Commit Graph

3342 Commits (5bd414d4b4a28d4a5b6768a852adef5c4a514123)

Author SHA1 Message Date
jvazquez-r7 bdd2287daf Land #1809, @wchen-r7's modification for ie_cgenericelement_uaf 2013-05-08 16:21:11 -05:00
sinn3r 9a1400a75b Forgot to remove this print_warning 2013-05-08 15:44:04 -05:00
sinn3r 075f6e8d45 Updates ROP chain and mstime_malloc usage 2013-05-08 15:42:45 -05:00
sinn3r c7609ac7d1 Initial update 2013-05-08 14:24:52 -05:00
jvazquez-r7 1aa80cd35e Add module for CVE-2013-0726 2013-05-08 13:48:48 -05:00
Rob Fuller 71c68d09c1 Allow user ability to set filename for psexec service binary
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
jvazquez-r7 bcdad23559 up to date 2013-05-06 23:09:32 -05:00
jvazquez-r7 0fa65a6802 Merge branch 'sap_soap_rfc_sxpg_command_exec' of https://github.com/nmonkee/metasploit-framework 2013-05-06 18:50:31 -05:00
jvazquez-r7 425a16c511 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-05 22:00:07 -05:00
Tod Beardsley 8239998ada Typo on URL for #1797. Thx @Meatballs1 2013-05-05 12:26:06 -05:00
Tod Beardsley c9ea7e250e Fix disclosure date, ref for #1897 2013-05-05 12:13:02 -05:00
sinn3r a33510e821 Add MS IE8 DoL 0day exploit (CVE-2013-1347)
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
jvazquez-r7 2384f34ada Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-03 15:39:16 -05:00
jvazquez-r7 13202a3273 Add OSVDB reference 2013-05-03 09:46:29 -05:00
jvazquez-r7 a95de101e7 Delete extra line 2013-05-02 22:04:27 -05:00
jvazquez-r7 6210b42912 Port EDB 25141 to msf 2013-05-02 22:00:43 -05:00
jvazquez-r7 796f7a39ac Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-02 20:04:48 -05:00
jvazquez-r7 a2e1fbe7a9 Make msftidy happy 2013-05-02 19:46:26 -05:00
sinn3r eb23b5feeb Forgot to remove function ie8_smil. Don't need this anymore. 2013-05-02 14:04:15 -05:00
sinn3r 329e8228d1 Uses js_mstime_malloc to do the no-spray technique 2013-05-02 14:00:15 -05:00
jvazquez-r7 a4632b773a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-28 12:59:16 -05:00
jvazquez-r7 99b46202b9 Do final cleanup for sap_configservlet_exec_noauth 2013-04-26 08:45:34 -05:00
jvazquez-r7 308b880d79 Land #1759, @andrewkabai's exploit for SAP Portal Command Execution 2013-04-26 08:44:11 -05:00
Andras Kabai 5839e7bb16 simplify code 2013-04-26 12:14:42 +02:00
Andras Kabai 4aadd9363d improve description 2013-04-26 12:13:45 +02:00
sinn3r f3f60f3e02 Fixes P/P/R for target 0 (BadBlue 2.72b)
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken.  Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.

