "neline" causing the exploit to break
...
"neline" isn't supposed to be there at all.
2014-12-01 01:24:30 -06:00
Tim
5c50a07c0f
futex_requeue
2014-12-01 03:49:22 +00:00
jvazquez-r7
7a2c9c4c0d
Land #4263 , @jvennix-r7's OSX Mavericks root privilege escalation
...
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7
b357fd88a7
Add comment
2014-11-30 21:08:38 -06:00
jvazquez-r7
0ab99549bd
Change ranking
2014-11-30 21:08:12 -06:00
jvazquez-r7
7772da5e3f
Change paths, add makefile and compile
2014-11-30 21:06:11 -06:00
jvazquez-r7
d7d1b72bce
Rename local_variables
2014-11-30 20:40:55 -06:00
jvazquez-r7
d77c02fe43
Delete unnecessary metadata
2014-11-30 20:37:34 -06:00
sinn3r
f7f4a191c1
Land #4255 - CVE-2014-6332 Internet Explorer
2014-11-28 10:12:27 -06:00
sinn3r
2a7d4ed963
Touchup
2014-11-28 10:12:05 -06:00
Rasta Mouse
985838e999
Suggestions from OJ
2014-11-27 21:38:50 +00:00
Rasta Mouse
25ecf73d7d
Add configurable directory, rather than relying on the session working
...
directory.
2014-11-27 17:12:37 +00:00
OJ
75e5553cd4
Change to in exploit
2014-11-26 16:53:30 +10:00
jvazquez-r7
9524efa383
Fix banner
2014-11-25 23:14:20 -06:00
jvazquez-r7
16ed90db88
Delete return keyword
2014-11-25 23:11:53 -06:00
jvazquez-r7
85926e1a07
Improve check
2014-11-25 23:11:32 -06:00
jvazquez-r7
5a2d2914a9
Fail on upload errors
2014-11-25 22:48:57 -06:00
jvazquez-r7
b24e641e97
Modify exploit logic
2014-11-25 22:11:43 -06:00
jvazquez-r7
4bbadc44d6
Use Msf::Exploit::FileDropper
2014-11-25 22:00:42 -06:00
jvazquez-r7
7fbd5b63b1
Delete the Rex::MIME::Message gsub
2014-11-25 21:54:50 -06:00
jvazquez-r7
eaa41e9a94
Added reference
2014-11-25 21:37:04 -06:00
jvazquez-r7
2c207597dc
Use single quotes
2014-11-25 18:30:25 -06:00
jvazquez-r7
674ceeed40
Do minor cleanup
2014-11-25 18:26:41 -06:00
jvazquez-r7
6ceb47619a
Change module filename
2014-11-25 18:09:15 -06:00
jvazquez-r7
1305d56901
Update from upstream master
2014-11-25 18:07:13 -06:00
Joe Vennix
3a5de9970f
Update description, rename xnu_ver -> osx_ver.
2014-11-25 12:38:29 -06:00
Joe Vennix
7a3fb12124
Add an OSX privilege escalation from Google's Project Zero.
2014-11-25 12:34:16 -06:00
spdfire
583494c0db
use BrowserExploitServer
2014-11-24 18:49:27 +01:00
spdfire
08a67d78c5
module for CVE-2014-6332.
2014-11-24 08:25:18 +01:00
Mark Schloesser
9e9954e831
fix placeholder to show the firmware version I used
2014-11-19 21:23:39 +01:00
Mark Schloesser
a718e6f83e
add exploit for r7-2014-18 / CVE-2014-4880
2014-11-19 21:07:02 +01:00
Joe Vennix
a9cb6e0d2f
Add jduck as an author on samsung_knox_smdm_url
2014-11-19 10:18:08 -06:00
Meatballs
1d0d5582c1
Remove datastore options
2014-11-19 15:05:36 +00:00
Meatballs
7004c501f8
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2
...
Conflicts:
modules/exploits/windows/smb/psexec.rb
2014-11-19 14:40:50 +00:00
jvazquez-r7
542eb6e301
Handle exception in brute force exploits
2014-11-18 12:17:10 -08:00
Jon Hart
60e31cb342
Allow sunrpc_create to raise on its own
2014-11-18 12:17:10 -08:00
jvazquez-r7
7daedac399
Land #3972 @jhart-r7's post gather module for remmina Remmina
...
