sinn3r
6b9742b444
Land #3966 - Add exploit for CVE-2014-4872 BMC / Numara Track-It!
2014-10-20 11:23:23 -05:00
Tod Beardsley
6812b8fa82
Typo and grammar
2014-10-20 11:02:09 -05:00
jvazquez-r7
052a9fec86
Delete return
2014-10-20 10:52:33 -05:00
jvazquez-r7
199f6eba76
Fix check method
2014-10-20 10:46:40 -05:00
James Lee
3051b6c5ba
Clean up exceptions
...
Of particular note is mysql, who was rescuing Rex::ConnectionTimeout
*after* Rex::ConnectionError, which never would have fired anyway.
2014-10-20 10:27:02 -05:00
us3r777
16101612a4
Some changes to use primer
...
Follow wiki How-to-write-a-module-using-HttpServer-and-HttpClient
2014-10-20 17:26:16 +02:00
James Lee
b7d69bec83
Restore proxies to ssh scanners
2014-10-20 10:19:06 -05:00
us3r777
1e143fa300
Removed unused variables
2014-10-20 16:58:41 +02:00
jvazquez-r7
57fe829f96
Switch generic_sh's rank to ManualRanking
2014-10-20 09:34:19 -05:00
jvazquez-r7
c991c5e377
Readd generic_sh encoder
2014-10-20 09:33:34 -05:00
nullbind
036d43ba37
fixed logic bug
2014-10-19 20:56:29 -05:00
Jon Hart
2985b39267
Land #3980 , @wchen-r7 fixed #3975
2014-10-19 17:11:06 -07:00
Jon Hart
88c1647c80
Loot the passwords, obviously
2014-10-19 13:11:10 -07:00
Jon Hart
0971d7c3ac
Remove ... from prints, only map a browser if we found something
2014-10-19 13:05:11 -07:00
Jon Hart
967800eed0
Track account name for more useful table and prints
2014-10-19 12:59:51 -07:00
Jon Hart
5a05246682
Consistent case in *print_*
2014-10-19 12:30:50 -07:00
Spencer McIntyre
005baa7f7e
Retry the script page request to get the token
...
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
2014-10-19 14:04:16 -04:00
Brendan Coles
0ede70e7f6
Add exploit module for CUPS shellshock
2014-10-19 17:58:49 +00:00
ikkini
c2174c7910
return if no version response received
2014-10-19 00:29:36 +02:00
nullbind
1e2f1eaee0
cleaning up
2014-10-18 12:00:11 -05:00
sinn3r
d1523c59a9
Land #3965 - BMC Track-It! Arbitrary File Upload
2014-10-17 19:47:42 -05:00
Jon Hart
a30663e412
Fix multiuser LastPass extraction, print/vprint cleanup
2014-10-17 17:40:19 -07:00
James Lee
329a600b84
Add tcp evasion options to mssql_login
2014-10-17 17:40:21 -05:00
sinn3r
8b5a33c23f
Land #4044 - MS14-060 "Sandworm"
2014-10-17 16:46:32 -05:00
William Vu
d5b698bf2d
Land #3944 , pkexec exploit
2014-10-17 16:30:55 -05:00
jvazquez-r7
70f8e8d306
Update description
2014-10-17 16:17:00 -05:00
jvazquez-r7
e52241bfe3
Update target info
2014-10-17 16:14:54 -05:00
jvazquez-r7
7652b580cd
Beautify description
2014-10-17 15:31:37 -05:00
jvazquez-r7
d831a20629
Add references and fix typos
2014-10-17 15:29:28 -05:00
Jon Hart
d2a00b208e
Minor style cleanup to appease Rubocop
2014-10-17 12:50:18 -07:00
sinn3r
ef1556eb62
Another update
2014-10-17 13:56:37 -05:00
jvazquez-r7
8fa648744c
Add @wchen-r7's unc regex
2014-10-17 13:46:13 -05:00
William Vu
10f3969079
Land #4043 , s/http/http:/ splat
...
What is a splat?
2014-10-17 13:41:07 -05:00
Jon Hart
d97fe548b9
Store the browser name in LastPass loot
2014-10-17 11:33:31 -07:00
Jon Hart
43238c7324
Simplify LastPass extraction. Track what browser that puked creds
2014-10-17 11:19:36 -07:00
William Vu
dbfe398e35
Land #4037 , Drupageddon exploit
2014-10-17 12:39:59 -05:00
William Vu
a514e3ea16
Fix bad indent (should be spaces)
...
msftidy is happy now.
2014-10-17 12:39:25 -05:00
William Vu
f2328e679f
Land #4034 , POODLE scanner
2014-10-17 12:36:48 -05:00
William Vu
367ea5d3db
Add disclosure date
2014-10-17 12:35:28 -05:00
Tod Beardsley
ccdaf2b576
Fix the banner
...