[FixRM #7875]
2013-04-25 20:20:24 -05:00
Andras Kabai 9dd9b2d1ba implement cleanup functionality
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
Andras Kabai a28ef1847b update references 2013-04-25 18:26:13 +02:00
Andras Kabai 676f2f5f4a implement "check" functionality 2013-04-25 07:47:30 +02:00
Andras Kabai 3b46d5d4cd fix typos 2013-04-25 07:22:16 +02:00
Andras Kabai 2759ef073e correction on error handling 2013-04-25 07:19:27 +02:00
Andras Kabai 6b14ac5e71 add rank to module 2013-04-25 07:07:35 +02:00
Andras Kabai f22d19a10c remove unused code block
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
jvazquez-r7 38e41f20fe Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-24 13:24:13 -05:00
Andras Kabai 0339be229a implement dynamic timeout handling 2013-04-24 18:22:37 +02:00
Andras Kabai 6f8fc81497 improve error handling 2013-04-24 17:59:11 +02:00
Andras Kabai 57113bee80 fine correction
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
Andras Kabai 6485124cdf fix module name 2013-04-24 10:54:52 +02:00
Andras Kabai 358b8934bf clarify description 2013-04-24 10:31:40 +02:00
Andras Kabai 00e6eeca54 implement command line magick to prevent bad char usage
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
Andras Kabai 783cca6c17 allow only ARCH_X86 payloads 2013-04-24 09:29:47 +02:00
sinn3r cae30bec23 Clean up all the whitespace found 2013-04-23 18:27:11 -05:00
Andras Kabai 750638e4d6 note on bad characters 2013-04-22 17:24:08 +02:00
Andras Kabai a1e52b5b27 command execution needs cmd /c 2013-04-22 10:20:45 +02:00
Andras Kabai d26289e05a proper output handling in case of CMD payloads 2013-04-20 17:38:58 +02:00
Andras Kabai d59ba37e6d resize linemax 2013-04-20 17:37:50 +02:00
Andras Kabai e36b58169b implement CmbStagerVBS payload execution 2013-04-20 16:37:47 +02:00
Andras Kabai 8244c4dcac multiple payload types, different paths to execute payloads 2013-04-20 14:20:30 +02:00
Andras Kabai 7b6a784a84 basic payload execution through OS command execution 2013-04-20 13:02:22 +02:00
Andras Kabai 223556a4e6 switch to exploit module environment
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
Andras Kabai cff47771a2 initial commit
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
jvazquez-r7 088eb8618d Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-16 21:11:55 -05:00
jvazquez-r7 4e8d32a89a cleanup for freefloatftp_user 2013-04-16 20:43:38 -05:00
jvazquez-r7 eedeb37047 Landing #1731, @dougsko's freefloat ftp server bof exploit 2013-04-16 20:42:01 -05:00
jvazquez-r7 cc35591723 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-15 17:43:15 -05:00
Tod Beardsley a36c6d2434 Lands #1730, adds a VERBOSE option checker
Also removes VERBOSE options from extant modules. There were only 5 of
them, and one was a commented option.
2013-04-15 15:32:56 -05:00
Tod Beardsley 29101bad41 Removing VERBOSE offenders 2013-04-15 15:29:56 -05:00
jvazquez-r7 79620ed660 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-09 17:12:16 +02:00
HD Moore e2b8d5ed23 Fix from David Kennedy, enable Windows 8 support 2013-04-09 02:07:40 -05:00
jvazquez-r7 070fd399f2 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-31 20:23:08 +02:00
m-1-k-3 1d6184cd63 fixed author details 2013-03-30 12:41:31 +01:00
jvazquez-r7 6cd6a7d6b9 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-28 12:16:18 +01:00
jvazquez-r7 0109d81c95 fix typo 2013-03-27 17:39:18 +01:00
nmonkee 507692c660 SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXECUTE Function Command Execution 2013-03-27 15:20:18 +00:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
jvazquez-r7 393d5d8bf5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-25 19:09:42 +01:00
sinn3r 56c07211a0 Merge branch 'actfax_raw_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_raw_bof 2013-03-25 11:56:15 -05:00
sinn3r 47e3d7de59 Merge branch 'bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue' of github.com:neinwechter/metasploit-framework into neinwechter-bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue 2013-03-25 11:46:37 -05:00
jvazquez-r7 d54687cb37 fix typo 2013-03-25 00:58:47 +01:00
jvazquez-r7 26b43d9ed2 Added module for ZDI-13-050 2013-03-25 00:54:30 +01:00
jvazquez-r7 cb56b2de4b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-23 20:06:05 +01:00
Nathan Einwechter 89c0e8c27e Fix add_resource call in adobe_flas_mp5_cprt 2013-03-22 19:27:02 -04:00
jvazquez-r7 6eaf995642 cleaning exploiting string 2013-03-22 21:48:02 +01:00
jvazquez-r7 fd63283524 make msftidy happy 2013-03-22 21:46:12 +01:00
sinn3r 051e31c19f Merge branch 'kingview_kingmess_kvl' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-kingview_kingmess_kvl 2013-03-22 13:00:38 -05:00
jvazquez-r7 7391bc0201 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-20 00:46:10 +01:00
jvazquez-r7 26dec4eb8f last cleanup for sami_ftpd_list 2013-03-19 21:32:05 +01:00
jvazquez-r7 42efe5955b Merge branch 'osvdb-90815' of https://github.com/dougsko/metasploit-framework into dougsko-osvdb-90815 2013-03-19 21:31:46 +01:00
jvazquez-r7 80d218b284 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-19 19:55:51 +01:00
jvazquez-r7 b19c51aa81 cleanup for sami_ftpd_list 2013-03-19 19:04:14 +01:00
dougsko e2a9245b08 Changed target to Windows XP 2013-03-19 13:20:23 -03:00
sinn3r 0c0d15024a No tabs for these 2013-03-19 08:39:47 -05:00
dougsko fb90a1b497 Uses IP address length in offset calculation 2013-03-18 16:18:04 -03:00
jvazquez-r7 4aab1cc5df delete debug code 2013-03-18 16:28:39 +01:00
jvazquez-r7 dffec1cd41 added module for cve-2012-4914 2013-03-17 21:12:40 +01:00
Doug P 3d92d6e977 removed the handler call 2013-03-15 16:48:53 -04:00
