820f589df0
Missed this one.
2013-06-17 15:52:53 -05:00
163d3e771b
Handle connect_login return value properly
...
Some modules ignore connect_login's return value, which may result
an EOF if send_cmd() is used later on. All the modules fixed are
the ones require auth according to the module description, or
CVE/vendor/OSVDB info.
2013-06-17 15:48:34 -05:00
11bf17b0d6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-15 11:55:22 -05:00
bd17e67f75
Land #1960 , lower ranking for MS13-009
2013-06-14 15:28:06 -05:00
2abf70a1ca
Lower ranking for MS13-009
...
We haven't been able to make this one more reliable, so todb suggests
we lower the ranking first.
2013-06-14 15:24:43 -05:00
d35c3469e8
Fix typo
...
EDB reference
2013-06-14 15:16:20 -05:00
2d083be8e7
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-14 13:28:44 -05:00
0d384d23b8
Land #1954 - Fix resource_uri and mp4 file path
2013-06-14 13:15:17 -05:00
060261bb3b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-14 13:15:13 -05:00
933ac88b44
Missing the file param that's needed to download the mp4
2013-06-14 13:13:48 -05:00
d2df3234f4
Land #1955 - mozilla_mchannel.rb undefined agent variable
2013-06-14 11:14:20 -05:00
223807d0df
Land #1956 - fix regex error for mozilla_reduceright.rb
2013-06-14 11:09:49 -05:00
86258e32b1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-13 16:05:03 -05:00
0440c03c7a
Land #1934 - Fix UltraISO Exploit File Creation
2013-06-13 13:57:09 -05:00
95118895d6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-13 13:05:42 -05:00
81813a78fc
Fix module Name
2013-06-13 11:55:23 -05:00
707bc33148
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-13 10:17:28 -05:00
eaba8e7b59
up to date
2013-06-12 15:44:00 -05:00
afb2f83238
Add module for CVE-2012-1533
2013-06-12 14:40:53 -05:00
c38eabe481
Fix description, code and perform test
2013-06-12 11:07:03 -05:00
5c8053491f
Add DEP bypass for ntdll ms12-001
2013-06-12 10:41:05 -05:00
a1c7961cbc
Suport js obfuscation for the trigger
2013-06-12 08:06:12 -05:00
5240c6e164
Add module for MS13-037 CVE-2013-2551
2013-06-12 07:37:57 -05:00
9ea58ba165
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-11 10:40:01 -05:00
081baad68c
Remove variable 'overflow' because it's not used
...
The 'overflow' variable isn't needed
2013-06-11 02:26:45 -05:00
ca0ab8d6ee
maxthon_history_xcs.rb - fix User-agent string
...
request.headers['User-agent'] is incorrect, it should be
request.headers['User-Agent'].
Downloaded following version from oldapps.com to confirm
the exploit code is wrong.
Supported Systems Windows 98, 2000 (Maxthon 2.5.15 Build
1000), XP, Vista, 7, 8
MD5 Checksum F3791637C886A46940876211209F82F4
SHA1 Checksum 039BB218245E5DC1BAB0F57298C68AC487F86323
Release Date 20 October, 2011 (2 years ago )
2013-06-11 13:37:21 +10:00
69c25014ae
Make msftidy happy
2013-06-13 18:58:38 -05:00
12801430e3
Update both ultraiso files to the right fix
2013-06-13 18:44:19 -05:00
4e41e871bb
mozilla_reduceright.rb - fix regex error.
...
[] is character class, and will match on 1, 6, 7, and |.
Where as (16|17) will match on either 16, or 17.
irb(main):053:0> y = /Firefox\/3\.6\.[16|17]/
=> /Firefox\/3\.6\.[16|17]/
irb(main):054:0> x = "Firefox/3.6.13"
=> "Firefox/3.6.13"
irb(main):055:0> x =~ y
=> 0
irb(main):056:0> y = /Firefox\/3\.6\.(16|17)/
=> /Firefox\/3\.6\.(16|17)/
irb(main):057:0> x =~ y
=> nil
2013-06-11 11:52:27 +10:00
996171b35f
mozilla_mchannel.rb undefined agent variable
...
