infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
34,522 Commits
7 Branches
556 Tags
419 MiB
Commit Graph

303 Commits (5d6c15a43dde66f14480532c35bc9a2e0eb6a9ea)

Author SHA1 Message Date
us3r777 ae2cd63391 Refactored Jboss mixin 
Moved TARGETURI option to the JBoss mixin. The mixin now includes
Msf::Exploit::Remote::HttpClient which provides USERNAME and PASSWORD
 2014-07-21 23:41:58 +02:00
us3r777 088f208c7c Added auxiliary module jboss_bshdeployer 
The module allows to deploy a WAR (a webshell for instance) using the
BSHDeployer.
Also refactored modules/exploits/multi/http/jboss_bshdeployer.rb to
use the new Mixin (lib/msf/http/jboss).
 2014-07-18 11:51:46 +02:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
jvazquez-r7 d83f665466 Delete commas 2014-03-25 13:34:02 -05:00
Ramon de C Valle e27adf6366 Fix msftidy warnings 2014-03-25 10:39:40 -03:00
Ramon de C Valle 473f745c3c Add katello_satellite_priv_esc.rb 
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
 2014-03-24 23:44:44 -03:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
jvazquez-r7 6ba26bf743 Use normalize_uri 2014-02-26 09:35:42 -06:00
jvazquez-r7 582372ec3e Do minor cleanup 2014-02-26 09:32:11 -06:00
Michael Messner b79197b8ab feedback included, cleanup, login check 2014-02-26 13:44:36 +01:00
Michael Messner ec8e1e3d6f small fixes 2014-02-21 21:59:45 +01:00
Michael Messner 1384150b7a make msftidy happy 2014-02-21 21:56:46 +01:00
Michael Messner c77fc034da linksys wrt120 admin reset exploit 2014-02-21 21:53:56 +01:00
sinn3r 81a3b2934e Fix prints 2014-01-23 15:33:24 -06:00
Niel Nielsen 1479ef3903 Update typo3_winstaller_default_enc_keys.rb 
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
 2014-01-07 22:08:10 +01:00
jvazquez-r7 0eac17083a Clean cfme_manageiq_evm_pass_reset 2013-12-18 16:16:32 -06:00
Ramon de C Valle b9a9b90088 Update module to use added bcrypt gem 2013-12-18 16:15:35 -02:00
Ramon de C Valle e20569181b Remove EzCrypto-related code as per review 2013-12-18 16:15:22 -02:00
Ramon de C Valle ef081cec49 Add missing disclosure date as per review 2013-12-18 15:47:23 -02:00
Ramon de C Valle 37826688ce Add cfme_manageiq_evm_pass_reset.rb 
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier)
by changing the password of the target account to the specified
password.
 2013-12-09 16:49:07 -02:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient 
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
 2013-12-03 12:58:16 -06:00
Tod Beardsley 55847ce074
Fixup for release 
Notably, adds a description for the module landed in #2709.
 2013-12-02 16:19:05 -06:00
sinn3r 20e0a7dcfb
Land #2709 - ZyXEL GS1510-16 Password Extractor 2013-12-02 13:13:01 -06:00
Sven Vetsch / Disenchant 39fbb59ba9 re-added the reference I accidentally deleted 2013-12-02 19:06:19 +01:00
Sven Vetsch / Disenchant cb98d68e47 added @wchen-r7's code to store the password into the database 2013-12-02 18:35:59 +01:00
Sven Vetsch / Disenchant 8e73023baa and now in the correct data structure 2013-12-01 17:38:35 +01:00
Sven Vetsch / Disenchant ef77b7fbbf added reference as requested at https://github.com/rapid7/metasploit-framework/pull/2709 2013-12-01 17:36:15 +01:00
Sven Vetsch / Disenchant aa62800184 added ZyXEL GS1510-16 Password Extractor 2013-11-29 10:42:17 +01:00
Jeff Jarmoc 03838aaa79 Update rails_devise_pass_reset.rb 
Fixed erroneous status if FLUSHTOKENS is false.