Doug P a96283029e made payload size a little smaller 2013-03-15 16:08:43 -04:00
Doug P 8b5c782b54 changed Platform from Windows to win 2013-03-15 15:13:52 -04:00
Doug P 8f4b3d073a Explicitly set EXITFUNC to thread 2013-03-15 14:52:39 -04:00
Doug P e9af05a178 made recommended changes 2013-03-15 11:35:12 -04:00
jvazquez-r7 dc94816650 Merge branch 'master' of https://github.com/dougsko/metasploit-framework 2013-03-14 22:53:03 +01:00
Doug P 4bb64a0f41 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-14 16:10:10 -04:00
Doug P bbbf395659 got everything working and cleaned up 2013-03-14 16:02:41 -04:00
jvazquez-r7 e21288481d Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-14 16:36:04 +01:00
Doug P 1f7b2a8e9f minor edits 2013-03-13 17:48:37 -04:00
Doug P fa5c988110 got sami_ftpd_list.rb working 2013-03-13 17:27:02 -04:00
jvazquez-r7 456e4449e5 definitely the free trial of 6.53 is also vulnerable 2013-03-13 20:29:07 +01:00
jvazquez-r7 5345af87f2 better description according to advisory 2013-03-13 20:25:13 +01:00
jvazquez-r7 5339c6f76e better target description according to advisory 2013-03-13 20:23:22 +01:00
jvazquez-r7 50083996ff better target description 2013-03-13 20:13:09 +01:00
jvazquez-r7 a2755820cb Added module for CVE-2012-4711 2013-03-13 20:07:58 +01:00
Spencer McIntyre 458ffc1f19 Add a target for Firebird 2.1.4.18393 2013-03-13 13:44:28 -04:00
Patrick Webster 5312c58c72 Added BID for ms09_002_memory_corruption. 2013-03-12 16:57:47 +01:00
Patrick Webster 56bb907f9f Fixed exceptions in ms05_054_onload exploit module. 2013-03-12 16:57:47 +01:00
jvazquez-r7 8f9c4f62c8 up to date 2013-03-12 16:50:45 +01:00
jvazquez-r7 74b58185cd up to date 2013-03-12 16:48:11 +01:00
Tod Beardsley 2f95d083e8 Updating URL for Honewell EBI exploit 2013-03-11 13:35:58 -05:00
Tod Beardsley 23972fbebc Merge branch 'release' 2013-03-11 13:08:30 -05:00
Tod Beardsley d81d9261e7 Adding Honeywell exploit. 2013-03-11 13:03:59 -05:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
jvazquez-r7 64398d2b60 deleting some commas 2013-03-07 21:34:51 +01:00
jvazquez-r7 ab44e3e643 cleanup for fb_cnct_group 2013-03-07 21:34:07 +01:00
Spencer McIntyre 398d13e053 Initial commit of the Firebird CNCT Group Number Buffer Overflow. 2013-03-07 09:51:05 -05:00
sinn3r b65f410048 Updates the description 2013-03-06 16:37:41 -06:00
sinn3r fee07678dd Rename module to better describe the bug. 2013-03-06 16:33:41 -06:00
sinn3r 79d3597d31 That's not a real check... 2013-03-06 16:32:53 -06:00
sinn3r 16d7b625bc Format cleanup 2013-03-06 16:31:39 -06:00
sinn3r 7219c7b4aa Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb 2013-03-06 16:15:24 -06:00
Enrique A. Sanchez Montellano aa5c9461ae Fixed more styling issues, EOL, tabs and headers 2013-03-06 10:50:31 -08:00
Enrique A. Sanchez Montellano 437d6d6ba6 Fixed EOL, bad indent, added header, removed #!/usr/env/ruby 2013-03-06 10:44:29 -08:00
sinn3r af9982e289 Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb 2013-03-06 12:11:58 -06:00
Enrique A. Sanchez Montellano aa3a54fba0 Added CoDeSyS Gateway.exe Server remote execution via arbitrary file creation 2013-03-06 09:29:28 -08:00
David Maloney c290bc565e Merge branch 'master' into feature/http/authv2 2013-02-28 14:33:44 -06:00
sinn3r 2b65cfa5ab Minor changes 2013-02-22 21:02:19 -06:00
sinn3r 1623877151 Merge branch 'MS13-009' of github.com:jjarmoc/metasploit-framework into jjarmoc-MS13-009 2013-02-22 20:58:42 -06:00
jvazquez-r7 5b16e26f82 change module filename 2013-02-21 20:05:13 +01:00
jvazquez-r7 b4f4cdabbc cleanup for the module 2013-02-21 20:04:05 +01:00
David Maloney 0ae489b37b last of revert-merge snaffu 2013-02-19 23:16:46 -06:00
sinn3r 5108e8ef1c Correct tab 2013-02-19 11:44:41 -06:00
sinn3r b2664e04fb Merge branch 'bigant_server_dupf_upload' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-bigant_server_dupf_upload 2013-02-19 11:42:04 -06:00
sinn3r 9813c815ef Minor changes 2013-02-19 11:40:06 -06:00
sinn3r 553d7abe43 Merge branch 'bigant_server_sch_dupf_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-bigant_server_sch_dupf_bof 2013-02-19 11:26:47 -06:00
jvazquez-r7 416a7aeaa3 make msftidy happy for s4u_persistence 2013-02-18 15:23:06 +01:00
jvazquez-r7 be0feecf8f Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence 2013-02-18 15:22:37 +01:00
Thomas McCarthy 25f8a7dcb9 Fix expire tag logic and slight clean up
Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting.
2013-02-17 22:35:52 -05:00
jvazquez-r7 322fa53d49 fix typo 2013-02-17 20:29:41 +01:00
jvazquez-r7 31a3a374c3 Added module for CVE-2012-6274 2013-02-17 20:25:39 +01:00
jvazquez-r7 1a2a0bc38e Added module for CVE-2012-6275 2013-02-17 20:21:45 +01:00
Thomas McCarthy a8d574e4ce Updated one print_status 2013-02-17 14:08:33 -05:00
Jeff Jarmoc ade2c9ef56 msftidy - fix line endings. 2013-02-14 11:42:02 -06:00
Jeff Jarmoc 4c90cacffe Send iframe when URIPATH isnt '/' 2013-02-14 11:23:08 -06:00
Jeff Jarmoc 947aa24d44 MS13-009 / CVE-2013-0025 ie_slayout_uaf.rb by Scott Bell 2013-02-14 11:18:19 -06:00
Thomas McCarthy 7b2c1afadb I'm an idiot, fix logon xpath 2013-02-14 09:16:47 -05:00
smilingraccoon e78cbdd14d missed one line 2013-02-13 18:17:38 -05:00
smilingraccoon bbf8fe0213 Use Post::File methods and fail_with 2013-02-13 18:10:05 -05:00
sinn3r 4074a12fd7 Randomize some gadgets 2013-02-13 14:12:52 -06:00
jvazquez-r7 f58cc6a2e0 more fix version info 2013-02-12 18:51:04 +01:00
jvazquez-r7 96b1cb3cfb fix version info 2013-02-12 18:50:36 +01:00
jvazquez-r7 69267b82b0 Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00
Tod Beardsley 8ddc19e842 Unmerge #1476 and #1444
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.