Turns out these will be broken in outstanding PRs for a while. At least
they won't be merge conflicts.
2014-10-17 12:23:23 -05:00
Jon Hart
9177b931fd
Refactoring of LastPass module to use correct Firefox path on *nix
2014-10-17 10:20:55 -07:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley
ad501b25e4
Filename move to be less redundant
2014-10-17 11:25:14 -05:00
jvazquez-r7
e5903562ee
Delete bad/incomplete validation method
2014-10-17 10:36:01 -05:00
nullbind
bf92769ba2
added mssql_escalate_dbowner_sqli
2014-10-17 10:25:20 -05:00
sinn3r
a79427a659
I shoulda checked before git commit
2014-10-17 00:54:45 -05:00
sinn3r
4c0048f26a
Update description
2014-10-17 00:46:17 -05:00
sinn3r
3a63fa12b8
'ppsx_module_smaller' to branch cve_2014_4114
2014-10-17 00:10:57 -05:00
William Vu
e242bf914f
Land #4031 , fixes for pureftpd_bash_env_exec
2014-10-16 19:55:09 -05:00
jvazquez-r7
1d16bd5c77
Fix vulnerability discoverer
2014-10-16 18:01:45 -05:00
jvazquez-r7
807f1e3560
Fix target name
2014-10-16 17:58:45 -05:00
jvazquez-r7
c1f9ccda64
Fix ruby
2014-10-16 17:55:00 -05:00
jvazquez-r7
e40642799e
Add sandworm module
2014-10-16 16:37:37 -05:00
Jon Hart
8fdae8fbfb
Move protocol and lifetime to mixin, use correct map_target if CHOST
2014-10-16 13:24:17 -07:00
Brandon Perry
353d2f79cc
tweak pw generation
2014-10-16 12:06:19 -07:00
Brandon Perry
5f8c0cb4f3
Merge branch 'drupal' of https://github.com/FireFart/metasploit-framework into drupageddon
2014-10-16 11:53:54 -07:00
Christian Mehlmauer
c8dd08f605
password hashing
2014-10-17 15:52:47 +02:00
Brandon Perry
23b7b8e400
fix for version 7.0-7.31
2014-10-16 11:53:48 -07:00
James Lee
40b360555f
Make the error message a little more useful
2014-10-16 12:47:13 -05:00
Brandon Perry
9bab77ece6
add urls
2014-10-16 10:36:37 -07:00
Brandon Perry
b031ce4df3
Create drupal_drupageddon.rb
2014-10-16 16:42:47 -05:00
Brandon Perry
5c4ac48db7
update the drupal module a bit with error checking
2014-10-16 10:32:39 -07:00
Tod Beardsley
8cf10be779
Don't assume SSLv3 is set (kill FP+s)
2014-10-16 10:43:58 -05:00
Tod Beardsley
0b67efd51e
Add a POODLE scanner and general SSL version scan
2014-10-16 10:27:37 -05:00
Spencer McIntyre
09069f75c2
Fix #4019 , fix NameError peer and disconnect in check
2014-10-16 08:32:20 -04:00
Martin Vigo
36d6220f8f
Make use of Rex::Ui::Text::Table
2014-10-15 23:13:53 -07:00
Martin Vigo
bb421859d3
Refactor code and add support for all Windows
2014-10-15 22:15:54 -07:00
Martin Vigo
c7e0ced02b
Remove useless conditions
2014-10-15 21:29:47 -07:00
Martin Vigo
2bdc703930
Remove useless condition
2014-10-15 21:16:06 -07:00
Martin Vigo
5fa39782b8
Fix unused variable
2014-10-15 21:10:50 -07:00
Martin Vigo
8fc0f0955e
Add support for Firefox
2014-10-15 20:44:20 -07:00
Martin Vigo
47794510c3
Add support for Firefox in XP
2014-10-15 20:44:19 -07:00
Martin Vigo
484d98d0a8
Meet rubocop and msftify rules
2014-10-15 20:17:36 -07:00
Martin Vigo
85e6febe09
Add module to extract/decrypt LastPass credentials
2014-10-15 20:17:36 -07:00
James Lee
41a57b7ba5
Re-enable proxies for HTTP-based login scanners
2014-10-15 17:00:44 -05:00
Jon Hart
07f2d4dafe
Further improvements to NAT-PMP. Faster, more useful, less not useful
2014-10-15 06:39:38 -07:00
Fernando Munoz
4c2ae1a753
Fix jenkins when CSRF is enabled
2014-10-14 19:33:23 -05:00
Tod Beardsley
592f1e9893
Land #3999 , errors on login suppressed by default
...
This also solved the merge conflict on:
modules/auxiliary/scanner/http/jenkins_login.rb
Fixes #3995 .