 2013-11-27 22:27:45 -06:00
Jeff Jarmoc 7f8baf979d Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise. 
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings;
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit

[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
 2013-11-27 15:35:43 -06:00
Tod Beardsley 84572c58a8
Minor fixup for release 
* Adds some new refs.
  * Fixes a typo in a module desc.
  * Fixes a weird slash continuation for string building (See #2589)
 2013-11-04 12:10:38 -06:00
Tod Beardsley 344413b74d
Reorder refs for some reason. 2013-10-30 12:25:55 -05:00
Tod Beardsley 32794f9d37
Move OpenBravo to aux module land 2013-10-30 12:20:04 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict 
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
 2013-10-17 13:29:24 -05:00
Tod Beardsley 2833d58387
Add OSVDB for vbulletin exploit 2013-10-16 15:01:28 -05:00
Tod Beardsley 3c2dddd7aa
Update reference with a non-plagarised source 2013-10-16 14:44:18 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat 
[SeeRM #8496]
 2013-10-15 13:51:57 -05:00
Tod Beardsley cad7329f2d
Minor updates to vbulletin admin exploit 2013-10-10 22:09:38 -05:00
jvazquez-r7 4f3bbaffd1 Clean module and add reporting 2013-10-09 13:54:28 -05:00
jvazquez-r7 5c36533742 Add module for the vbulletin exploit in the wild 2013-10-09 13:12:57 -05:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
jvazquez-r7 02a073a8fe Change module filename 2013-09-09 23:30:37 -05:00
jvazquez-r7 64348dc020 Update information 2013-09-09 23:29:48 -05:00
jvazquez-r7 ce769b0c78 Add module for CVE-2013-2641 2013-09-09 13:56:45 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
jvazquez-r7 b9360b9de6 Land #2286, @wchen-r7's patch for undefined method errors 2013-08-26 20:46:05 -05:00
sinn3r 7fad26968c More fix to jboss_seam_exec 2013-08-26 17:16:15 -05:00
Tod Beardsley 5b4890f5b9 Fix caps on typo3_winstaller module 2013-08-26 14:47:42 -05:00
sinn3r 5993cbe3a8 Fix undefined method error 
[FixRM #8348]
 2013-08-21 00:40:38 -05:00
sinn3r 9f98d4afe6 Fix undefined method error 
[FixRM #8349]
 2013-08-21 00:38:35 -05:00
jvazquez-r7 4790d8de50 Land #2256, @wchen-r7's patch for [FixRM #8316] 2013-08-19 23:23:57 -05:00
sinn3r 5366453031 [FixRM #8316] - Escape characters correctly 
dots need to be escaped
 2013-08-19 16:51:19 -05:00
sinn3r 7fc37231e0 Fix email format 
Correct email format
 2013-08-19 16:34:14 -05:00
jvazquez-r7 f42797fc5c Fix indentation 2013-08-16 14:19:37 -05:00
Tod Beardsley f7339f4f77 Cleanup various style issues 
* Unset default username and password
  * Register SSL as a DefaultOption instead of redefining it
  * Use the HttpClient mixin `ssl` instead of datastore.
  * Unless is better than if !
  * Try to store loot even if you can't cleanup the site ID.