If the TARGET is chosen instead of using the default
automatic, the agent variable will be undefined, which
causes the exploit to fail.
2013-06-11 10:43:47 +10:00
72b871d762
up to date
2013-06-10 16:37:05 -05:00
d91b412661
adobe_flash_sps.rb - resource_uri vs get_resource
...
resource_uri will randomize the returned uri unless
datastore['URIPATH"] is set.
get_resource will return the currently used reosurce_uri
Since the incorrect type is used, this exploit is completely broken.
Tested fix with both URIPATH set to / and unset, and it works after
redirect.
2013-06-11 07:13:02 +10:00
9c44ea0c61
up to date
2013-06-10 13:02:01 -05:00
b20a38add4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-10 12:22:52 -05:00
0895184e1f
Land #1932 - Actually support OUTPUTPATH datastore option
2013-06-10 11:22:28 -05:00
f58e279066
Cleanup on module names, descriptions.
2013-06-10 10:52:22 -05:00
cd64e3593c
Fix UltraISO file creation
...
This makes file creation where datastore['FILENAME'] is not used when
a different filename is required, and ends up creating files in the
wrong place.
2013-06-09 12:37:34 +10:00
c6b4290fea
Fix UltraISO Exploit File Creation
...
Both ultraiso_ccd.rb and ultraiso_cue.rb use File.open to create
files, instead of using the create_file() function. This leads
to files being created in the wrong directory.
We work around this by dynamically changing the
file_format_filename function to return the corrected filename.
2013-06-09 09:51:15 +10:00
cb79aa252a
Fix output path in ms10_004_textbytesatom.rb
...
ms10_004_textbytesatom.rb does not write to the local data directory,
instead it writes to the metasploit path (at least, that's where I
started msfrpcd).
This fixes it by using Msf::Config.local_directory
2013-06-09 07:28:48 +10:00
9c27a294cb
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-07 13:01:37 -05:00
a157e65802
Land #1916 , @wchen-r7's exploit for Synactics PDF
2013-06-07 12:11:45 -05:00
ea2895ac13
Change to AverageRanking
...
Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
2013-06-07 12:08:51 -05:00
9c7b446532
Updates description about default browser setting
2013-06-07 11:58:31 -05:00
f3421f2c3a
Fix different landings
2013-06-07 10:26:04 -05:00
0fb77cb4a7
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-07 08:44:07 -05:00
da4b18c6a1
[FixRM:#8012] - Fix message data type to int
...
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
e559824dc8
Remove whitespace
2013-06-06 20:08:50 -05:00
d3e57ffc46
Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
...
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx. When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
2013-06-06 20:05:08 -05:00
e5a17ba227
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-05 09:41:23 -05:00
6d3dcf0cef
Land #1912 - Fixed check for Admins SID in whoami /group output
2013-06-05 02:55:38 -05:00
a3b25fd7c9
Land #1909 - Novell Zenworks Mobile Device Managment exploit & auxiliary
2013-06-05 02:45:45 -05:00
0c1d46c465
Add more references
2013-06-05 02:43:43 -05:00
46aa6d38f8
Add a check for it
2013-06-05 02:41:03 -05:00
a270d37306
Take apart the version detection code
2013-06-05 02:34:35 -05:00
25fe03b981
People like this format better: IP:PORT - Message
2013-06-05 02:26:18 -05:00
02e29fff66
Make msftidy happy
2013-06-05 02:25:08 -05:00
35459f2657
Small name change, don't mind me
2013-06-05 02:18:11 -05:00
227fa4d779
Homie needs a default target
2013-06-05 02:16:59 -05:00
1032663cd4
Fixed check for Administrators SID in whoami /group output
2013-06-04 18:34:06 -04:00
ed4766dc46
initial commit of novell mdm modules
2013-06-04 09:20:10 -07:00
a5f9ed890b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-03 16:23:12 -05:00
30a019e422
Land #1891 , @wchen-r7's improve for ie_cgenericelement_uaf
2013-06-03 15:35:43 -05:00
4079484968
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-03 15:27:36 -05:00
4cf682691c
New module title and description fixes
2013-06-03 14:40:38 -05:00
cb33c5685f
Landing #1890 - Oracle WebCenter Content openWebdav() vulnerability
2013-06-02 12:35:40 -05:00
cc951e3412
Modifies the exploit a little for better stability
...