* Gather credentials managed with Remmina
2014-11-17 16:44:41 -06:00
Tod Beardsley
286827c6e5
Land #4186 , Samsung KNOX exploit. Ty @jvennix-r7!
2014-11-17 13:29:39 -06:00
Tod Beardsley
39980c7e87
Fix up KNOX caps, descriptive description
2014-11-17 13:29:00 -06:00
Tod Beardsley
0f41bdc8b8
Add an OSVDB ref
2014-11-17 13:26:21 -06:00
jvazquez-r7
145e610c0f
Avoid shadowing new method
2014-11-17 12:22:30 -06:00
William Vu
91ba25a898
Land #4208 , psexec delay fix
2014-11-17 11:35:56 -06:00
Joe Vennix
cd61975966
Change puts to vprint_debug.
2014-11-17 10:13:13 -06:00
floyd
9243cfdbb7
Minor fixes to ruby style things
2014-11-17 17:12:17 +01:00
Joe Vennix
2a24151fa8
Remove BAP target, payload is flaky. Add warning.
2014-11-17 02:02:37 -06:00
HD Moore
9fe4994492
Chris McNab has been working with MITRE to add these CVEs
...
These CVEs are not live yet, but have been confirmed by cve-assign
t
2014-11-16 18:42:53 -06:00
Joe Vennix
5de69ab6a6
minor syntax fixes.
2014-11-15 21:39:37 -06:00
Joe Vennix
3fb6ee4f7d
Remove dead constant.
2014-11-15 21:38:11 -06:00
Joe Vennix
7a62b71839
Some URL fixes from @jduck and exploit ideas from Andre Moulu.
...
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
2014-11-15 21:33:16 -06:00
Christian Mehlmauer
28135bcb09
Land #4159 , MantisBT PHP code execution by @itseco
2014-11-15 07:49:54 +01:00
Rich Lundeen
27d5ed624f
fix for IE9 exploit config
2014-11-14 17:21:59 -08:00
Rich Lundeen
17ab0cf96e
ADD winxpIE8 exploit for MS13-080
2014-11-14 17:16:51 -08:00
sinn3r
e194d5490d
See #4162 - Don't delay before deleting a file via SMB
...
So I was looking at issue #4162 , and on my box I was seeing this
problem of the exploit failing to delete the payload in C:\Windows,
and the error was "Rex::Proto::SMB::Exceptions::NoReply The SMB
server did not reply to our request". I ended up removing the sleep(),
and that got it to function properly again. The box was a Win 7 SP1.
I also tested other Winodws boxes such as Win XP SP3, Windows Server
2008 SP2 and not having the sleep() doesn't seem to break anything.
So I don't even know why someone had to add the sleep() in the first
place.
2014-11-14 15:45:37 -06:00
jvazquez-r7
ee9b1aa83a
Manage Rex::ConnectionRefused exceptions
2014-11-14 10:53:03 -06:00
jvazquez-r7
428fe00183
Handle Rex::ConnectionTimeout
2014-11-13 22:34:28 -06:00
Jon Hart
57aef9a6f5
Land #4177 , @hmoore-r7's fix for #4169
2014-11-13 18:29:57 -08:00
jvazquez-r7
4a0e9b28a4
Use peer
2014-11-13 19:26:01 -06:00
jvazquez-r7
4a06065774
Manage Exceptions to not wait the full wfs_delay
2014-11-13 19:17:09 -06:00
jvazquez-r7
73ce4cbeaa
Use primer
2014-11-13 18:21:19 -06:00
jvazquez-r7
0bcb99c47d
Fix metadata
2014-11-13 18:00:11 -06:00
jvazquez-r7
a5c8152f50
Use fail_with
2014-11-13 17:57:26 -06:00
jvazquez-r7
6ddf6c3863
Fail when the loader cannot find the java payload class
2014-11-13 17:55:49 -06:00
Christian Mehlmauer
3faa48d810
small bugfix
2014-11-13 22:51:41 +01:00
Christian Mehlmauer
7d6b6cba43
some changes
2014-11-13 22:46:53 +01:00
Tod Beardsley
dd1920edd6
Minor typos and grammar fixes
2014-11-13 14:48:23 -06:00
Juan Escobar
17032b1eed
Fix issue reported by FireFart
2014-11-13 04:48:45 -05:00
jvazquez-r7
31f3aa1f6d
Refactor create packager methods
2014-11-13 01:16:15 -06:00
jvazquez-r7
38a96e3cfc
Update target info
2014-11-13 00:56:42 -06:00
jvazquez-r7
e25b6145f9
Add module for MS14-064 bypassing UAC through python for windows
2014-11-13 00:56:10 -06:00
Joe Vennix
ea6d8860a1
Not root, just arbitrary permissions.