 2013-08-16 14:03:59 -05:00
jvazquez-r7 dfa1310304 Commas in the author array 2013-08-16 13:54:46 -05:00
Tod Beardsley 24b8fb0d7b Whitespace retab, add rport 3780 as default 2013-08-16 13:31:05 -05:00
Tod Beardsley e436d31d23 Use SSL by defailt 2013-08-16 11:32:10 -05:00
Tod Beardsley 60a229c71a Use rhost and rport, not local host and port 2013-08-16 11:12:39 -05:00
Tod Beardsley 646d55b638 Description should be present tense 2013-08-16 11:06:34 -05:00
Tod Beardsley f0237f07d6 Correct author and references 2013-08-16 11:04:51 -05:00
Brandon Perry 46d6fb3b42 Add module for xxe 2013-08-16 10:51:05 -05:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff 
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
 2013-07-29 21:47:52 -05:00
jvazquez-r7 47c21dfe85 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-24 11:42:11 -05:00
Tod Beardsley 147d432b1d Move from DLink to D-Link 2013-07-23 14:11:16 -05:00
jvazquez-r7 4367a9ae49 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-22 15:09:35 -05:00
jvazquez-r7 70900cfe5e Final cleanup for foreman_openstack_satellite_priv_esc 2013-07-22 14:59:23 -05:00
Ramon de C Valle b6c9fd4723 Add foreman_openstack_satellite_priv_esc.rb 
This module exploits a mass assignment vulnerability in the 'create'
action of 'users' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator
account.
 2013-07-22 15:24:25 -03:00
jvazquez-r7 7ab4d4dcc4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-25 17:34:29 -05:00
jvazquez-r7 5c265c99d2 Clean jboss_seam_exec @cmaruti's collab 2013-06-25 14:09:30 -05:00
Cristiano Maruti f78b4d8874 modified according to jvazquez-r7 feedback 2013-06-20 16:29:42 +02:00
Cristiano Maruti 4846a680db modified according to jvazquez-r7 feedback 2013-06-20 16:19:43 +02:00
Cristiano Maruti 8e64bf3d16 modified according to jvazquez-r7 feedback 2013-06-20 16:15:28 +02:00
Cristiano Maruti a5332e5ed2 Module was updated to support WebSphere AS running seam-2. 
msf auxiliary(jboss_seam_exec) > run

[*] Found right index at [0] - getRuntime
[*] Index [1]
[*] Index [2]
[*] Index [3]
[*] Index [4]
[*] Index [5]
[*] Found right index at [6] - exec
[*] Index [7]
[*] Index [8]
[*] Index [9]
[*] Index [10]
[*] Index [11]
[*] Index [12]
[*] Index [13]
[*] Index [14]
[*] Index [15]
[*] Index [16]
[*] Index [17]
[*] Index [18]
[*] Index [19]
[*] Index [20]
[*] Index [21]
[*] Index [22]
[*] Index [23]
[*] Index [24]
[*] Target appears VULNERABLE!
[*] Sending remote command:pwd
[*] Exploited successfully
[*] Auxiliary module execution completed
 2013-06-20 12:17:07 +02:00
jvazquez-r7 011b0bb741 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-15 09:07:47 -05:00
jvazquez-r7 649a8829d3 Add modules for Mutiny vulnerabilities 2013-05-15 09:02:25 -05:00
jvazquez-r7 51a532e8b4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-12 17:39:58 -05:00
jvazquez-r7 feac292d85 Clean up for dlink_dsl320b_password_extractor 2013-05-12 17:35:59 -05:00
jvazquez-r7 ee46771de5 Land #1799, @m-1-k-3's auth bypass module for Dlink DSL320 2013-05-12 17:34:08 -05:00
m-1-k-3 e3582887cf OSVDB, Base64 2013-05-07 08:28:48 +02:00
m-1-k-3 0f2a3fc2d4 dsl320b authentication bypass - password extract 2013-05-06 14:31:47 +02:00
jvazquez-r7 070fd399f2 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-31 20:23:08 +02:00
m-1-k-3 587170ae52 fixed author details - next try 2013-03-30 12:43:55 +01:00
m-1-k-3 1d6184cd63 fixed author details 2013-03-30 12:41:31 +01:00
jvazquez-r7 393d5d8bf5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-25 19:09:42 +01:00
jvazquez-r7 fdd06c923a cleanup for dlink_dir_645_password_extractor 2013-03-25 18:04:12 +01:00
jvazquez-r7 a9a5a3f64f Merge branch 'dlink-dir645-password-extractor' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink-dir645-password-extractor 2013-03-25 18:02:51 +01:00