This patch makes sure the LFH is enabled before the CGenericElement
object is created. Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
f68d35f251
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-01 17:09:23 -05:00
5939ca8ce4
Add analysis at the end of the module
2013-06-01 15:59:17 -05:00
9be8971bb0
Add module for ZDI-13-094
2013-06-01 15:44:01 -05:00
8671ae9de7
add osvdb ref
2013-06-01 14:27:50 -05:00
d42ac02e3e
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-31 23:01:05 -05:00
f8e9535c39
Add ZDI reference
2013-05-31 20:50:53 -05:00
3a360caba1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-31 19:03:21 -05:00
4f6d80c813
Land #1804 , user-settable filename for psexec
2013-05-31 13:34:52 -05:00
5964d36c40
Fix a syntax error
...
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
70037fdbed
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-30 15:02:34 -05:00
d0489b5d1e
Delete some commas
2013-05-30 14:25:53 -05:00
6abb591428
Do minor cleanup for lianja_db_net
2013-05-30 14:25:05 -05:00
70e1379338
Use msvcrt in ropdb for stability.
2013-05-30 11:13:22 -04:00
c3ab1ed2a5
Exploit module for Lianja SQL 1.0.0RC5.1
2013-05-29 08:48:41 -04:00
66ea59b03f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-28 15:22:46 -05:00
d16d316658
Fixes mssql_findandsampledata & ms11_006_creat esizeddibsection
...
[FixRM:7987]
[FixRM:7986]
2013-05-28 11:15:17 -05:00
e678b2c5d8
Add module for CVE-2012-5946
2013-05-26 00:21:20 -05:00
57b7e4ec44
Update ms11_006_createsizeddibsection.rb
2013-05-25 13:14:41 +06:00
0dee5ae94d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-22 12:54:44 -05:00
ecb9d1d7fa
Landing #1848 - AdobeCollabSync Buffer Overflow on Adobe Reader X
2013-05-22 12:24:42 -05:00
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
f4498c3916
Remove $Id tags
...
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
0f3b13e21d
up to date
2013-05-16 15:02:41 -05:00
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
352a7afcd6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-14 22:29:24 -05:00
e1111928c2
Adds patch info for ie_cgenericelement_uaf
...
This one is MS13-038
2013-05-14 14:55:02 -05:00
01ce751c51
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-12 17:08:14 -05:00
ce594a3ba2
Deprecate modules/exploits/windows/http/sap_mgmt_con_osexec_payload
2013-05-12 08:46:40 -05:00
7fcf20201b
Ranking should be the same (to GoodRanking)
2013-05-11 09:19:25 -05:00
823d89935a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-09 12:36:43 -05:00
95b0d4e5ec
move filename init up to remove dup code
...
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
9043eeda66
A slight change for stability
...
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable. I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
866fa167ab
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-08 16:29:52 -05:00
bdd2287daf
Land #1809 , @wchen-r7's modification for ie_cgenericelement_uaf
2013-05-08 16:21:11 -05:00
9a1400a75b
Forgot to remove this print_warning
2013-05-08 15:44:04 -05:00
075f6e8d45
Updates ROP chain and mstime_malloc usage
2013-05-08 15:42:45 -05:00
c7609ac7d1
Initial update
2013-05-08 14:24:52 -05:00
1aa80cd35e
Add module for CVE-2013-0726
2013-05-08 13:48:48 -05:00
71c68d09c1
Allow user ability to set filename for psexec service binary
...