First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.

FixRM #7752
2013-02-11 20:49:55 -06:00
jvazquez-r7 9040fcd5ae Merge branch 'darkoperator-post2localexploit' of https://github.com/darkoperator/metasploit-framework into darkoperator-darkoperator-post2localexploit 2013-02-12 01:52:05 +01:00
jvazquez-r7 42a6d96ff4 using Post::File methods plus little more cleanup 2013-02-12 01:33:07 +01:00
jvazquez-r7 97edbb7868 using always a vbs file to drop exe 2013-02-12 00:58:26 +01:00
Carlos Perez 5edb138a8f fixed nil issue 2013-02-11 11:51:33 -04:00
smilingraccoon 3a499b1a6d added s4u_persistence.rb 2013-02-10 14:22:36 -05:00
jvazquez-r7 17b349ab50 added crash to comments 2013-02-09 17:49:57 +01:00
jvazquez-r7 5b576c1ed0 fix ident and make happy msftidy 2013-02-09 17:40:45 +01:00
Carlos Perez fea84cad10 Fix additional typos per recomendation 2013-02-08 14:47:16 -04:00
James Lee 5b3b0a8b6d Merge branch 'dmaloney-r7-http/auth_methods' into rapid7 2013-02-08 12:45:35 -06:00
Carlos Perez b8f0a94c3f Fixed typos mentioned by Egypt 2013-02-08 14:42:10 -04:00
sinn3r 0ad548a777 I expect people to know what a share is. 2013-02-07 19:16:44 -06:00
sinn3r 9415e55211 Merge branch 'feature/rm5455-patch-smb_relay' of github.com:lmercer-r7/metasploit-framework into lmercer-r7-feature/rm5455-patch-smb_relay 2013-02-07 19:12:58 -06:00
Carlos Perez c131b7ef0e Added exception handing and return checking as requested by Sinn3r 2013-02-07 21:06:05 -04:00
Carlos Perez 19e989dff9 Initial commit fo the migrated module 2013-02-07 19:11:44 -04:00
James Lee 1095fe198b Merge branch 'rapid7' into dmaloney-r7-http/auth_methods 2013-02-06 16:57:50 -06:00
sinn3r 0186e290d3 Merge branch 'ovftool_format_string_fileformat' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_fileformat 2013-02-05 15:13:51 -06:00
sinn3r b706af54a0 Merge branch 'ovftool_format_string_browser' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_browser 2013-02-05 15:12:24 -06:00
RageLtMan 92ef462c34 This commit completes powershell based psexec
The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
2013-02-04 20:39:05 -05:00
David Maloney 44d4e298dc Attempting to cleanup winrm auth 2013-02-04 15:48:31 -06:00
David Maloney 4c1e630bf3 BasicAuth datastore cleanup
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
David Maloney 2c3de43f4b datastore opts cleanup
cleanuo digestauth datastore options in modules
2013-02-04 12:10:44 -06:00
jvazquez-r7 9ce5f39bc6 added migrate as initial script 2013-02-04 16:42:56 +01:00
jvazquez-r7 e0d4bb5799 Added module for cve-2012-3569, browser version 2013-02-04 16:37:42 +01:00
jvazquez-r7 135718a97b Added module for cve-2012-3569, fileformat version 2013-02-04 16:36:33 +01:00
Tod Beardsley e8def29b4f Dropping all twitter handles
Also adds "pbot" as an accepted lowercase word. This will come up pretty
routinley for functions and stuff.
2013-02-01 16:33:52 -06:00
sinn3r 1a01d6d033 Fix scrutinizer checks 2013-01-31 14:48:54 -06:00
egypt 5332e80ae9 Fix errant use of .to_s instead of .path 2013-01-31 14:18:42 -06:00
sinn3r 4de5e475c3 Fix check 2013-01-31 02:15:50 -06:00
sinn3r c174e6a208 Correctly use normalize_uri()
normalize_uri() should be used when you're joining URIs.  Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
RageLtMan 6ba85d4c06 add libs from #1379 and allow psh 1.0 exec against older hosts 2013-01-30 12:38:53 -05:00
Tod Beardsley aaf18f0257 EOL whitespace, yo. 2013-01-29 14:22:30 -06:00
lmercer deb9385181 Patch for smb_relay.rb to allow the share written to, to be defined in an option
As described in Redmine Feature #5455
2013-01-29 15:19:35 -05:00
sinn3r 690ef85ac1 Fix trailing slash problem
These modules require the target URI to be a directory path. So
if you remove the trailing slash, the web server might return a
301 or 404 instead of 200.

Related to: [SeeRM: #7727]
2013-01-28 13:19:31 -06:00
RageLtMan 61cd3b55fc hide window 2013-01-24 14:43:07 -05:00
jvazquez-r7 3faf4b3aca adding sinn3r as author 2013-01-24 18:13:30 +01:00
sinn3r 2cedcad810 Check PID 2013-01-24 10:46:23 -06:00
sinn3r ad108900d5 Why yes I know it's a module 2013-01-23 16:23:41 -06:00
sinn3r 22f7619892 Improve Carlos' payload injection module - See #1201
Lots of changes, mainly:
* Description update
* Avoid accessing protected methods
* More careful exception & return value handling
2013-01-23 16:15:14 -06:00
sinn3r e93b7ffcaf Add Carlos Perez's payload injection module
See #1201
2013-01-23 14:07:48 -06:00
RageLtMan e6ebf772de allow psh to run in background via cmd start 2013-01-21 08:12:56 -05:00
RageLtMan 43a5322bd4 psexec_psh cleanup 2013-01-20 22:15:55 -05:00
RageLtMan cae0362aa3 Add disk-less AV bypass PSExec module using PSH
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.

In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.

This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.

Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-20 21:46:26 -05:00
jvazquez-r7 51ba500b9f msftidy compliant 2013-01-16 12:28:09 +01:00
sinn3r 0f24671cf7 Changes how the usernames are loaded.
Allows usernames to be loaded as a file (wordlist), that way the
it's much easier to manage.  It defaults to unix_users.txt,
because these usernames are common in any SSH hosts out there.
If the user only wants to try a specific user (which is better,
because you reduce traffic noise that way), then he/she can set
the USERNAME option, and that should be the only one tried --
similar to how AuthBrute behaves.

I also fixed the regex in check().
2013-01-16 02:14:52 -06:00
sinn3r 04b35a38ff Update MSB ref 2013-01-14 14:59:32 -06:00
jvazquez-r7 c6c59ace46 final cleanup 2013-01-14 20:53:19 +01:00
jvazquez-r7 5ecb0701ea Merge branch 'freesshd_authbypass' of https://github.com/danielemartini/metasploit-framework into danielemartini-freesshd_authbypass 2013-01-14 20:52:45 +01:00
Daniele Martini 04fe1dae11 Added module for Freesshd Authentication Bypass (CVE-2012-6066)
This module works against FreeSSHD <= 1.2.6. Tested against
password and public key authentication methods. It will generate
a random key and password.

To use it you need to know a valid username. The module contains
a basic bruteforce methods, so you can specify more than one to try.
2013-01-13 17:08:04 +01:00
jvazquez-r7 5901058a61 Merge branch 'ms11_081' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_081 2013-01-09 23:24:14 +01:00
sinn3r fe8b9c24cf Merge branch 'jvazquez-r7-honeywell_tema_exec' 2013-01-09 16:08:19 -06:00
sinn3r f3b88d34c1 Add MS11-081 2013-01-09 15:52:33 -06:00
jvazquez-r7 736f8db6c0 Deleting from browser autopwn 2013-01-09 09:58:20 +01:00
jvazquez-r7 377905be7f Avoid FileDropper in this case 2013-01-09 09:15:38 +01:00
jvazquez-r7 52982c0785 Added BrowserAutopwn info 2013-01-08 19:53:34 +01:00
jvazquez-r7 0e475dfce1 improvements and testing 2013-01-08 19:43:58 +01:00
jvazquez-r7 b2575f0526 Added module for OSVDB 76681 2013-01-08 17:46:31 +01:00
sinn3r 5bc1066c69 Change how modules use the mysql login functions 2013-01-07 16:12:10 -06:00
sinn3r a59c474e3e Merge branch 'jvazquez-r7-ibm_cognos_tm1admsd_bof' 2013-01-07 13:34:52 -06:00
Tod Beardsley 33751c7ce4 Merges and resolves CJR's normalize_uri fixes
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules

Note that this trips all kinds of msftidy warnings, but that's for another
day.