2014-11-12 21:51:55 -06:00
Joe Vennix
1895311911
Change URL to single line.
2014-11-12 10:56:51 -06:00
Joe Vennix
8689b0adef
Add module for samsung knox root exploit.
2014-11-12 09:53:20 -06:00
jvazquez-r7
c35dc2e6b3
Add module for CVE-2014-6352
2014-11-12 01:10:49 -06:00
HD Moore
6b4eb9a8e2
Differentiate failed binds from connects, closes #4169
...
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:
1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.
Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Juan Escobar
ac17780f6d
Fix by @FireFart to recover communication with the application after a meterpreter session
2014-11-11 05:49:18 -05:00
Juan Escobar
6bf1f613b6
Fix issues reported by FireFart
2014-11-11 00:41:58 -05:00
Juan Escobar
d4bbf0fe39
Fix issues reported by wchen-r7 and mmetince
2014-11-10 15:27:10 -05:00
floyd
9d848c8c3b
Adding tincd post-auth stack buffer overflow exploit module for several OS
...
Minor changes to comments
Updated URLs
Added Fedora ROP, cleaned up
Fixing URLs again, typos
Added support for Archlinux (new target)
Added support for OpenSuse (new target)
Tincd is now a separate file, uses the TCP mixin/REX sockets.
Started ARM exploiting
Style changes, improvements according to egyp7's comments
Style changes according to sane rubocop messages
RSA key length other than 256 supported. Different key lengths for client/server supported.
Drop location for binary can be customized
Refactoring: Replaced pop_inbuffer with slice
Refactoring: fail_with is called, renamed method to send_recv to match other protocol classes,
using rand_text_alpha instead of hardcoded \x90,
Fixed fail command usage
Version exploiting ARM with ASLR brute force
Cleaned up version with nicer program flow
More elegant solution for data too large for modulus
Minor changes in comments only (comment about firewalld)
Correct usage of the TCP mixin
Fixes module option so that the path to drop the binary on the server is not validated against the local filesystem
Added comments
Minor edits
Space removal at EOL according to msftidy
2014-11-10 12:03:17 +01:00
William Vu
0e772cc338
Land #4161 , "stop" NilClass fix
2014-11-09 19:37:32 -06:00
sinn3r
cd0dbc0e24
Missed another
2014-11-09 14:06:39 -06:00
Juan Escobar
9cce7643ab
update description and fix typos
2014-11-09 09:10:01 -05:00
Juan Escobar
5d17637038
Add CVE-2014-7146 PHP Code Execution for MantisBT
2014-11-09 08:00:44 -05:00
Jon Hart
2b7d25950b
Land #4148 , @wchen-r7 fixed #4133
2014-11-07 08:26:29 -08:00
sinn3r
0dbfecba36
Better method name
...
Should be srvhost, not lhost
2014-11-07 02:23:34 -06:00
Joshua Smith
7b25e3be75
Land #4139 , Visual Mining NetCharts
...
landed after some touch up
2014-11-06 22:52:41 -06:00
Joshua Smith
7510fb40aa
touch up visual_mining_netcharts_upload
2014-11-06 22:50:20 -06:00
sinn3r
579481e5f8
Explain why I did this
...
Also tagging Fix #4133
2014-11-06 14:25:11 -06:00
sinn3r
f210ade253
Use SRVHOST for msvidctl_mpeg2
2014-11-06 14:23:21 -06:00
sinn3r
f7e308cae8
Land #4110 - Citrix Netscaler BoF
2014-11-06 00:04:17 -06:00
jvazquez-r7
54c1e13a98
Land #4140 , @wchen-r7's default template for adobe_pdf_embedded_exe
...