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
bcdad23559
up to date
2013-05-06 23:09:32 -05:00
0fa65a6802
Merge branch 'sap_soap_rfc_sxpg_command_exec' of https://github.com/nmonkee/metasploit-framework
2013-05-06 18:50:31 -05:00
425a16c511
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-05 22:00:07 -05:00
8239998ada
Typo on URL for #1797 . Thx @Meatballs1
2013-05-05 12:26:06 -05:00
c9ea7e250e
Fix disclosure date, ref for #1897
2013-05-05 12:13:02 -05:00
a33510e821
Add MS IE8 DoL 0day exploit (CVE-2013-1347)
...
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
2384f34ada
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-03 15:39:16 -05:00
13202a3273
Add OSVDB reference
2013-05-03 09:46:29 -05:00
a95de101e7
Delete extra line
2013-05-02 22:04:27 -05:00
6210b42912
Port EDB 25141 to msf
2013-05-02 22:00:43 -05:00
796f7a39ac
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-02 20:04:48 -05:00
a2e1fbe7a9
Make msftidy happy
2013-05-02 19:46:26 -05:00
eb23b5feeb
Forgot to remove function ie8_smil. Don't need this anymore.
2013-05-02 14:04:15 -05:00
329e8228d1
Uses js_mstime_malloc to do the no-spray technique
2013-05-02 14:00:15 -05:00
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
99b46202b9
Do final cleanup for sap_configservlet_exec_noauth
2013-04-26 08:45:34 -05:00
308b880d79
Land #1759 , @andrewkabai's exploit for SAP Portal Command Execution
2013-04-26 08:44:11 -05:00
5839e7bb16
simplify code
2013-04-26 12:14:42 +02:00
4aadd9363d
improve description
2013-04-26 12:13:45 +02:00
f3f60f3e02
Fixes P/P/R for target 0 (BadBlue 2.72b)
...
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken. Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.
[FixRM #7875 ]
2013-04-25 20:20:24 -05:00
9dd9b2d1ba
implement cleanup functionality
...
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
a28ef1847b
update references
2013-04-25 18:26:13 +02:00
676f2f5f4a
implement "check" functionality
2013-04-25 07:47:30 +02:00
3b46d5d4cd
fix typos
2013-04-25 07:22:16 +02:00
2759ef073e
correction on error handling
2013-04-25 07:19:27 +02:00
6b14ac5e71
add rank to module
2013-04-25 07:07:35 +02:00
f22d19a10c
remove unused code block
...
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
38e41f20fe
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-24 13:24:13 -05:00
0339be229a
implement dynamic timeout handling
2013-04-24 18:22:37 +02:00
6f8fc81497
improve error handling
2013-04-24 17:59:11 +02:00
57113bee80
fine correction
...
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
6485124cdf
fix module name
2013-04-24 10:54:52 +02:00
358b8934bf
clarify description
2013-04-24 10:31:40 +02:00
00e6eeca54
implement command line magick to prevent bad char usage
...
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
783cca6c17
allow only ARCH_X86 payloads
2013-04-24 09:29:47 +02:00
cae30bec23
Clean up all the whitespace found
2013-04-23 18:27:11 -05:00
750638e4d6
note on bad characters
2013-04-22 17:24:08 +02:00
a1e52b5b27
command execution needs cmd /c
2013-04-22 10:20:45 +02:00
d26289e05a
proper output handling in case of CMD payloads
2013-04-20 17:38:58 +02:00
d59ba37e6d
resize linemax
2013-04-20 17:37:50 +02:00
e36b58169b
implement CmbStagerVBS payload execution
2013-04-20 16:37:47 +02:00
8244c4dcac
multiple payload types, different paths to execute payloads
2013-04-20 14:20:30 +02:00
7b6a784a84
basic payload execution through OS command execution
2013-04-20 13:02:22 +02:00
223556a4e6
switch to exploit module environment
...
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
cff47771a2
initial commit
...
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
088eb8618d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-16 21:11:55 -05:00
4e8d32a89a
cleanup for freefloatftp_user
2013-04-16 20:43:38 -05:00
eedeb37047
Landing #1731 , @dougsko's freefloat ftp server bof exploit
2013-04-16 20:42:01 -05:00
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
a36c6d2434
Lands #1730 , adds a VERBOSE option checker
...
Also removes VERBOSE options from extant modules. There were only 5 of
them, and one was a commented option.