Conflicts:
	modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
	modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
jvazquez-r7 883b3446f3 license text 2013-01-05 08:03:25 +01:00
jvazquez-r7 0a13f01f23 Added module for ZDI-12-101 2013-01-05 07:40:32 +01:00
Christian Mehlmauer 6654faf55e Msftidy fixes 2013-01-04 09:29:34 +01:00
sinn3r 6d4abe947d Merge branch 'id_revision' of github.com:FireFart/metasploit-framework into FireFart-id_revision 2013-01-04 00:23:03 -06:00
sinn3r 38de5d63d8 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-01-03 17:49:24 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
sinn3r b061a0f9c1 Merge branch 'enterasys_netsight_syslog_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-enterasys_netsight_syslog_bof 2013-01-03 17:45:24 -06:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
jvazquez-r7 a0b4045b4b trying to fix the variable offset length 2013-01-04 00:25:34 +01:00
sinn3r 724fa62019 Merge branch 'enterasys_netsight_syslog_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-enterasys_netsight_syslog_bof 2013-01-03 15:35:29 -06:00
sinn3r 6fd35482cc This exploit should be in browser auto pwn 2013-01-03 14:45:00 -06:00
jvazquez-r7 9cea2d9af9 reference updated 2013-01-03 19:39:18 +01:00
jvazquez-r7 45808a3a44 Added module for ZDI-11-350 2013-01-03 19:17:45 +01:00
sinn3r 06b937ec11 Implements WTFUzz's no-spray technique
Do not try to bend the spoon, that is impossible. Instead, only
try to realize the truth: there is no spoon.
2013-01-03 11:57:47 -06:00
sinn3r 38157b86a9 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-31 11:15:44 -06:00
sinn3r f7543e18fe Your def of commit apparently is a little different than mine, git. 2012-12-31 00:35:13 -06:00
sinn3r 2b3f7c4430 Module rename
Sorry, Tod, this must be done.
2012-12-31 00:29:19 -06:00
sinn3r 5703274bc4 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-30 20:34:57 -06:00
sinn3r 1084334d5e Randomness 2012-12-30 20:34:14 -06:00
sinn3r 7cb42a5eb4 Add BID ref 2012-12-30 18:14:22 -06:00
sinn3r cc52e2c533 Where's Juan's name? 2012-12-30 12:58:16 -06:00
jvazquez-r7 14f21c0a29 using the rop as expected 2012-12-30 16:13:48 +01:00
jvazquez-r7 eed5a74f32 description updated and reference added 2012-12-30 16:08:01 +01:00
Christian Mehlmauer f7d6594314 re-deleted comma 2012-12-30 13:39:14 +01:00
jvazquez-r7 6be8ed6168 readd fix for #1219 2012-12-30 13:25:42 +01:00
jvazquez-r7 cd58cc73d9 fixed rop chain for w2003 2012-12-30 13:12:55 +01:00
Christian Mehlmauer cab84b5c27 Fix for issue #1219 2012-12-30 13:02:13 +01:00
Christian Mehlmauer dcf018c339 Comma 2012-12-30 12:54:44 +01:00
Christian Mehlmauer 14d197eeb2 Added Windows Server 2003 2012-12-30 11:35:29 +01:00
jvazquez-r7 6cb9106218 Added module for CVE-2012-4792 2012-12-30 01:46:56 +01:00
sinn3r eb2037bdba Merge branch 'inotes_dwa85w_bof' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-inotes_dwa85w_bof 2012-12-28 12:16:06 -06:00
jvazquez-r7 9ffb0dcf79 switch to some random data 2012-12-28 12:48:36 +01:00
jvazquez-r7 8f62cd5561 swith to some random data 2012-12-28 12:47:20 +01:00
jvazquez-r7 af61438b0b added module for zdi-12-132 2012-12-28 11:45:32 +01:00
jvazquez-r7 8ea5c993a2 added module for zdi-12-134 2012-12-28 11:44:30 +01:00
sinn3r 771460fa4c Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-26 11:35:52 -06:00
sinn3r d2dc7ebc2d Merge branch 'feature/windows-postgres-payload-dll' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/windows-postgres-payload-dll 2012-12-26 11:18:21 -06:00
sinn3r 8223df375d Avoid making the title sound too generic. 2012-12-26 11:15:37 -06:00
sinn3r 0b2ea3e55e Fix weird tabs vs spaces prob 2012-12-26 11:14:48 -06:00
jvazquez-r7 e895ccb6b1 added random string functions 2012-12-25 18:13:02 +01:00
jvazquez-r7 fec989026f Added module for CVE-2012-5691 2012-12-25 18:05:10 +01:00
sinn3r 6a3bf6a2a6 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-24 17:57:02 -06:00
sinn3r 38f0886058 James has more modules that need to be updated.
e-mail update.
2012-12-24 17:51:58 -06:00
sinn3r 076c8aa995 Merge branch 'nullbind-mssql_linkcrawler' 2012-12-24 11:14:28 -06:00
sinn3r 677b9718da Finalizing module 2012-12-24 11:13:51 -06:00
jvazquez-r7 4c897c5181 added module for ZDI-12-154 2012-12-24 16:23:19 +01:00
James Lee 20cc2fa38d Make Windows postgres_payload more generic
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
  the ability to use generate_payload_dll() which generates a generic dll
  that spawns rundll32 and runs the shellcode in that process. This is
  basically what the linux version accomplishes by compiling the .so on
  the fly. On major advantage of this is that the resulting DLL will
  work on pretty much any version of postgres

* Adds Exploit::FileDropper to windows version as well. This gives us
  the ability to delete the dll via the resulting session, which works
  because the template dll contains code to shove the shellcode into a
  new rundll32 process and exit, thus leaving the file closed after
  Postgres calls FreeLibrary.

* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
  Windows

* Adds a check method to both Windows and Linux versions that simply
  makes sure that the given credentials work against the target service.

* Replaces the version-specific lo_create method with a generic
  technique that works on both 9.x and 8.x

* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
  gets downcased and subsequently causes postgres to error out before
  opening the DLL

* Cleans up lots of rdoc in Exploit::Postgres
2012-12-22 00:30:09 -06:00
sinn3r 9b768a2c62 Merge branch 'cleanup/post-windows-services' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-cleanup/post-windows-services 2012-12-21 23:42:17 -06:00
jvazquez-r7 02782258eb fix eol for ms12_004_midi 2012-12-21 21:01:39 +01:00
sinn3r 3c398d0e62 Final cleanup 2012-12-21 10:46:36 -06:00
sinn3r 4c58991c89 Cleanup ROP a little 2012-12-21 10:35:28 -06:00
sinn3r e95f0267c6 Update for some leaky icky 2012-12-21 10:03:38 -06:00
HD Moore b3c0c6175d FixRM #3398 by removing double user-agent headers 2012-12-20 14:45:18 -06:00
jvazquez-r7 f820ffb32d update authors 2012-12-18 23:57:29 +01:00
jvazquez-r7 8a07d2e53d Added module for ZDI-12-168 2012-12-18 23:48:53 +01:00
sinn3r 0344c568fd Merge branch 'smb_fixes' of git://github.com/alexmaloteaux/metasploit-framework into alexmaloteaux-smb_fixes 2012-12-18 11:38:14 -06:00
sinn3r 88f02e0016 Merge branch 'jvazquez-r7-crystal_reports_printcontrol' 2012-12-17 13:52:11 -06:00
Tod Beardsley 10511e8281 Merge remote branch 'origin/bug/fix-double-slashes'
Ran the new normalize_uri() specs, all passes, so I'm quite confident in
this change.
2012-12-17 13:29:19 -06:00
jvazquez-r7 3ed36bd66a trying to fix stability issues on w7 2012-12-17 19:17:36 +01:00
jvazquez-r7 bce7d48931 comment updated 2012-12-14 23:55:12 +01:00
jvazquez-r7 0a0b26dc2c after study the crash after the overflow... 2012-12-14 23:54:44 +01:00
sinn3r 53a2fda608 Merge branch 'mssql_linkcrawler' of git://github.com/nullbind/metasploit-framework into nullbind-mssql_linkcrawler 2012-12-14 15:23:25 -06:00
jvazquez-r7 3e3f35419b Added module for CVE-2010-2590 2012-12-14 12:50:29 +01:00
sinn3r d2885d9045 Correct US Cert references 2012-12-13 14:19:53 -06:00
nullbind 67829756f8 fixed errors 2012-12-12 17:45:02 -06:00
sinn3r a69a4fbbce Extra spaces, be gone. 2012-12-12 14:38:00 -06:00
sinn3r 3a481c8e42 Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode 2012-12-12 14:31:04 -06:00
David Maloney 5856874cea Login check fixes for exploit 2012-12-12 14:18:41 -06:00
sinn3r b465d20d61 Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode 2012-12-12 11:59:23 -06:00
David Maloney 5e8b9a20a4 Fix boneheaded mistake 2012-12-12 09:18:03 -06:00
sinn3r 343a785420 Add OSVDB references 2012-12-11 12:47:08 -06:00
jvazquez-r7 2eb4de815d added c# code by Nicolas Gregoire 2012-12-11 16:33:41 +01:00
jvazquez-r7 44633c4f5b deleted incorrect cve ref 2012-12-11 12:16:47 +01:00
jvazquez-r7 fdb457d82b Merge branch 'refs_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-refs_update 2012-12-11 12:16:06 +01:00
sinn3r b315a4eee4 Grammar 2012-12-11 00:19:15 -06:00
jvazquez-r7 e3a126aa75 Added module for ZDI-10-174 2012-12-11 01:37:44 +01:00
sinn3r 31e2a164a9 MySQL file priv gets a ref from OSVDB 2012-12-10 12:15:44 -06:00
sinn3r f5193b595c Update references 2012-12-10 11:42:21 -06:00
David Maloney e448431c8a Add 32bit comapt mode for 64 bit targets on wirnm
When a 32 bit payload is selected for an x64 target using the powershell
2.0 method,
it will try to invoke the 32bit version of pwoershell to sue instead
allowing us to still get a session even with the wrong payload arch
2012-12-10 11:39:24 -06:00
Tod Beardsley 7ea188e02d Merge pull request #1147 from wchen-r7/cve_text_consistency
Change CVE text format
2012-12-09 14:48:08 -08:00
sinn3r 23d0ffa3ab Dang it, grammar fail. 2012-12-09 01:39:24 -06:00
sinn3r 64a8b59ff9 Change CVE forma
Although the original text should work perfectly, for better
consistency, it's best to remove the "CVE" part. This may not
be a big deal in framework, but stands out a lot in Pro.
2012-12-09 01:09:21 -06:00
sinn3r 811bc49bfd Merge branch 'bug/rm7593-flash-otf' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-bug/rm7593-flash-otf 2012-12-08 17:16:14 -06:00
sinn3r e989142d9d Merge branch 'freefloat' of git://github.com/wchen-r7/metasploit-framework into wchen-r7-freefloat 2012-12-07 14:48:01 -06:00
sinn3r 78b4233b56 Final changes 2012-12-07 14:44:41 -06:00
jvazquez-r7 bae5442ca6 working... 2012-12-07 21:38:17 +01:00
sinn3r 3f1cfcc184 More changes 2012-12-07 13:47:07 -06:00
jvazquez-r7 1aaecbcf0c cleanup and user agent check 2012-12-07 20:38:08 +01:00
sinn3r a1336c7b5a Some more changes 2012-12-07 13:32:44 -06:00
sinn3r 403ac1dc37 I would do anything for a cake. 2012-12-07 13:15:27 -06:00
sinn3r 9838a2c75f This never works for us. Gonna ditch it. 2012-12-07 13:02:26 -06:00
jvazquez-r7 b0be8dc4df history exploit cleanup 2012-12-07 19:23:00 +01:00
sinn3r 38f2348c33 First changes 2012-12-07 11:27:09 -06:00
sinn3r a872362a65 Merge branch 'maxthon3' of git://github.com/malerisch/metasploit-framework into maxthon 2012-12-07 11:17:15 -06:00
James Lee 8812285678 Move print of my_target.name to after nil check
Avoids
  "Exception handling request: undefined method `name' for nil:NilClass"
when we don't have a target for the connecting browser.