2014-10-14 16:35:09 -05:00
Jon Hart
ea6824c46f
WIP of NAT-PMP rework
2014-10-14 14:20:24 -07:00
William Vu
bdbad5a81d
Fix misaligned bracket
2014-10-14 13:43:59 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Tod Beardsley
56534e7ad3
Changed a login failed to vprint instead of print
...
People often like to supress failed attempts. Note that this change may
or may not have any effect, given the status of #3995 .
This module was introduced in PR #3947 .
2014-10-14 12:01:09 -05:00
Tod Beardsley
b1223165d4
Trivial grammar fixes
2014-10-14 12:00:50 -05:00
Tod Beardsley
6ea3a78b47
Clarify the description on HP perfd module
...
Introduced in #3992
2014-10-14 11:58:52 -05:00
jvazquez-r7
39a09ad750
Use ARCH_CMD on Windows target
2014-10-14 10:24:32 -05:00
jvazquez-r7
a0fc0cf87f
Update ranking
2014-10-13 17:44:00 -05:00
Nikita
621b9523b1
Update tnspoison_checker.rb
2014-10-13 22:05:08 +04:00
Nikita
1996886ae9
Update tnspoison_checker.rb
2014-10-13 12:53:39 +04:00
Nikita
22aabc7805
Add new module to test TNS poison
...
This module simply checks the server for vulnerabilities like TNS Poison
2014-10-13 12:21:07 +04:00
Jon Hart
d51d2bf5a0
Land #3990 , @wchen-r7's fix for #3984 , a busted check in drupal_views_user_enum
2014-10-12 19:38:55 -07:00
Jon Hart
76275a259a
Minor style cleanup of help and a failure message
2014-10-12 18:34:13 -07:00
jvazquez-r7
ca05c4c2f4
Fix @wchen-r7's feedback
...
* use vprint_* on check
* rescue get_once
2014-10-12 17:44:33 -05:00
us3r777
444b01c4b0
Typo + shorten php serialized object
2014-10-12 21:29:04 +02:00
jvazquez-r7
46bf8f28e0
Fix regex
2014-10-11 21:37:05 -05:00
jvazquez-r7
6092e84067
Add module for ZDI-14-344
2014-10-11 21:33:23 -05:00
Jon Hart
c3a58cec9e
Make note of other commands to investigate
2014-10-11 13:07:52 -07:00
Jon Hart
c80a5b5796
List commands in sorted order
2014-10-11 13:00:30 -07:00
Jon Hart
4ffc8b153c
Support running more than one perfd command in a single pass
2014-10-11 11:38:00 -07:00
Jon Hart
c72593fae4
Store just banner for service, loot the rest. Also, minor style.
2014-10-11 11:12:49 -07:00
Jon Hart
9550c54cd2
Correct indentation and whitespace
2014-10-11 10:39:12 -07:00
sinn3r
9500038695
Fix #3995 - Make negative messages less verbose
...
As an user testing against a large network, I only want to see
good news, not bad news.
2014-10-11 11:11:09 -05:00
Roberto Soares Espreto
7bd0f2c114
Changed Name, array in OptEnum and operator
2014-10-11 09:03:18 -03:00
Roberto Soares Espreto
cbde2e8cd1
Variable cmd now with interpolation
2014-10-10 18:21:16 -03:00
Roberto Soares Espreto
291bfed47e
Using Rex.sleep instead of select
2014-10-10 15:17:40 -03:00
Roberto Soares Espreto
bd315d7655
Changed print_good and OptEnum
2014-10-10 13:54:42 -03:00
Roberto Soares Espreto
08fdb4fab2
Add module to enumerate environment HP via perfd daemon
2014-10-10 13:09:36 -03:00
sinn3r
260aa8dc22
Fix #3984 - Fix broken check for drupal_views_user_enum
2014-10-10 10:23:20 -05:00
0a2940
e689a0626d
Use Rex.sleep :-)
...
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"
user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
nstarke
472985a8a8
Adding Buffalo Linkstation NAS Login Scanner
...
I have added a login scanner for the Buffalo Linkstation
NAS. I have been testing against version 1.68 of the
firmware. Also included are some specs for this module.
2014-10-10 03:16:48 +00:00
Tod Beardsley
aefd15c185
Land #3376 , ARRIS SNMP enumerator from @inokii
2014-10-09 15:28:06 -05:00
jvazquez-r7
520e1bccca
Land #3692 , @TomSellers's support for Metasploit Credential on enum_snmp
2014-10-09 15:18:44 -05:00
sinn3r
7d8eadada6
Fix #3974 - Validate and normalize URI for axis_login
2014-10-09 14:33:39 -05:00
sinn3r
c9c34beafa
Fix #3975 - Register TARGETURI, not URI
...
The module should register TARGETURI and call #target_uri for
URI validation.