2013-04-15 15:32:56 -05:00
29101bad41
Removing VERBOSE offenders
2013-04-15 15:29:56 -05:00
79620ed660
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-09 17:12:16 +02:00
e2b8d5ed23
Fix from David Kennedy, enable Windows 8 support
2013-04-09 02:07:40 -05:00
070fd399f2
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-31 20:23:08 +02:00
1d6184cd63
fixed author details
2013-03-30 12:41:31 +01:00
6cd6a7d6b9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-28 12:16:18 +01:00
0109d81c95
fix typo
2013-03-27 17:39:18 +01:00
507692c660
SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXECUTE Function Command Execution
2013-03-27 15:20:18 +00:00
c225d8244e
Added module for CVE-2013-1493
2013-03-26 22:30:18 +01:00
393d5d8bf5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 19:09:42 +01:00
56c07211a0
Merge branch 'actfax_raw_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_raw_bof
2013-03-25 11:56:15 -05:00
47e3d7de59
Merge branch 'bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue' of github.com:neinwechter/metasploit-framework into neinwechter-bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue
2013-03-25 11:46:37 -05:00
d54687cb37
fix typo
2013-03-25 00:58:47 +01:00
26b43d9ed2
Added module for ZDI-13-050
2013-03-25 00:54:30 +01:00
cb56b2de4b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-23 20:06:05 +01:00
89c0e8c27e
Fix add_resource call in adobe_flas_mp5_cprt
2013-03-22 19:27:02 -04:00
6eaf995642
cleaning exploiting string
2013-03-22 21:48:02 +01:00
fd63283524
make msftidy happy
2013-03-22 21:46:12 +01:00
051e31c19f
Merge branch 'kingview_kingmess_kvl' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-kingview_kingmess_kvl
2013-03-22 13:00:38 -05:00
7391bc0201
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-20 00:46:10 +01:00
26dec4eb8f
last cleanup for sami_ftpd_list
2013-03-19 21:32:05 +01:00
42efe5955b
Merge branch 'osvdb-90815' of https://github.com/dougsko/metasploit-framework into dougsko-osvdb-90815
2013-03-19 21:31:46 +01:00
80d218b284
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-19 19:55:51 +01:00
b19c51aa81
cleanup for sami_ftpd_list
2013-03-19 19:04:14 +01:00
e2a9245b08
Changed target to Windows XP
2013-03-19 13:20:23 -03:00
0c0d15024a
No tabs for these
2013-03-19 08:39:47 -05:00
fb90a1b497
Uses IP address length in offset calculation
2013-03-18 16:18:04 -03:00
4aab1cc5df
delete debug code
2013-03-18 16:28:39 +01:00
dffec1cd41
added module for cve-2012-4914
2013-03-17 21:12:40 +01:00
3d92d6e977
removed the handler call
2013-03-15 16:48:53 -04:00
a96283029e
made payload size a little smaller
2013-03-15 16:08:43 -04:00
8b5c782b54
changed Platform from Windows to win
2013-03-15 15:13:52 -04:00
8f4b3d073a
Explicitly set EXITFUNC to thread
2013-03-15 14:52:39 -04:00
e9af05a178
made recommended changes
2013-03-15 11:35:12 -04:00
dc94816650
Merge branch 'master' of https://github.com/dougsko/metasploit-framework
2013-03-14 22:53:03 +01:00
4bb64a0f41
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-14 16:10:10 -04:00
bbbf395659
got everything working and cleaned up
2013-03-14 16:02:41 -04:00
e21288481d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-14 16:36:04 +01:00
1f7b2a8e9f
minor edits
2013-03-13 17:48:37 -04:00
fa5c988110
got sami_ftpd_list.rb working
2013-03-13 17:27:02 -04:00
456e4449e5
definitely the free trial of 6.53 is also vulnerable
2013-03-13 20:29:07 +01:00
5345af87f2
better description according to advisory
2013-03-13 20:25:13 +01:00
5339c6f76e
better target description according to advisory
2013-03-13 20:23:22 +01:00
50083996ff
better target description
2013-03-13 20:13:09 +01:00
a2755820cb
Added module for CVE-2012-4711
2013-03-13 20:07:58 +01:00
458ffc1f19
Add a target for Firebird 2.1.4.18393
2013-03-13 13:44:28 -04:00
5312c58c72
Added BID for ms09_002_memory_corruption.