[FixRM #7593]
2012-12-07 11:00:24 -06:00
sinn3r fafdcbaae1 Vuln discovered by Rich.
See: https://twitter.com/webstersprodigy/status/277087755073380353
2012-12-07 10:42:45 -06:00
sinn3r cddda9eab7 Merge branch 'master' into nullbind-mssql_linkcrawler 2012-12-06 23:51:06 -06:00
sinn3r 88c97cd2b5 Merge branch 'mssql_linkcrawler' of git://github.com/nullbind/metasploit-framework into nullbind-mssql_linkcrawler 2012-12-06 18:08:13 -06:00
sinn3r bf47eaaa41 Remove code that's commented out. Clearly not needed anymore. 2012-12-06 12:57:41 -06:00
sinn3r 0ea5c781c1 Tabs and spaces don't mix 2012-12-06 12:53:22 -06:00
jvazquez-r7 fd20998f40 using the primer callback as pointed by egypt 2012-12-06 18:59:46 +01:00
jvazquez-r7 8e21d9e235 fix source_address param 2012-12-06 18:34:22 +01:00
jvazquez-r7 fc8b08f10f trailing comma 2012-12-06 17:32:58 +01:00
jvazquez-r7 532afc2919 Added module for CVE-2009-0880 2012-12-06 16:43:07 +01:00
jvazquez-r7 6d3d4c1d84 Added support for FileDropper 2012-12-06 12:03:17 +01:00
sinn3r 18f4df0a38 Fix weird indent prob 2012-12-06 03:58:16 -06:00
sinn3r a90ed82413 Correct CVE format 2012-12-06 03:57:46 -06:00
sinn3r 2b96c4e2a5 Add Kingcope's MySQL 'Stuxnet' technique exploit
Because why not.  One more trick to a pentest + coverage = better.
2012-12-06 03:56:23 -06:00
malerisch 5e28563e4e Advisories URLs changed 2012-12-05 14:33:25 -08:00
jvazquez-r7 5548bebb16 embeding payload on the c# script 2012-12-04 17:44:55 +01:00
jvazquez-r7 3f3bdb8473 my editor... 2012-12-03 21:45:26 +01:00
jvazquez-r7 8a9ad4253a comment about the original discoverer updated 2012-12-03 21:44:35 +01:00
jvazquez-r7 2cb824d62d Added module for CVE-2012-5357 2012-12-03 20:12:02 +01:00
James Lee bc63ee9c46 Merge branch 'jvazquez-r7-file_dropper_support_local' into rapid7 2012-11-30 13:43:02 -06:00
sinn3r 9d52048d7f Forgot to remove this after badchar analysis 2012-11-30 02:17:08 -06:00
sinn3r 37f731fe7d Add OSVDB-80896 BlazeVideo HDTV Player Pro 6.6 Buffer Overflow 2012-11-30 02:14:22 -06:00
HD Moore 93a69ea62e Fix instances of invalid lower-case datastore use 2012-11-29 00:05:36 -06:00
Alexandre Maloteaux c0c3dff4e6 Several fixes for smb, mainly win 8 compatibility 2012-11-28 22:49:40 +01:00
jvazquez-r7 17518f035c support for local exploits on file_dropper 2012-11-28 22:17:27 +01:00
jvazquez-r7 85ed074674 Final cleanup on always_install_elevated 2012-11-28 21:50:08 +01:00
jvazquez-r7 fd1557b6d2 Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated 2012-11-28 21:49:36 +01:00
Meatballs1 7fea0d4af6 Add initial auto run script 2012-11-28 16:38:31 +00:00
Meatballs1 a3fbf276f9 Reinstated cleanup 2012-11-28 11:23:08 +00:00
Meatballs1 b5b47152fc Changed to static msi filename 2012-11-28 11:21:02 +00:00
Meatballs1 76f7abe5b6 Little tidy up 2012-11-27 23:58:58 +00:00
Meatballs1 81c2182424 Msftidy 2012-11-27 23:33:07 +00:00
Meatballs1 9741d55724 Moved to agnostic post module commands 2012-11-27 23:26:19 +00:00
Meatballs1 6fe378b594 Minor changes to description 2012-11-27 20:56:52 +00:00
Meatballs1 d067b040a0 Minor changes to description 2012-11-27 20:55:36 +00:00
Meatballs1 7727f3d6e8 Msftidy 2012-11-27 18:31:54 +00:00
Meatballs1 889c8ac12d Add build instructions and removed binary 2012-11-27 18:18:20 +00:00
Meatballs1 bc9065ad42 Move MSI source and binary location 2012-11-27 18:12:49 +00:00
sinn3r b395f8f96d Only XP for target coverage 2012-11-27 10:48:20 -06:00
sinn3r 2e71fc740e No badchars, then no need to have the key 2012-11-27 10:46:20 -06:00
jvazquez-r7 8c53b275c6 Added module for cve-2012-3753 2012-11-27 12:10:00 +01:00
Tod Beardsley f1fedee63b EOL space, deleted 2012-11-26 14:19:40 -06:00
malerisch 6dfda6da37 Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 15:53:58 -08:00
sinn3r 89ddedf773 If no badchars, no need to specify. 2012-11-23 18:46:50 -06:00
jvazquez-r7 4c9b8d4567 targets updated 2012-11-23 18:48:59 +01:00
jvazquez-r7 52ff38ad8a add module for cve-2012-3752 2012-11-22 19:56:12 +01:00
Meatballs1 579126c777 Remove redundant sleep 2012-11-22 10:44:41 +00:00
Meatballs1 021e0f37e9 Cleanup s 2012-11-22 10:34:05 +00:00
Meatballs1 7936fce7cf Remove auto migrate - we probably dont want to migrate away from a SYSTEM process. 2012-11-22 10:29:58 +00:00
Meatballs1 128eafe22c Changed to Local Exploit 2012-11-22 10:26:23 +00:00
sinn3r 007dcd2dcb Module is good, except with a little grammar error 2012-11-21 10:30:28 -06:00
jvazquez-r7 04aae008ca fix to use pseudorandom exe name 2012-11-21 09:56:20 +01:00
jvazquez-r7 14cba22e64 changes requested by egypt 2012-11-21 09:46:22 +01:00
jvazquez-r7 99d32191c5 Added module for OSVDB 87334 2012-11-20 23:15:21 +01:00
Tod Beardsley 6b4c131cf5 Avoiding a future conflict with release 2012-11-20 13:24:19 -06:00
nullbind dc93bd7215 removed redundant file 2012-11-19 14:27:08 -06:00
sinn3r f784ea65af Merge branch 'master' into ms12-005_mod 2012-11-16 11:59:41 -06:00
sinn3r 8375bb8390 Merge branch 'bypassuac_admincheck' of git://github.com/mubix/metasploit-framework into mubix-bypassuac_admincheck 2012-11-16 11:29:09 -06:00
jvazquez-r7 e8fe6031e9 Let default timeout for send_request_cgi 2012-11-16 18:09:47 +01:00
jvazquez-r7 51f238ec38 up to date 2012-11-16 16:03:09 +01:00
David Maloney de016780b8 Rename the PAYLOAD_TYPE datastore option
This datastore option conflicts with a reserved option in Pro causing
this module to fail in Pro.
2012-11-15 14:42:31 -06:00
Rob Fuller e18acf2103 remove debugging code 2012-11-14 23:56:32 -05:00
Rob Fuller 7d41f1f9a0 add admin already and admin group checks 2012-11-14 23:54:01 -05:00
sinn3r 1546aa6a10 No need to repeat the default values 2012-11-13 18:38:17 -06:00
sinn3r 9054fafb15 Not sure why paths were repeated, but no more. 2012-11-13 18:32:32 -06:00
Chris John Riley f88ec5cbc8 Add normalize_uri to modules that may have
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
jvazquez-r7 21693831ae Added module for ZDI-11-018 2012-11-08 17:32:42 +01:00
HD Moore 36066f8c78 Catch a few stragglers for double slash 2012-11-08 07:21:37 -06:00
HD Moore 4d2147f392 Adds normalize_uri() and fixes double-slash typos 2012-11-08 07:16:51 -06:00
David Maloney 208e706307 Module title fixes 2012-11-07 10:33:14 -06:00
James Lee 34bc92584b Refactor WindowsServices
* Pulls common code up from several methods into #open_sc_manager
* Deprecates the name Windows::WindowsServices in favor of
  Windows::Services. The platform is already clear from the namespace.
* Makes the post/test/services test module actually work