2014-10-09 14:10:29 -05:00
Pedro Ribeiro
4b7a446547
... and restore use of the complicated socket
2014-10-09 18:30:45 +01:00
Pedro Ribeiro
c78651fccc
Use numbers for version tracking
2014-10-09 18:29:27 +01:00
Pedro Ribeiro
8163b7de96
Thanks for helping me clean up Todd!
2014-10-09 18:20:31 +01:00
sinn3r
d366cdcd6e
Fix #3976 - validate and normalize user-supplied URI for http_login.rb
...
URI should be validated and normalized before being used in an HTTP
request.
2014-10-09 12:14:33 -05:00
Pedro Ribeiro
9d1e206e43
Incorporate cred changes and other minor fixes
2014-10-09 17:59:38 +01:00
Spencer McIntyre
a535d236f6
Land #3947 , login scanner for jenkins by @nstarke
2014-10-09 12:59:02 -04:00
Spencer McIntyre
6ea530988e
Apply rubocop changes and remove multiline print
2014-10-09 12:57:39 -04:00
us3r777
2428688565
CVE-2014-7228 Joomla/Akeeba Kickstart RCE
...
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
jvazquez-r7
3305b1e9c3
Land #3984 , @nullbind's MSSQL privilege escalation module
2014-10-09 11:39:15 -05:00
jvazquez-r7
10b160bedd
Do final cleanup
2014-10-09 11:38:45 -05:00
jvazquez-r7
bbe435f5c9
Don't rescue everything
2014-10-09 11:25:13 -05:00
jvazquez-r7
0cd7454a64
Use default value for doprint
2014-10-09 11:04:42 -05:00
jvazquez-r7
db6f6d4559
Reduce code complexity
2014-10-09 10:59:14 -05:00
jvazquez-r7
615b8e5f4a
Make easy method comments
2014-10-09 10:48:00 -05:00
jvazquez-r7
dd03e5fd7d
Make just one connection
2014-10-09 10:46:51 -05:00
jvazquez-r7
ccf677aad6
land #3978 , Fixes #3973 , Wrong datastore option URI in glassfish_login
2014-10-09 09:53:01 -05:00
sinn3r
df0d4f9fb2
Fix #3973 - Unneeded datastore option URI
...
When Glassfish is installed, the web root is always /, so there is
no point to make this arbitrary.
2014-10-09 00:06:15 -05:00
Christian Mehlmauer
1584c4781c
Add reference
2014-10-09 06:58:15 +02:00
nullbind
168f1e559c
fixed status
2014-10-08 21:19:50 -05:00
nullbind
3ebcaa16a1
removed scanner
2014-10-08 21:18:56 -05:00
nstarke
328be3cf34
Fine Tuning Jenkins Login Module
...
At the request of the maintainers, I have deregistered the
RHOST option and made the failure proof a verbose only
print.
2014-10-08 17:53:21 -05:00
jvazquez-r7
4f96d88a2f
Land #3949 , @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload
2014-10-08 16:35:49 -05:00
jvazquez-r7
66a8e7481b
Fix description
2014-10-08 16:35:14 -05:00
jvazquez-r7
8ba8402be3
Update timeout
2014-10-08 16:32:05 -05:00
jvazquez-r7
bbf180997a
Do minor cleanup
2014-10-08 16:29:11 -05:00
Pedro Ribeiro
4817e1e953
Update trackit_sql_domain_creds.rb
2014-10-08 21:41:04 +01:00
William Vu
f86c0c2bb5
Land #3970 , rm jtr_unshadow
2014-10-08 14:55:15 -05:00
Jay Smith
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
jvazquez-r7
411f6c8b2d
Land #3793 , @mfadzilr's exploit for CVE-2014-6287, HFS remote code execution
2014-10-08 12:16:09 -05:00
jvazquez-r7
98b69e095c
Use %TEMP% and update ranking
2014-10-08 12:12:00 -05:00
jvazquez-r7
d90fe4f724
Improve check method
2014-10-08 12:03:16 -05:00
jvazquez-r7
25344aeb6a
Change filename
2014-10-08 11:55:33 -05:00
jvazquez-r7
909f88680b
Make exploit aggressive
2014-10-08 11:08:01 -05:00
jvazquez-r7
d02f0dc4b9
Make minor cleanup
2014-10-08 10:36:56 -05:00
jvazquez-r7
d913bf1c35
Fix metadata
2014-10-08 10:29:59 -05:00
Tod Beardsley
a901916b0b
Remove nonfunctional jtr_unshadow
...
This module hasn't been doing anything but print_error a go away message
since June, so may as well get rid of it.
2014-10-08 10:23:29 -05:00
Brendan Coles
e0016d4af3
Remove hash rocket from refs array #3766
...
[SeeRM #8776 ]
2014-10-08 09:16:38 +00:00
Brendan Coles
3c7be9c4c5
Remove hash rockets from references #3766
...