2013-03-12 16:57:47 +01:00
56bb907f9f
Fixed exceptions in ms05_054_onload exploit module.
2013-03-12 16:57:47 +01:00
8f9c4f62c8
up to date
2013-03-12 16:50:45 +01:00
74b58185cd
up to date
2013-03-12 16:48:11 +01:00
2f95d083e8
Updating URL for Honewell EBI exploit
2013-03-11 13:35:58 -05:00
23972fbebc
Merge branch 'release'
2013-03-11 13:08:30 -05:00
d81d9261e7
Adding Honeywell exploit.
2013-03-11 13:03:59 -05:00
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
64398d2b60
deleting some commas
2013-03-07 21:34:51 +01:00
ab44e3e643
cleanup for fb_cnct_group
2013-03-07 21:34:07 +01:00
398d13e053
Initial commit of the Firebird CNCT Group Number Buffer Overflow.
2013-03-07 09:51:05 -05:00
b65f410048
Updates the description
2013-03-06 16:37:41 -06:00
fee07678dd
Rename module to better describe the bug.
2013-03-06 16:33:41 -06:00
79d3597d31
That's not a real check...
2013-03-06 16:32:53 -06:00
16d7b625bc
Format cleanup
2013-03-06 16:31:39 -06:00
7219c7b4aa
Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb
2013-03-06 16:15:24 -06:00
aa5c9461ae
Fixed more styling issues, EOL, tabs and headers
2013-03-06 10:50:31 -08:00
437d6d6ba6
Fixed EOL, bad indent, added header, removed #!/usr/env/ruby
2013-03-06 10:44:29 -08:00
af9982e289
Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb
2013-03-06 12:11:58 -06:00
aa3a54fba0
Added CoDeSyS Gateway.exe Server remote execution via arbitrary file creation
2013-03-06 09:29:28 -08:00
c290bc565e
Merge branch 'master' into feature/http/authv2
2013-02-28 14:33:44 -06:00
2b65cfa5ab
Minor changes
2013-02-22 21:02:19 -06:00
1623877151
Merge branch 'MS13-009' of github.com:jjarmoc/metasploit-framework into jjarmoc-MS13-009
2013-02-22 20:58:42 -06:00
5b16e26f82
change module filename
2013-02-21 20:05:13 +01:00
b4f4cdabbc
cleanup for the module
2013-02-21 20:04:05 +01:00
0ae489b37b
last of revert-merge snaffu
2013-02-19 23:16:46 -06:00
5108e8ef1c
Correct tab
2013-02-19 11:44:41 -06:00
b2664e04fb
Merge branch 'bigant_server_dupf_upload' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-bigant_server_dupf_upload
2013-02-19 11:42:04 -06:00
9813c815ef
Minor changes
2013-02-19 11:40:06 -06:00
553d7abe43
Merge branch 'bigant_server_sch_dupf_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-bigant_server_sch_dupf_bof
2013-02-19 11:26:47 -06:00
416a7aeaa3
make msftidy happy for s4u_persistence
2013-02-18 15:23:06 +01:00
be0feecf8f
Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence
2013-02-18 15:22:37 +01:00
25f8a7dcb9
Fix expire tag logic and slight clean up
...
Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting.
2013-02-17 22:35:52 -05:00
322fa53d49
fix typo
2013-02-17 20:29:41 +01:00
31a3a374c3
Added module for CVE-2012-6274
2013-02-17 20:25:39 +01:00
1a2a0bc38e
Added module for CVE-2012-6275
2013-02-17 20:21:45 +01:00
a8d574e4ce
Updated one print_status
2013-02-17 14:08:33 -05:00
ade2c9ef56
msftidy - fix line endings.
