jvazquez-r7
807f1e3560
Fix target name
2014-10-16 17:58:45 -05:00
jvazquez-r7
c1f9ccda64
Fix ruby
2014-10-16 17:55:00 -05:00
jvazquez-r7
e40642799e
Add sandworm module
2014-10-16 16:37:37 -05:00
Jon Hart
8fdae8fbfb
Move protocol and lifetime to mixin, use correct map_target if CHOST
2014-10-16 13:24:17 -07:00
Brandon Perry
353d2f79cc
tweak pw generation
2014-10-16 12:06:19 -07:00
Brandon Perry
5f8c0cb4f3
Merge branch 'drupal' of https://github.com/FireFart/metasploit-framework into drupageddon
2014-10-16 11:53:54 -07:00
Christian Mehlmauer
c8dd08f605
password hashing
2014-10-17 15:52:47 +02:00
Brandon Perry
23b7b8e400
fix for version 7.0-7.31
2014-10-16 11:53:48 -07:00
James Lee
40b360555f
Make the error message a little more useful
2014-10-16 12:47:13 -05:00
Brandon Perry
9bab77ece6
add urls
2014-10-16 10:36:37 -07:00
Brandon Perry
b031ce4df3
Create drupal_drupageddon.rb
2014-10-16 16:42:47 -05:00
Brandon Perry
5c4ac48db7
update the drupal module a bit with error checking
2014-10-16 10:32:39 -07:00
Tod Beardsley
8cf10be779
Don't assume SSLv3 is set (kill FP+s)
2014-10-16 10:43:58 -05:00
Tod Beardsley
0b67efd51e
Add a POODLE scanner and general SSL version scan
2014-10-16 10:27:37 -05:00
Spencer McIntyre
09069f75c2
Fix #4019 , fix NameError peer and disconnect in check
2014-10-16 08:32:20 -04:00
Martin Vigo
36d6220f8f
Make use of Rex::Ui::Text::Table
2014-10-15 23:13:53 -07:00
Martin Vigo
bb421859d3
Refactor code and add support for all Windows
2014-10-15 22:15:54 -07:00
Martin Vigo
c7e0ced02b
Remove useless conditions
2014-10-15 21:29:47 -07:00
Martin Vigo
2bdc703930
Remove useless condition
2014-10-15 21:16:06 -07:00
Martin Vigo
5fa39782b8
Fix unused variable
2014-10-15 21:10:50 -07:00
Martin Vigo
8fc0f0955e
Add support for Firefox
2014-10-15 20:44:20 -07:00
Martin Vigo
47794510c3
Add support for Firefox in XP
2014-10-15 20:44:19 -07:00
Martin Vigo
484d98d0a8
Meet rubocop and msftify rules
2014-10-15 20:17:36 -07:00
Martin Vigo
85e6febe09
Add module to extract/decrypt LastPass credentials
2014-10-15 20:17:36 -07:00
James Lee
41a57b7ba5
Re-enable proxies for HTTP-based login scanners
2014-10-15 17:00:44 -05:00
Jon Hart
07f2d4dafe
Further improvements to NAT-PMP. Faster, more useful, less not useful
2014-10-15 06:39:38 -07:00
Fernando Munoz
4c2ae1a753
Fix jenkins when CSRF is enabled
2014-10-14 19:33:23 -05:00
Tod Beardsley
592f1e9893
Land #3999 , errors on login suppressed by default
...
This also solved the merge conflict on:
modules/auxiliary/scanner/http/jenkins_login.rb
Fixes #3995 .
2014-10-14 16:35:09 -05:00
Jon Hart
ea6824c46f
WIP of NAT-PMP rework
2014-10-14 14:20:24 -07:00
William Vu
bdbad5a81d
Fix misaligned bracket
2014-10-14 13:43:59 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Tod Beardsley
56534e7ad3
Changed a login failed to vprint instead of print
...
People often like to supress failed attempts. Note that this change may
or may not have any effect, given the status of #3995 .
This module was introduced in PR #3947 .
2014-10-14 12:01:09 -05:00
Tod Beardsley
b1223165d4
Trivial grammar fixes
2014-10-14 12:00:50 -05:00
Tod Beardsley
6ea3a78b47
Clarify the description on HP perfd module
...
Introduced in #3992
2014-10-14 11:58:52 -05:00
jvazquez-r7
39a09ad750
Use ARCH_CMD on Windows target
2014-10-14 10:24:32 -05:00
jvazquez-r7
a0fc0cf87f
Update ranking
2014-10-13 17:44:00 -05:00
Nikita
621b9523b1
Update tnspoison_checker.rb
2014-10-13 22:05:08 +04:00
Nikita
1996886ae9
Update tnspoison_checker.rb
2014-10-13 12:53:39 +04:00
Nikita
22aabc7805
Add new module to test TNS poison
...