* Fixes #4134
* Adds a default PDF template
2014-11-05 20:21:14 -06:00
jvazquez-r7
adefb2326e
Land #4124 , @wchen-r7 fixes #4115 adding HTTP auth support to iis_webdav_upload_asp
2014-11-05 18:14:33 -06:00
sinn3r
1b2554bc0d
Add a default template for CVE-2010-1240 PDF exploit
2014-11-05 17:08:38 -06:00
jvazquez-r7
79cabc6d68
Fix clean up
2014-11-05 15:46:33 -06:00
jvazquez-r7
c08993a9c0
Add module for ZDI-14-372
2014-11-05 15:31:20 -06:00
jvazquez-r7
400ef51897
Land #4076 , exploit for x7chat PHP application
2014-11-03 18:22:04 -06:00
jvazquez-r7
3bf7473ac2
Add github pull request as reference
2014-11-03 18:18:42 -06:00
jvazquez-r7
44a2f366cf
Switch ranking
2014-11-03 18:06:09 -06:00
jvazquez-r7
039d3cf9ae
Do minor cleanup
2014-11-03 18:04:30 -06:00
Juan Escobar
7e4248b601
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04
2014-11-03 16:42:50 -05:00
sinn3r
9a27984ac1
switch from error to switch
2014-11-03 13:56:41 -06:00
sinn3r
a823ca6b2f
Add support for HTTP authentication. And more informative.
2014-11-03 13:46:53 -06:00
Tod Beardsley
51b96cb85b
Cosmetic title/desc updates
2014-11-03 13:37:45 -06:00
jvazquez-r7
40bf44bd05
Don't allow 127.0.0.1 as SRVHOST
2014-10-31 08:19:15 -05:00
jvazquez-r7
7d2fa9ee94
Delete unnecessary to_s
2014-10-30 22:59:22 -05:00
sinn3r
64f4777407
Land #4091 - Xerox DLM injection
2014-10-30 22:15:16 -05:00
sinn3r
b7a1722b46
Pass msftidy, more descriptive name and description
2014-10-30 22:14:18 -05:00
jvazquez-r7
8fdea5f74c
Change module filename
2014-10-30 20:34:24 -05:00
jvazquez-r7
9404e24b24
Update module information
2014-10-30 20:33:38 -05:00
Jon Hart
1a37a6638c
Fix splunk_upload_app_exec to work on new installs. Style
2014-10-30 18:28:56 -07:00
Jon Hart
55f245f20f
Merge #3507 into local, recently updated branch of master for landing
2014-10-30 17:28:20 -07:00
jvazquez-r7
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
jvazquez-r7
ac939325ce
Add module first version
2014-10-29 21:11:57 -05:00
Deral Heiland
64a59e805c
Fix a simple typo
2014-10-29 12:40:24 -04:00
Deral Heiland
1bf1be0e46
Updated to module based feedback from wchen-r7
2014-10-29 11:42:07 -04:00
Juan Escobar
2e53027bb6
Fix value of X7C2P cookie and typo
2014-10-29 08:32:36 -05:00
Juan Escobar
9f21ac8ba2
Fix issues reported by wchen-r7
2014-10-28 21:31:33 -05:00
Meatballs
4f61710c9a
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2
2014-10-28 20:26:44 +00:00
William Vu
71a6ec8b12
Land #4093 , cups_bash_env_exec CVE-2014-6278
2014-10-28 12:47:51 -05:00
Brendan Coles
57baf0f393
Add support for CVE-2014-6278
2014-10-28 17:10:19 +00:00
William Vu
3de5c43cf4
Land #4050 , CUPS Shellshock
...
Bashbleeded!!!!!!!!!!!
2014-10-28 11:59:31 -05:00
Brendan Coles
78b199fe72
Remove CVE-2014-6278
2014-10-28 16:18:24 +00:00
Joe Vennix
c6bbc5bccf
Merge branch 'landing-4055' into upstream-master
2014-10-28 11:18:20 -05:00
Deral Heiland
9021e4dae6
Xerox Workcentre firmware injection exploit
2014-10-28 11:15:43 -04:00
jvazquez-r7
5e0993d756
Add OJ as author
2014-10-28 09:58:34 -05:00
Brendan Coles
a060fec760
Detect version in check()
2014-10-28 12:28:18 +00:00
Juan Escobar
2ba2388889
Fix issues reported by jvasquez
2014-10-27 19:15:39 -05:00
jvazquez-r7
373ce8d340
Use perl encoding
2014-10-27 15:30:02 -05:00
Luke Imhoff
216360d664
Add missing require
...