[SeeRM #8776 ]
2014-10-08 09:01:19 +00:00
Pedro Ribeiro
6af6b502c3
Remove spaces at EOL
2014-10-08 08:30:30 +01:00
Pedro Ribeiro
0a9795216a
Add OSVDB id and full disclosure URL
2014-10-08 08:25:41 +01:00
Pedro Ribeiro
713ff5134a
Add OSVDB id
2014-10-08 08:24:44 +01:00
Pedro Ribeiro
bd812c593c
Add full disclosure URL
2014-10-08 08:24:04 +01:00
Pedro Ribeiro
bbac61397d
Restore :address to rhost and explain why
2014-10-08 08:23:43 +01:00
sinn3r
c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution
2014-10-08 00:30:07 -05:00
Pedro Ribeiro
9cb0ad1ac2
Change the reporting address to the real value
2014-10-08 01:18:17 +01:00
Pedro Ribeiro
6e9bebdaf9
Fix noob mistake in assignment
2014-10-08 01:04:15 +01:00
Pedro Ribeiro
7dbfa19e65
Add exploit for Track-It! domain/sql creds vuln
2014-10-07 23:54:43 +01:00
Pedro Ribeiro
d328b2c29d
Add exploit for Track-It! file upload vuln
2014-10-07 23:50:10 +01:00
jvazquez-r7
299d9afa6f
Add module for centreon vulnerabilities
2014-10-07 14:40:51 -05:00
jvazquez-r7
3daa1ed4c5
Avoid changing modules indentation in this pull request
2014-10-07 10:41:25 -05:00
jvazquez-r7
341d8b01cc
Favor echo encoder for back compatibility
2014-10-07 10:24:32 -05:00
jvazquez-r7
3628f73235
Fix ARCH_CMD perl encoding
2014-10-07 10:21:30 -05:00
jvazquez-r7
e63b389713
Add @jlee-r7's changes to perl encoding
2014-10-07 00:16:16 -05:00
nullbind
031fb19153
requested updates
2014-10-06 23:52:30 -05:00
William Vu
399a61d52e
Land #3946 , ntp_readvar updates
2014-10-06 21:57:57 -05:00
nstarke
e1b0ba5d3d
Removing 'require pry'
...
I accidentally left a reference to pry in my code.
Removing
2014-10-06 21:40:39 -05:00
nstarke
b8c2643d56
Converting Module to LoginScanner w/ Specs
...
The previous commits for this Jenkins CI module relied on an
obsolete pattern. Consequently, it was necessary to write
this module as a LoginScanner and incorporate the appropriate
specs so that the tests will run properly.
2014-10-06 21:14:10 -05:00
jvazquez-r7
0089810026
Merge to update
2014-10-06 19:09:31 -05:00
jvazquez-r7
6f174a9996
Fix obvious introduced bug
2014-10-06 18:56:25 -05:00
jvazquez-r7
6b52ce9101
Delete 'old' generic_sh unix cmd encoder, favor splitting
2014-10-06 18:45:10 -05:00
jvazquez-r7
212762e1d6
Delete RequiredCmd for unix cmd encoders, favor EncoderType
2014-10-06 18:42:21 -05:00
sinn3r
d3354d01f0
Fix #3808 - NoMethodError undefined method `map'
...
NoMethodError undefined method `map' due to an incorrect use of
load_password_vars
2014-10-06 15:42:51 -05:00
Jon Hart
8c8ccc1d54
Update Authors
2014-10-06 11:30:39 -07:00
us3r777
03888bc97b
Change the check function
...
Use regex based detection
2014-10-06 18:56:01 +02:00
us3r777
29111c516c
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
...
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
nstarke
69400cf280
Fixing Author Declaration
...
I had accidentally listed myself three times as the author.
Fixing that issue so that I am only declaring myself once.
2014-10-05 23:17:28 -05:00
nstarke
c0a3691817
Adding Jenkins-CI Login Scanner
...
Per Github issue #3871 (RM8774), I have added a
login scanner module for Jenkins-CI installations.
2014-10-05 22:08:34 -05:00
James Lee
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Jon Hart
a341756e83
Support spoofing source IPs for NTP readvar, include status messages
2014-10-03 14:05:57 -07:00
Jon Hart
fa4414155a
Only include the exact readvar payload, not any padding
2014-10-03 13:58:13 -07:00
Jon Hart
65c1a8230a
Address most Rubocop complaints
2014-10-03 13:47:29 -07:00
Jon Hart
0715c671c6
Update NTP readvar module to detect DRDoS, UDPScanner to be faster
2014-10-03 13:28:30 -07:00
William Vu
f7e709dcb3
Land #3941 , new WPVDB reference
2014-10-03 10:17:02 -05:00
Christian Mehlmauer
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
0a2940
f2b9aeed74
typo
2014-10-03 11:02:56 +01:00
0a2940
f60f6d9c92
add exploit for CVE-2011-1485
2014-10-03 10:54:43 +01:00
Brandon Perry
2c9446e6a8
Update f5_icontrol_exec.rb
2014-10-02 17:56:24 -05:00
Christian Mehlmauer
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
Joe Vennix
5a8eca8946
Adds a :vuln_test option to BES, just like in BAP.