[See #1007]
[See #1012]
2012-11-06 17:30:04 -06:00
jvazquez-r7 9166d12179 Merge branch 'WinRM_piecemeal' of https://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-WinRM_piecemeal 2012-11-05 23:08:59 +01:00
Tod Beardsley 70d53b4e2d Merge remote branch 'jvazquez-r7/emc_networker_format_string' 2012-11-05 16:03:56 -06:00
jvazquez-r7 77b1e9e648 added comment about ropdb 2012-11-05 23:02:23 +01:00
Tod Beardsley e385aad9e5 Merge remote branch 'jvazquez-r7/emc_networker_format_string' 2012-11-05 16:02:18 -06:00
David Maloney 9d5ab5a66f Stupid typing error 2012-11-05 15:41:47 -06:00
David Maloney 314026ed0e Some error checking and fixups 2012-11-05 13:29:57 -06:00
nullbind 0246e921c5 style, ref, desc, and author updates 2012-11-05 12:45:54 -06:00
David Maloney 7c141e11c4 Hopefully final touches
Some smftidy cleanup, and added a method to check that the payload is
the correct arch when using the powershell method
2012-11-05 10:06:57 -06:00
jvazquez-r7 04668c7d61 fix response codes check to avoid second tries to fail 2012-11-05 09:26:26 +01:00
David Maloney 25a6e983a1 Remove the older modules 2012-11-04 14:48:34 -06:00
David Maloney fca8208171 Some minor code cleanup 2012-11-04 14:45:15 -06:00
David Maloney f69ccc779f Unified smarter module 2012-11-04 13:14:02 -06:00
David Maloney c30ada5eac Adds temp vbs mod and tweaked decoder stub 2012-11-04 12:49:15 -06:00
jvazquez-r7 88c99161b4 added universal target 2012-11-03 18:52:07 +01:00
jvazquez-r7 b8eea1007f Added module for CVE-2012-2288 EMC Networker Format String 2012-11-03 18:17:12 +01:00
sinn3r d4fc99e40c Merge branch 'ms10_104_100_continue_support' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ms10_104_100_continue_support 2012-11-02 15:16:35 -05:00
David Maloney ffca972075 Opps mispalced line 2012-11-02 09:34:32 -05:00
David Maloney 355bdbfa39 Add check for propper powershell version 2012-11-02 09:33:28 -05:00
nullbind 9158497fb4 msftidy updates 2012-11-01 20:59:37 -05:00
nullbind 8bb95e9f17 msftidy updates 2012-11-01 20:56:52 -05:00
David Maloney f843740fcb more fixes 2012-11-01 11:59:18 -05:00
jvazquez-r7 22fbfb3601 cleanup 2012-11-01 17:38:04 +01:00
jvazquez-r7 e720769747 Added module for ZDI-12-171 2012-11-01 17:17:45 +01:00
David Maloney aeb837838f typo 2012-11-01 11:03:50 -05:00
David Maloney 84c8660c96 Fix targets to be more specific 2012-11-01 11:00:45 -05:00
David Maloney 0eccfaf1bb Add a disclosure date 2012-11-01 10:24:28 -05:00