MSP-11145
2014-10-27 15:19:59 -05:00
jvazquez-r7
9da83b6782
Update master changes
2014-10-27 14:35:30 -05:00
Spencer McIntyre
04a99f09bb
Land #4064 , Win32k.sys NULL Pointer Dereference
2014-10-27 14:01:07 -04:00
William Vu
950fc46e4b
Normalize description
2014-10-27 12:09:39 -05:00
Spencer McIntyre
830f631da4
Make the check routine less strict
2014-10-27 12:51:20 -04:00
sinn3r
aa5dc0a354
100 columns per line
2014-10-27 10:24:11 -05:00
sinn3r
7e56948191
Update description about pureftpd_bash_env_exec
...
Make exploitable requirements more obvious
2014-10-27 10:23:06 -05:00
Spencer McIntyre
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
jvazquez-r7
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
Juan Escobar
848f24a68c
update module description
2014-10-27 02:07:16 -05:00
root
d66dc88924
Add PHP Code Execution for X7 Chat 2.0.5
2014-10-27 01:01:31 -05:00
jvazquez-r7
c319ea91b3
Delete verbose print
2014-10-26 17:31:19 -05:00
jvazquez-r7
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
Spencer McIntyre
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
Brendan Coles
554935e60b
Add check() and support CVE-2014-6278
2014-10-26 18:11:36 +00:00
jvazquez-r7
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
sinn3r
7cb4320a76
Land #3561 - unix cmd generic_sh encoder
2014-10-23 15:48:00 -05:00
sinn3r
13fd6a3374
Land #4046 - Centreon SQL and Command Injection
2014-10-23 13:17:00 -05:00
sinn3r
ce841e57e2
Rephrase about centreon.session
2014-10-23 13:15:55 -05:00
sinn3r
889045d1b6
Change failure message
2014-10-23 12:55:27 -05:00
Spencer McIntyre
f886ab6f97
Land #4020 , Jenkins-CI CSRF token support
2014-10-20 19:03:24 -04:00
jvazquez-r7
c77a0984bd
Land #3989 , @us3r777's exploit for CVE-2014-7228, Joomla Update unserialize
...
the commit.
empty message aborts
2014-10-20 13:39:08 -05:00
jvazquez-r7
4e6f61766d
Change module filename
2014-10-20 13:31:22 -05:00
jvazquez-r7
e202bc10f0
Fix title
2014-10-20 13:30:44 -05:00
jvazquez-r7
f07c5de711
Do code cleanup
2014-10-20 13:27:48 -05:00
sinn3r
dbaf9c5857
Land #4001 - HP Data Protector EXEC_INTEGUTIL Remote Code Execution
2014-10-20 11:44:21 -05:00
Tod Beardsley
6812b8fa82
Typo and grammar
2014-10-20 11:02:09 -05:00
jvazquez-r7
052a9fec86
Delete return
2014-10-20 10:52:33 -05:00
jvazquez-r7
199f6eba76
Fix check method
2014-10-20 10:46:40 -05:00
us3r777
16101612a4
Some changes to use primer
...
Follow wiki How-to-write-a-module-using-HttpServer-and-HttpClient
2014-10-20 17:26:16 +02:00
us3r777
1e143fa300
Removed unused variables
2014-10-20 16:58:41 +02:00
Spencer McIntyre
005baa7f7e
Retry the script page request to get the token
...
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
2014-10-19 14:04:16 -04:00
Brendan Coles
0ede70e7f6
Add exploit module for CUPS shellshock
2014-10-19 17:58:49 +00:00
sinn3r
d1523c59a9
Land #3965 - BMC Track-It! Arbitrary File Upload
2014-10-17 19:47:42 -05:00
sinn3r
8b5a33c23f
Land #4044 - MS14-060 "Sandworm"
2014-10-17 16:46:32 -05:00
William Vu
d5b698bf2d
Land #3944 , pkexec exploit
2014-10-17 16:30:55 -05:00
jvazquez-r7
70f8e8d306
Update description
2014-10-17 16:17:00 -05:00
jvazquez-r7
e52241bfe3
Update target info
2014-10-17 16:14:54 -05:00
jvazquez-r7
7652b580cd
Beautify description
2014-10-17 15:31:37 -05:00
jvazquez-r7
d831a20629
Add references and fix typos
2014-10-17 15:29:28 -05:00
sinn3r
ef1556eb62
Another update
2014-10-17 13:56:37 -05:00
jvazquez-r7
8fa648744c
Add @wchen-r7's unc regex
2014-10-17 13:46:13 -05:00
William Vu
10f3969079
Land #4043 , s/http/http:/ splat
...