This module simply checks the server for vulnerabilities like TNS Poison
2014-10-13 12:21:07 +04:00
Jon Hart
d51d2bf5a0
Land #3990 , @wchen-r7's fix for #3984 , a busted check in drupal_views_user_enum
2014-10-12 19:38:55 -07:00
Jon Hart
76275a259a
Minor style cleanup of help and a failure message
2014-10-12 18:34:13 -07:00
jvazquez-r7
ca05c4c2f4
Fix @wchen-r7's feedback
...
* use vprint_* on check
* rescue get_once
2014-10-12 17:44:33 -05:00
us3r777
444b01c4b0
Typo + shorten php serialized object
2014-10-12 21:29:04 +02:00
jvazquez-r7
46bf8f28e0
Fix regex
2014-10-11 21:37:05 -05:00
jvazquez-r7
6092e84067
Add module for ZDI-14-344
2014-10-11 21:33:23 -05:00
Jon Hart
c3a58cec9e
Make note of other commands to investigate
2014-10-11 13:07:52 -07:00
Jon Hart
c80a5b5796
List commands in sorted order
2014-10-11 13:00:30 -07:00
Jon Hart
4ffc8b153c
Support running more than one perfd command in a single pass
2014-10-11 11:38:00 -07:00
Jon Hart
c72593fae4
Store just banner for service, loot the rest. Also, minor style.
2014-10-11 11:12:49 -07:00
Jon Hart
9550c54cd2
Correct indentation and whitespace
2014-10-11 10:39:12 -07:00
sinn3r
9500038695
Fix #3995 - Make negative messages less verbose
...
As an user testing against a large network, I only want to see
good news, not bad news.
2014-10-11 11:11:09 -05:00
Roberto Soares Espreto
7bd0f2c114
Changed Name, array in OptEnum and operator
2014-10-11 09:03:18 -03:00
Roberto Soares Espreto
cbde2e8cd1
Variable cmd now with interpolation
2014-10-10 18:21:16 -03:00
Roberto Soares Espreto
291bfed47e
Using Rex.sleep instead of select
2014-10-10 15:17:40 -03:00
Roberto Soares Espreto
bd315d7655
Changed print_good and OptEnum
2014-10-10 13:54:42 -03:00
Roberto Soares Espreto
08fdb4fab2
Add module to enumerate environment HP via perfd daemon
2014-10-10 13:09:36 -03:00
sinn3r
260aa8dc22
Fix #3984 - Fix broken check for drupal_views_user_enum
2014-10-10 10:23:20 -05:00
0a2940
e689a0626d
Use Rex.sleep :-)
...
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"
user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
nstarke
472985a8a8
Adding Buffalo Linkstation NAS Login Scanner
...
I have added a login scanner for the Buffalo Linkstation
NAS. I have been testing against version 1.68 of the
firmware. Also included are some specs for this module.
2014-10-10 03:16:48 +00:00
Tod Beardsley
aefd15c185
Land #3376 , ARRIS SNMP enumerator from @inokii
2014-10-09 15:28:06 -05:00
jvazquez-r7
520e1bccca
Land #3692 , @TomSellers's support for Metasploit Credential on enum_snmp
2014-10-09 15:18:44 -05:00
sinn3r
7d8eadada6
Fix #3974 - Validate and normalize URI for axis_login
2014-10-09 14:33:39 -05:00
sinn3r
c9c34beafa
Fix #3975 - Register TARGETURI, not URI
...
The module should register TARGETURI and call #target_uri for
URI validation.
2014-10-09 14:10:29 -05:00
Pedro Ribeiro
4b7a446547
... and restore use of the complicated socket
2014-10-09 18:30:45 +01:00
Pedro Ribeiro
c78651fccc
Use numbers for version tracking
2014-10-09 18:29:27 +01:00
Pedro Ribeiro
8163b7de96
Thanks for helping me clean up Todd!
2014-10-09 18:20:31 +01:00
sinn3r
d366cdcd6e
Fix #3976 - validate and normalize user-supplied URI for http_login.rb
...
URI should be validated and normalized before being used in an HTTP
request.