...
I needed this to run a custom JS check for the Android
webview vuln when the exploit is served straight
through BES. The check already existed when using BAP,
so I tried to preserve that syntax, and also added a
:vuln_test_error as an optional error message.
This commit also does some mild refactoring of un-
useful behavior in BES.
2014-10-01 23:34:31 -05:00
HD Moore
0380c5e887
Add CVE-2014-6278 support, lands #3932
2014-10-01 18:25:41 -05:00
William Vu
c1b0acf460
Add CVE-2014-6278 support to the exploit module
...
Same thing.
2014-10-01 17:58:25 -05:00
William Vu
5df614d39b
Land #3928 , release fixes
2014-10-01 17:21:08 -05:00
HD Moore
77bb2df215
Adds support for both CVEs, lands #3931
2014-10-01 17:06:59 -05:00
William Vu
51bc5f52c1
Add CVE-2014-6278 support
...
Going with an OptEnum to simplify the code for now...
2014-10-01 16:40:55 -05:00
Spencer McIntyre
8cf718e891
Update pureftpd bash module rank and description
2014-10-01 17:19:31 -04:00
James Lee
7e05ff343e
Fix smbdirect
...
Also some whitespace and a typo in output message
2014-10-01 16:02:59 -05:00
James Lee
a21752bc9c
Fix NoMethodError on os, mark DCs as 'server'
2014-10-01 16:02:46 -05:00
Tod Beardsley
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
Spencer McIntyre
cf6029b2cf
Remove the less stable echo stager from the exploit
2014-10-01 15:15:07 -04:00
Spencer McIntyre
632edcbf89
Add CVE-2014-6271 exploit via Pure-FTPd ext-auth
2014-10-01 14:57:40 -04:00
William Vu
9bfd013e10
Land #3923 , mv misc/pxexploit to local/pxeexploit
...
Also renamed typo'd pxexploit -> pxeexploit.
2014-09-30 17:48:06 -05:00
William Vu
039e544ffa
Land #3925 , rm indeces_enum
...
Deprecated.
2014-09-30 17:45:38 -05:00
sinn3r
be1df68563
Remove auxiliary/scanner/elasticsearch/indeces_enum.rb
...
Time is up, so good bye.
2014-09-30 17:24:21 -05:00
sinn3r
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
William Vu
5ea968f3ee
Update description to prefer the exploit module
2014-09-30 11:34:28 -05:00
William Vu
162e42080a
Update title to reflect scanner status
2014-09-30 11:04:17 -05:00
William Vu
de65ab0519
Fix broken check in exploit module
...
See 71d6b37088
.
2014-09-29 23:03:09 -05:00
William Vu
12d7073086
Use idiomatic Ruby for the marker
2014-09-29 22:32:07 -05:00
William Vu
71d6b37088
Fix bad header error from pure Bash CGI script
2014-09-29 22:25:42 -05:00
William Vu
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
sinn3r
b2d2101be2
Land #3913 - Change hardcoded table prefixes
2014-09-29 17:55:45 -05:00
sinn3r
8f3e03d4f2
Land #3903 - ManageEngine OpManager / Social IT Arbitrary File Upload
2014-09-29 17:53:43 -05:00
Christian Mehlmauer
b266233e95
fix bug
2014-09-30 00:21:52 +02:00
Pedro Ribeiro
533b807bdc
Add OSVDB id
2014-09-29 21:52:44 +01:00
HD Moore
878f3d12cd
Remove kind_of? per @trosen-r7
2014-09-29 15:39:10 -05:00
HD Moore
77efa7c19a
Change if/else to case statement
2014-09-29 15:37:58 -05:00
HD Moore
bfadfda581
Fix typo on match string for opera_configoverwrite
2014-09-29 15:34:35 -05:00
sinn3r
ffe5aafb2f
Land #3905 - Update exploits/multi/http/apache_mod_cgi_bash_env_exec
2014-09-29 15:19:35 -05:00
sinn3r
21b2d9eb3f
Land #3899 - WordPress custom-contact-forms Plugin SQL Upload
2014-09-29 14:40:28 -05:00
sinn3r
9e5826c4eb
Land #3844 - Add the JSObfu mixin to Firefox exploits
2014-09-29 11:15:14 -05:00
sinn3r
ababc3d8ff
Land #3869 - HP Network Node Manager I PMD Buffer Overflow
2014-09-29 11:00:12 -05:00
Meatballs
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
Spencer McIntyre
fe12ed02de
Support a user defined header in the exploit too
2014-09-27 18:58:53 -04:00
Pedro Ribeiro
f20610a657
Added full disclosure URL
2014-09-27 21:34:57 +01:00
Pedro Ribeiro
030aaa4723
Add exploit for CVE-2014-6034
2014-09-27 19:33:49 +01:00
HD Moore
64dbc396dd
Add header specification to check module, lands #3902
2014-09-27 12:58:29 -05:00
William Vu
044eeb87a0
Add variable HTTP header
...