What is a splat?
2014-10-17 13:41:07 -05:00
William Vu
dbfe398e35
Land #4037 , Drupageddon exploit
2014-10-17 12:39:59 -05:00
William Vu
a514e3ea16
Fix bad indent (should be spaces)
...
msftidy is happy now.
2014-10-17 12:39:25 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
jvazquez-r7
e5903562ee
Delete bad/incomplete validation method
2014-10-17 10:36:01 -05:00
sinn3r
a79427a659
I shoulda checked before git commit
2014-10-17 00:54:45 -05:00
sinn3r
4c0048f26a
Update description
2014-10-17 00:46:17 -05:00
sinn3r
3a63fa12b8
'ppsx_module_smaller' to branch cve_2014_4114
2014-10-17 00:10:57 -05:00
William Vu
e242bf914f
Land #4031 , fixes for pureftpd_bash_env_exec
2014-10-16 19:55:09 -05:00
jvazquez-r7
1d16bd5c77
Fix vulnerability discoverer
2014-10-16 18:01:45 -05:00
jvazquez-r7
807f1e3560
Fix target name
2014-10-16 17:58:45 -05:00
jvazquez-r7
c1f9ccda64
Fix ruby
2014-10-16 17:55:00 -05:00
jvazquez-r7
e40642799e
Add sandworm module
2014-10-16 16:37:37 -05:00
Brandon Perry
353d2f79cc
tweak pw generation
2014-10-16 12:06:19 -07:00
Brandon Perry
5f8c0cb4f3
Merge branch 'drupal' of https://github.com/FireFart/metasploit-framework into drupageddon
2014-10-16 11:53:54 -07:00
Christian Mehlmauer
c8dd08f605
password hashing
2014-10-17 15:52:47 +02:00
Brandon Perry
23b7b8e400
fix for version 7.0-7.31
2014-10-16 11:53:48 -07:00
Brandon Perry
9bab77ece6
add urls
2014-10-16 10:36:37 -07:00
Brandon Perry
b031ce4df3
Create drupal_drupageddon.rb
2014-10-16 16:42:47 -05:00
Brandon Perry
5c4ac48db7
update the drupal module a bit with error checking
2014-10-16 10:32:39 -07:00
Spencer McIntyre
09069f75c2
Fix #4019 , fix NameError peer and disconnect in check
2014-10-16 08:32:20 -04:00
Fernando Munoz
4c2ae1a753
Fix jenkins when CSRF is enabled
2014-10-14 19:33:23 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Tod Beardsley
b1223165d4
Trivial grammar fixes
2014-10-14 12:00:50 -05:00
jvazquez-r7
39a09ad750
Use ARCH_CMD on Windows target
2014-10-14 10:24:32 -05:00
jvazquez-r7
a0fc0cf87f
Update ranking
2014-10-13 17:44:00 -05:00
jvazquez-r7
ca05c4c2f4
Fix @wchen-r7's feedback
...
* use vprint_* on check
* rescue get_once
2014-10-12 17:44:33 -05:00
us3r777
444b01c4b0
Typo + shorten php serialized object
2014-10-12 21:29:04 +02:00
jvazquez-r7
46bf8f28e0
Fix regex
2014-10-11 21:37:05 -05:00
jvazquez-r7
6092e84067
Add module for ZDI-14-344
2014-10-11 21:33:23 -05:00
0a2940
e689a0626d
Use Rex.sleep :-)
...
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"
user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
Pedro Ribeiro
4b7a446547
... and restore use of the complicated socket
2014-10-09 18:30:45 +01:00
Pedro Ribeiro
c78651fccc
Use numbers for version tracking
2014-10-09 18:29:27 +01:00
us3r777
2428688565
CVE-2014-7228 Joomla/Akeeba Kickstart RCE
...