sinn3r 0d56da0511 Merge branch 'netgear-sph200d' of github.com:m-1-k-3/metasploit-framework into m-1-k-3-netgear-sph200d 2013-03-25 11:45:40 -05:00
jvazquez-r7 2d5a0d6916 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-25 17:08:23 +01:00
m-1-k-3 98ac6e8090 feedback included 2013-03-24 21:01:30 +01:00
m-1-k-3 d90de54891 reporting and feedback 2013-03-24 15:00:18 +01:00
m-1-k-3 9f8ec37060 store loot 2013-03-24 11:48:49 +01:00
m-1-k-3 71708c4bc3 dir 645 password extractor - initial commit 2013-03-24 11:44:24 +01:00
jvazquez-r7 49ac3ac1a3 cleanup for linksys_e1500_e2500_exec 2013-03-23 23:30:49 +01:00
jvazquez-r7 98be5d97b8 Merge branch 'linksys-e1500-e2500-exec' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys-e1500-e2500-exec 2013-03-23 23:30:14 +01:00
m-1-k-3 b2bf1df098 fixed encoding and set telnetd as default cmd 2013-03-23 22:56:15 +01:00
m-1-k-3 47d458a294 replacement of the netgear-sph200d module 2013-03-23 22:40:32 +01:00
m-1-k-3 270f64acc2 feedback included 2013-03-23 15:54:34 +01:00
m-1-k-3 dcd2aebdcd feedback included 2013-03-20 21:34:30 +01:00
jvazquez-r7 44f07cef19 Merge branch 'linksys-e1500-e2500-exec' of https://github.com/m-1-k-3/metasploit-framework 2013-03-20 00:47:31 +01:00
jvazquez-r7 80d218b284 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-19 19:55:51 +01:00
m-1-k-3 9fc0f9a927 initial commit 2013-03-19 17:31:01 +01:00
jvazquez-r7 e5f7c08d6f Added module for CVE-2012-4940 2013-03-13 11:52:54 +01:00
jvazquez-r7 91fbeda062 up to date 2013-03-12 17:04:27 +01:00
jvazquez-r7 6055438476 up to date 2013-03-12 17:04:27 +01:00
David Maloney 4212c36566 Fix up basic auth madness 2013-03-01 11:59:02 -06:00
jvazquez-r7 ec5c8e3a88 Merge branch 'dlink-dir300-600-execution' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink-dir300-600-execution 2013-02-16 19:12:42 +01:00
Jeff Jarmoc c2f8e4adbd Minor - Note Rails 3.1.11 patch in Description. 2013-02-13 22:30:54 -06:00
jvazquez-r7 d1784babea little cleanup plus msftidy compliant 2013-02-13 20:24:49 +01:00
jvazquez-r7 0ae473b010 info updated with rails information 2013-02-13 09:52:17 +01:00
jvazquez-r7 f46eda2fa9 Merge branch 'rails_devise_pw_reset' of https://github.com/jjarmoc/metasploit-framework into jjarmoc-rails_devise_pw_reset 2013-02-13 09:51:37 +01:00
jvazquez-r7 799beb5adc minor cleanup 2013-02-13 01:00:25 +01:00
Jeff Jarmoc 1d5d33f306 use normalize_uri() 2013-02-12 14:58:07 -06:00
Jeff Jarmoc c6a7a4e68d /URIPATH/TARGETURI/g 2013-02-12 14:50:10 -06:00
Jeff Jarmoc c7719bf4cb Verify response is non-nil. 2013-02-12 13:41:21 -06:00
Jeff Jarmoc 9e1f106a87 msftidy cleanup 2013-02-12 13:38:58 -06:00
jvazquez-r7 766257d26a pointed by @m-1-k-3 while working on #1472 2013-02-11 21:21:43 +01:00
Jeff Jarmoc 5f0a3c6b9e Removes pry, oops. 2013-02-11 14:02:46 -06:00
Jeff Jarmoc 753fa2c853 Handles error when TARGETEMAIL is invalid. 2013-02-11 13:58:56 -06:00
Jeff Jarmoc 61ffcedbfd Address HD's other comments, fixes mismatched var name in last commit. 2013-02-11 11:17:26 -06:00
Jeff Jarmoc e72dc47448 Uses REXML for encoding of password. 2013-02-11 11:12:29 -06:00
Jeff Jarmoc 43a1fbb6f2 Make msftiday happy. 2013-02-10 21:13:18 -06:00
Jeff Jarmoc 55cba56591 Aux module for joernchen's devise vuln - CVE-2013-0233 2013-02-10 21:10:00 -06:00
m-1-k-3 63c6791473 return 2013-02-09 11:17:02 +01:00
m-1-k-3 6cccf86a00 Merge branch 'master' of git://github.com/rapid7/metasploit-framework into dlink-dir300-600-execution 2013-02-09 11:09:56 +01:00
Tod Beardsley 5357e23675 Fixups to the Linksys module 
Professionalizes the description a little, but more importantly, handles
LANIP better, I think. Instead of faking a 1.1.1.1 address, just detect
if it's set or not in a method and return the right thing accordingly.