Also switch from OptEnum to OptString for flexibility.
2014-09-27 12:39:24 -05:00
Brandon Perry
161a145ec2
Create f5_icontrol_exec.rb
2014-09-27 10:40:13 -05:00
Christian Mehlmauer
c51c19ca88
bugfix
2014-09-27 14:56:34 +02:00
Christian Mehlmauer
9a424a81bc
fixed bug
2014-09-27 13:46:55 +02:00
Christian Mehlmauer
1c30c35717
Added WordPress custom_contact_forms module
2014-09-27 13:42:49 +02:00
sinn3r
c75a0185ec
Land #3897 - Fix check for apache_mod_cgi_bash_env & apache_mod_cgi_bash_env_exec
2014-09-26 17:06:23 -05:00
jvazquez-r7
80d9af9b49
Fix spacing in description
2014-09-26 17:03:28 -05:00
jvazquez-r7
9e540637ba
Add module for CVE-2014-5377 ManageEngine DeviceExpert User Credentials
2014-09-26 17:02:27 -05:00
jvazquez-r7
3259509a9c
Use return
2014-09-26 16:04:15 -05:00
jvazquez-r7
0a3735fab4
Make it better
2014-09-26 16:01:10 -05:00
jvazquez-r7
3538b84693
Try to make a better check
2014-09-26 15:55:26 -05:00
jvazquez-r7
6e2d297e0c
Credit the original vuln discoverer
2014-09-26 13:45:09 -05:00
jvazquez-r7
e1f00a83bc
Fix Rex because domainname and domain_name were duplicated
2014-09-26 13:40:52 -05:00
jvazquez-r7
5044117a78
Refactor dhclient_bash_env to use the egypt's mixin mods
2014-09-26 13:34:44 -05:00
nullbind
ebf4e5452e
Added mssql_escalate_dbowner module
2014-09-26 10:29:35 -05:00
jvazquez-r7
a4bc17ef89
deregister options needed for exploitation
2014-09-26 10:15:46 -05:00
jvazquez-r7
54e6763990
Add injection to HOSTNAME and URL
2014-09-26 10:13:24 -05:00
jvazquez-r7
a31b4ecad9
Merge branch 'review_3893' into test_land_3893
2014-09-26 08:41:43 -05:00
James Lee
86f85a356d
Add DHCP server module for CVE-2014-6271
2014-09-26 01:24:42 -05:00
sinn3r
38c8d92131
Land #3888 - exploit module version of CVE-2014-6271
2014-09-26 00:31:41 -05:00
HD Moore
b878ad2b75
Add a module to exploit bash via DHCP, lands #3891
...
This module is just a starting point for folks to test their DHCP client implementations and we plan to significantly overhaul this once we get a bit of breathing room.
2014-09-25 23:38:40 -05:00
Ramon de C Valle
9c11d80968
Add dhclient_bash_env.rb (Bash exploit)
...
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
2014-09-26 01:37:00 -03:00
jvazquez-r7
ad864cc94b
Delete unnecessary code
2014-09-25 16:18:01 -05:00
Joe Vennix
2b02174999
Yank Android->jsobfu integration. Not really needed currently.
2014-09-25 16:00:37 -05:00
jvazquez-r7
9245bedf58
Make it more generic, add X86_64 target
2014-09-25 15:54:20 -05:00
Samuel Huckins
be6552dae7
Clarifying VMware priv esc via bash module name
2014-09-25 14:34:09 -05:00
jvazquez-r7
d8c03d612e
Avoid failures due to bad payload selection
2014-09-25 13:49:04 -05:00
jvazquez-r7
91e5dc38bd
Use datastore timeout
2014-09-25 13:36:05 -05:00
jvazquez-r7
8a43d635c3
Add exploit module for CVE-2014-6271
2014-09-25 13:26:57 -05:00
jvazquez-r7
e0fc30c040
Land #3884 , @wvu's check and reporting for apache_mod_cgi_bash_env
2014-09-25 09:52:17 -05:00
William Vu
f66c854ad6
Fix description to be less lulzy
2014-09-25 07:09:08 -05:00
William Vu
9ed28408e1
Favor check_host for a scanner
2014-09-25 07:06:12 -05:00
William Vu
62b74aeaed
Reimplement old check code I was testing before
...