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
Christian Mehlmauer
1584c4781c
Add reference
2014-10-09 06:58:15 +02:00
jvazquez-r7
4f96d88a2f
Land #3949 , @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload
2014-10-08 16:35:49 -05:00
jvazquez-r7
66a8e7481b
Fix description
2014-10-08 16:35:14 -05:00
jvazquez-r7
8ba8402be3
Update timeout
2014-10-08 16:32:05 -05:00
jvazquez-r7
bbf180997a
Do minor cleanup
2014-10-08 16:29:11 -05:00
Jay Smith
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
jvazquez-r7
411f6c8b2d
Land #3793 , @mfadzilr's exploit for CVE-2014-6287, HFS remote code execution
2014-10-08 12:16:09 -05:00
jvazquez-r7
98b69e095c
Use %TEMP% and update ranking
2014-10-08 12:12:00 -05:00
jvazquez-r7
d90fe4f724
Improve check method
2014-10-08 12:03:16 -05:00
jvazquez-r7
25344aeb6a
Change filename
2014-10-08 11:55:33 -05:00
jvazquez-r7
909f88680b
Make exploit aggressive
2014-10-08 11:08:01 -05:00
jvazquez-r7
d02f0dc4b9
Make minor cleanup
2014-10-08 10:36:56 -05:00
jvazquez-r7
d913bf1c35
Fix metadata
2014-10-08 10:29:59 -05:00
Pedro Ribeiro
0a9795216a
Add OSVDB id and full disclosure URL
2014-10-08 08:25:41 +01:00
sinn3r
c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution
2014-10-08 00:30:07 -05:00
Pedro Ribeiro
d328b2c29d
Add exploit for Track-It! file upload vuln
2014-10-07 23:50:10 +01:00
jvazquez-r7
299d9afa6f
Add module for centreon vulnerabilities
2014-10-07 14:40:51 -05:00
jvazquez-r7
3daa1ed4c5
Avoid changing modules indentation in this pull request
2014-10-07 10:41:25 -05:00
jvazquez-r7
341d8b01cc
Favor echo encoder for back compatibility
2014-10-07 10:24:32 -05:00
jvazquez-r7
0089810026
Merge to update
2014-10-06 19:09:31 -05:00
jvazquez-r7
212762e1d6
Delete RequiredCmd for unix cmd encoders, favor EncoderType
2014-10-06 18:42:21 -05:00
us3r777
03888bc97b
Change the check function
...
Use regex based detection
2014-10-06 18:56:01 +02:00
us3r777
29111c516c
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
...
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
James Lee
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
William Vu
f7e709dcb3
Land #3941 , new WPVDB reference
2014-10-03 10:17:02 -05:00
Christian Mehlmauer
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
0a2940
f2b9aeed74
typo
2014-10-03 11:02:56 +01:00
0a2940
f60f6d9c92
add exploit for CVE-2011-1485
2014-10-03 10:54:43 +01:00
Brandon Perry
2c9446e6a8
Update f5_icontrol_exec.rb
2014-10-02 17:56:24 -05:00
Christian Mehlmauer
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
Vincent Herbulot
63426793ef
Use vars_get instead of direct URI concatenation
2014-10-02 11:03:12 +02:00
Joe Vennix
5a8eca8946
Adds a :vuln_test option to BES, just like in BAP.
...
I needed this to run a custom JS check for the Android
webview vuln when the exploit is served straight
through BES. The check already existed when using BAP,
so I tried to preserve that syntax, and also added a
:vuln_test_error as an optional error message.
This commit also does some mild refactoring of un-
useful behavior in BES.
2014-10-01 23:34:31 -05:00
HD Moore
0380c5e887
Add CVE-2014-6278 support, lands #3932
2014-10-01 18:25:41 -05:00
William Vu
c1b0acf460
Add CVE-2014-6278 support to the exploit module
...
Same thing.
2014-10-01 17:58:25 -05:00
William Vu
5df614d39b
Land #3928 , release fixes
2014-10-01 17:21:08 -05:00
Spencer McIntyre
8cf718e891
Update pureftpd bash module rank and description
2014-10-01 17:19:31 -04:00
Tod Beardsley
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
Spencer McIntyre
cf6029b2cf
Remove the less stable echo stager from the exploit
2014-10-01 15:15:07 -04:00
Spencer McIntyre
632edcbf89
Add CVE-2014-6271 exploit via Pure-FTPd ext-auth
2014-10-01 14:57:40 -04:00
William Vu
9bfd013e10
Land #3923 , mv misc/pxexploit to local/pxeexploit
...
Also renamed typo'd pxexploit -> pxeexploit.
2014-09-30 17:48:06 -05:00
William Vu
039e544ffa
Land #3925 , rm indeces_enum
...
Deprecated.
2014-09-30 17:45:38 -05:00
sinn3r
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00