Please test this before landing, obviously. I think it's what's
intended.
 2013-02-06 12:46:50 -06:00
Tod Beardsley faeaa74a49 Msftidy whitespace 2013-02-06 11:06:13 -06:00
m-1-k-3 43f3bb4fe6 small updates 2013-02-05 13:54:10 +01:00
m-1-k-3 5ca0e45388 initial commit 2013-02-04 08:44:12 +01:00
jvazquez-r7 2bf2d4d8a4 Merge branch 'netgear_sph200d_traversal' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-netgear_sph200d_traversal 2013-02-03 23:35:29 +01:00
jvazquez-r7 c24c926ffa add aditional check to detect valid device 2013-02-01 20:55:06 +01:00
jvazquez-r7 996ee06b0f fix another print_ call 2013-02-01 20:43:54 +01:00
jvazquez-r7 152f397a1f first module cleanup 2013-02-01 20:38:11 +01:00
m-1-k-3 988761a6de more updates, BID, Exploit-DB 2013-02-01 20:18:53 +01:00
m-1-k-3 fdd5fe77c1 more updates ... 2013-02-01 19:59:19 +01:00
m-1-k-3 0e22ee73b5 updates ... 2013-02-01 19:26:34 +01:00
sinn3r c174e6a208 Correctly use normalize_uri() 
normalize_uri() should be used when you're joining URIs.  Because if
you're merging URIs after it's normalized, you could get double
slashes again.
 2013-01-30 23:23:41 -06:00
m-1-k-3 ea5e993bf3 initial 2013-01-29 22:02:29 +01:00
jvazquez-r7 1fc747994e cleanup for linksys_wrt54gl_exec 2013-01-24 17:50:14 +01:00
m-1-k-3 3a5e92ba6f hopefully all fixex included 2013-01-23 12:15:34 +01:00
m-1-k-3 11c13500be small fix 2013-01-21 13:41:42 +01:00
m-1-k-3 62ff52280a initial linksys OS command injection 2013-01-21 13:19:29 +01:00
Tod Beardsley 33751c7ce4 Merges and resolves CJR's normalize_uri fixes 
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules

Note that this trips all kinds of msftidy warnings, but that's for another
day.

Conflicts:
	modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
	modules/exploits/windows/http/xampp_webdav_upload_php.rb
 2013-01-07 11:16:58 -06:00
Christian Mehlmauer 95948b9d7c msftidy: remove $Revision$ 2013-01-03 00:58:09 +01:00
Christian Mehlmauer ca890369b1 msftidy: remove $Id$ 2013-01-03 00:54:48 +01:00
Chris John Riley f88ec5cbc8 Add normalize_uri to modules that may have 
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> https://github.com/rapid7/metasploit-framework/pull/1045
 2012-11-08 17:42:48 +01:00
Michael Schierl 910644400d References EDB cleanup 
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
 2012-10-23 21:02:09 +02:00