2013-02-14 11:42:02 -06:00
4c90cacffe
Send iframe when URIPATH isnt '/'
2013-02-14 11:23:08 -06:00
947aa24d44
MS13-009 / CVE-2013-0025 ie_slayout_uaf.rb by Scott Bell
2013-02-14 11:18:19 -06:00
7b2c1afadb
I'm an idiot, fix logon xpath
2013-02-14 09:16:47 -05:00
e78cbdd14d
missed one line
2013-02-13 18:17:38 -05:00
bbf8fe0213
Use Post::File methods and fail_with
2013-02-13 18:10:05 -05:00
4074a12fd7
Randomize some gadgets
2013-02-13 14:12:52 -06:00
f58cc6a2e0
more fix version info
2013-02-12 18:51:04 +01:00
96b1cb3cfb
fix version info
2013-02-12 18:50:36 +01:00
69267b82b0
Make stable #1318 foxit reader exploit
2013-02-12 18:44:19 +01:00
8ddc19e842
Unmerge #1476 and #1444
...
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.
First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.
FixRM #7752
2013-02-11 20:49:55 -06:00
9040fcd5ae
Merge branch 'darkoperator-post2localexploit' of https://github.com/darkoperator/metasploit-framework into darkoperator-darkoperator-post2localexploit
2013-02-12 01:52:05 +01:00
42a6d96ff4
using Post::File methods plus little more cleanup
2013-02-12 01:33:07 +01:00
97edbb7868
using always a vbs file to drop exe
2013-02-12 00:58:26 +01:00
5edb138a8f
fixed nil issue
2013-02-11 11:51:33 -04:00
3a499b1a6d
added s4u_persistence.rb
2013-02-10 14:22:36 -05:00
17b349ab50
added crash to comments
2013-02-09 17:49:57 +01:00
5b576c1ed0
fix ident and make happy msftidy
2013-02-09 17:40:45 +01:00
fea84cad10
Fix additional typos per recomendation
2013-02-08 14:47:16 -04:00
5b3b0a8b6d
Merge branch 'dmaloney-r7-http/auth_methods' into rapid7
2013-02-08 12:45:35 -06:00
b8f0a94c3f
Fixed typos mentioned by Egypt
2013-02-08 14:42:10 -04:00
0ad548a777
I expect people to know what a share is.
2013-02-07 19:16:44 -06:00
9415e55211
Merge branch 'feature/rm5455-patch-smb_relay' of github.com:lmercer-r7/metasploit-framework into lmercer-r7-feature/rm5455-patch-smb_relay
2013-02-07 19:12:58 -06:00
c131b7ef0e
Added exception handing and return checking as requested by Sinn3r
2013-02-07 21:06:05 -04:00
19e989dff9
Initial commit fo the migrated module
2013-02-07 19:11:44 -04:00
1095fe198b
Merge branch 'rapid7' into dmaloney-r7-http/auth_methods
2013-02-06 16:57:50 -06:00
0186e290d3
Merge branch 'ovftool_format_string_fileformat' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_fileformat
2013-02-05 15:13:51 -06:00
b706af54a0
Merge branch 'ovftool_format_string_browser' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_browser
2013-02-05 15:12:24 -06:00
92ef462c34
This commit completes powershell based psexec
...
The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
2013-02-04 20:39:05 -05:00
44d4e298dc
Attempting to cleanup winrm auth
2013-02-04 15:48:31 -06:00
4c1e630bf3
BasicAuth datastore cleanup
...
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
2c3de43f4b
datastore opts cleanup
...
cleanuo digestauth datastore options in modules
2013-02-04 12:10:44 -06:00
9ce5f39bc6
added migrate as initial script
2013-02-04 16:42:56 +01:00
e0d4bb5799
Added module for cve-2012-3569, browser version
2013-02-04 16:37:42 +01:00
135718a97b
Added module for cve-2012-3569, fileformat version
2013-02-04 16:36:33 +01:00
e8def29b4f
Dropping all twitter handles
...
Also adds "pbot" as an accepted lowercase word. This will come up pretty
routinley for functions and stuff.