I would like to credit @wchen-r7 for providing advice and feedback.
@jvazquez-r7, too! :)
2014-09-25 06:38:25 -05:00
William Vu
d9120cd586
Fix typo in description
...
Running on fumes here...
2014-09-25 01:22:08 -05:00
William Vu
790df96396
Fix missed var
2014-09-25 01:19:14 -05:00
Rob Fuller
f13289ab65
remove debugging
2014-09-25 02:16:19 -04:00
William Vu
e051cf020d
Add missed mixin
2014-09-25 01:14:58 -05:00
William Vu
27b8580f8d
Add protip to description
...
This gets you lots of shells.
2014-09-25 01:10:22 -05:00
Rob Fuller
8cb4ed4cb7
re-add quotes -oops
2014-09-25 02:09:12 -04:00
William Vu
b1e9b3664e
Improve false positive check
2014-09-25 01:01:11 -05:00
Rob Fuller
6fb587ef96
update to use vmware-vmx-stats
2014-09-25 01:55:04 -04:00
William Vu
8daf8d4339
Report vuln for apache_mod_cgi_bash_env
...
Now with fewer false positives! It's kinda like a check method.
2014-09-25 00:42:14 -05:00
jvazquez-r7
37753e656e
Land #3882 , @jvennix-r7's vmware/bash privilege escalation module
2014-09-25 00:42:12 -05:00
jvazquez-r7
456d731aa3
Fix processes check
2014-09-25 00:24:39 -05:00
William Vu
5a59b7cd89
Fix formatting
2014-09-24 23:12:11 -05:00
William Vu
e6f0736797
Add peer
2014-09-24 22:48:51 -05:00
William Vu
8b6519b5b4
Revert shortened reference
...
But it's so long. :(
2014-09-24 22:43:33 -05:00
William Vu
ecb10ebe28
Add variable HTTP method and other stuff
2014-09-24 22:41:01 -05:00
Joe Vennix
f6708b4d83
Check for running vmware processes first.
2014-09-24 19:11:38 -05:00
William Vu
a600a0655d
Scannerify the module
2014-09-24 18:58:39 -05:00
William Vu
abadf65d8d
Clean up title and formatting
2014-09-24 18:42:43 -05:00
William Vu
2562964581
Revert to my original code of using CMD
2014-09-24 18:00:13 -05:00
Joe Vennix
99da950734
Adds osx vmware/bash priv escalation.
2014-09-24 17:44:14 -05:00
William Vu
6ae578f80f
Add Stephane Chazelas as an author
2014-09-24 17:14:18 -05:00
William Vu
b2555408a4
Rename module
...
I don't think we're gonna make a supermodule like we had hoped.
2014-09-24 16:55:10 -05:00
William Vu
31e9e97146
Replace unnecessary reference with a better one
2014-09-24 16:52:43 -05:00
William Vu
fc04bf9d48
Update description
...
This is what I had when @todb-r7 beat me to the punch. >:P
2014-09-24 16:22:58 -05:00
Tod Beardsley
2f788c2e0c
Fix description
2014-09-24 16:13:05 -05:00
Joe Vennix
b96a7ed1d0
Install a global object in firefox payloads, bump jsobfu.
2014-09-24 16:05:00 -05:00
William Vu
ca63fe931d
Add CVE-2014-6271 PoC
2014-09-24 16:02:59 -05:00
Joe Vennix
5d234c0e01
Pass #send in this so jsobfu is not confused.
2014-09-24 15:07:14 -05:00
jvazquez-r7
0247e4a521
Change RequiredCmd for reverse_bash_telnet_ssl cmd payload
2014-09-24 00:40:14 -05:00
jvazquez-r7
f2cfbebbfb
Add module for ZDI-14-305
2014-09-24 00:22:16 -05:00
Brendan Coles
5f6e84580c
Clean up and use Metasploit::Credential
2014-09-24 01:00:23 +00:00
sinn3r
11b9a8a6ae
Land #3814 - Advantech WebAccess dvs.ocx GetColor BoF
2014-09-23 15:06:21 -05:00
jvazquez-r7
b021ff4399
Add noche tags
2014-09-23 13:11:06 -05:00
jvazquez-r7
5c6236e874
Fix rop chain to allow VirtualAlloc when end of stack is too close
2014-09-23 13:08:26 -05:00
sinn3r
31ecbfdc4e
Land #3756 - EMC AlphaStor Device Manager Opcode 0x75 Command Injection
2014-09-23 12:57:46 -05:00
Jon Hart
259a368577
Land #3841 , @jabra-'s modifications to ssdp_amp to support spoofing
2014-09-22 12:28:46 -07:00
Jon Hart
fc4c1907d3
Land #3839 , @jabra-'s updates to dns_amp to support spoofing
2014-09-22 12:14:39 -07:00