2013-02-01 16:33:52 -06:00
1a01d6d033
Fix scrutinizer checks
2013-01-31 14:48:54 -06:00
5332e80ae9
Fix errant use of .to_s instead of .path
2013-01-31 14:18:42 -06:00
4de5e475c3
Fix check
2013-01-31 02:15:50 -06:00
c174e6a208
Correctly use normalize_uri()
...
normalize_uri() should be used when you're joining URIs. Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
6ba85d4c06
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 12:38:53 -05:00
aaf18f0257
EOL whitespace, yo.
2013-01-29 14:22:30 -06:00
deb9385181
Patch for smb_relay.rb to allow the share written to, to be defined in an option
...
As described in Redmine Feature #5455
2013-01-29 15:19:35 -05:00
690ef85ac1
Fix trailing slash problem
...
These modules require the target URI to be a directory path. So
if you remove the trailing slash, the web server might return a
301 or 404 instead of 200.
Related to: [SeeRM: #7727 ]
2013-01-28 13:19:31 -06:00
61cd3b55fc
hide window
2013-01-24 14:43:07 -05:00
3faf4b3aca
adding sinn3r as author
2013-01-24 18:13:30 +01:00
2cedcad810
Check PID
2013-01-24 10:46:23 -06:00
ad108900d5
Why yes I know it's a module
2013-01-23 16:23:41 -06:00
22f7619892
Improve Carlos' payload injection module - See #1201
...
Lots of changes, mainly:
* Description update
* Avoid accessing protected methods
* More careful exception & return value handling
2013-01-23 16:15:14 -06:00
e93b7ffcaf
Add Carlos Perez's payload injection module
...
See #1201
2013-01-23 14:07:48 -06:00
e6ebf772de
allow psh to run in background via cmd start
2013-01-21 08:12:56 -05:00
43a5322bd4
psexec_psh cleanup
2013-01-20 22:15:55 -05:00
cae0362aa3
Add disk-less AV bypass PSExec module using PSH
...
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.
In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.
This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.
Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-20 21:46:26 -05:00
51ba500b9f
msftidy compliant
2013-01-16 12:28:09 +01:00
0f24671cf7
Changes how the usernames are loaded.
...
Allows usernames to be loaded as a file (wordlist), that way the
it's much easier to manage. It defaults to unix_users.txt,
because these usernames are common in any SSH hosts out there.
If the user only wants to try a specific user (which is better,
because you reduce traffic noise that way), then he/she can set
the USERNAME option, and that should be the only one tried --
similar to how AuthBrute behaves.
I also fixed the regex in check().
2013-01-16 02:14:52 -06:00
04b35a38ff
Update MSB ref
2013-01-14 14:59:32 -06:00
c6c59ace46
final cleanup
2013-01-14 20:53:19 +01:00
5ecb0701ea
Merge branch 'freesshd_authbypass' of https://github.com/danielemartini/metasploit-framework into danielemartini-freesshd_authbypass
2013-01-14 20:52:45 +01:00
04fe1dae11
Added module for Freesshd Authentication Bypass (CVE-2012-6066)
...
This module works against FreeSSHD <= 1.2.6. Tested against
password and public key authentication methods. It will generate
a random key and password.
To use it you need to know a valid username. The module contains
a basic bruteforce methods, so you can specify more than one to try.
2013-01-13 17:08:04 +01:00
5901058a61
Merge branch 'ms11_081' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_081
2013-01-09 23:24:14 +01:00
fe8b9c24cf
Merge branch 'jvazquez-r7-honeywell_tema_exec'
2013-01-09 16:08:19 -06:00
sinn3r
jvazquez-r7
William Vu
Ruslaideemin
Tod Beardsley
cbgabriel
steponequit
Steve Tornio
James Lee
Spencer McIntyre
darknight007
Rob Fuller
Andras Kabai
Tod Beardsley
HD Moore
m-1-k-3
nmonkee
sinn3r
Nathan Einwechter
dougsko
Patrick Webster
Enrique A. Sanchez Montellano
David Maloney
Thomas McCarthy
Jeff Jarmoc
smilingraccoon
Carlos Perez
RageLtMan
lmercer
Daniele Martini