2014-10-09 12:14:33 -05:00
Pedro Ribeiro
9d1e206e43
Incorporate cred changes and other minor fixes
2014-10-09 17:59:38 +01:00
Spencer McIntyre
a535d236f6
Land #3947 , login scanner for jenkins by @nstarke
2014-10-09 12:59:02 -04:00
Spencer McIntyre
6ea530988e
Apply rubocop changes and remove multiline print
2014-10-09 12:57:39 -04:00
us3r777
2428688565
CVE-2014-7228 Joomla/Akeeba Kickstart RCE
...
Exploit via serialiazed PHP object injection. The Joomla! must be
updating more precisely, the file $JOOMLA_WEBROOT/administrator/
components/com_joomlaupdate/restoration.php must be present
2014-10-09 18:51:24 +02:00
jvazquez-r7
3305b1e9c3
Land #3984 , @nullbind's MSSQL privilege escalation module
2014-10-09 11:39:15 -05:00
jvazquez-r7
10b160bedd
Do final cleanup
2014-10-09 11:38:45 -05:00
jvazquez-r7
bbe435f5c9
Don't rescue everything
2014-10-09 11:25:13 -05:00
jvazquez-r7
0cd7454a64
Use default value for doprint
2014-10-09 11:04:42 -05:00
jvazquez-r7
db6f6d4559
Reduce code complexity
2014-10-09 10:59:14 -05:00
jvazquez-r7
615b8e5f4a
Make easy method comments
2014-10-09 10:48:00 -05:00
jvazquez-r7
dd03e5fd7d
Make just one connection
2014-10-09 10:46:51 -05:00
jvazquez-r7
ccf677aad6
land #3978 , Fixes #3973 , Wrong datastore option URI in glassfish_login
2014-10-09 09:53:01 -05:00
sinn3r
df0d4f9fb2
Fix #3973 - Unneeded datastore option URI
...
When Glassfish is installed, the web root is always /, so there is
no point to make this arbitrary.
2014-10-09 00:06:15 -05:00
Christian Mehlmauer
1584c4781c
Add reference
2014-10-09 06:58:15 +02:00
nullbind
168f1e559c
fixed status
2014-10-08 21:19:50 -05:00
nullbind
3ebcaa16a1
removed scanner
2014-10-08 21:18:56 -05:00
nstarke
328be3cf34
Fine Tuning Jenkins Login Module
...
At the request of the maintainers, I have deregistered the
RHOST option and made the failure proof a verbose only
print.
2014-10-08 17:53:21 -05:00
jvazquez-r7
4f96d88a2f
Land #3949 , @us3r777's exploit for CVE-2014-6446, wordpress infusionsoft plugin php upload
2014-10-08 16:35:49 -05:00
jvazquez-r7
66a8e7481b
Fix description
2014-10-08 16:35:14 -05:00
jvazquez-r7
8ba8402be3
Update timeout
2014-10-08 16:32:05 -05:00
jvazquez-r7
bbf180997a
Do minor cleanup
2014-10-08 16:29:11 -05:00
Pedro Ribeiro
4817e1e953
Update trackit_sql_domain_creds.rb
2014-10-08 21:41:04 +01:00
William Vu
f86c0c2bb5
Land #3970 , rm jtr_unshadow
2014-10-08 14:55:15 -05:00
Jay Smith
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
jvazquez-r7
411f6c8b2d
Land #3793 , @mfadzilr's exploit for CVE-2014-6287, HFS remote code execution
2014-10-08 12:16:09 -05:00
jvazquez-r7
98b69e095c
Use %TEMP% and update ranking
2014-10-08 12:12:00 -05:00
jvazquez-r7
d90fe4f724
Improve check method
2014-10-08 12:03:16 -05:00
jvazquez-r7
25344aeb6a
Change filename
2014-10-08 11:55:33 -05:00
jvazquez-r7
909f88680b
Make exploit aggressive
2014-10-08 11:08:01 -05:00
jvazquez-r7
d02f0dc4b9
Make minor cleanup
2014-10-08 10:36:56 -05:00
jvazquez-r7
d913bf1c35
Fix metadata
2014-10-08 10:29:59 -05:00
Tod Beardsley
a901916b0b
Remove nonfunctional jtr_unshadow
...
This module hasn't been doing anything but print_error a go away message
since June, so may as well get rid of it.
2014-10-08 10:23:29 -05:00
Brendan Coles
e0016d4af3
Remove hash rocket from refs array #3766
...
[SeeRM #8776 ]
2014-10-08 09:16:38 +00:00
Brendan Coles
3c7be9c4c5
Remove hash rockets from references #3766
...
[SeeRM #8776 ]
2014-10-08 09:01:19 +00:00
Pedro Ribeiro
6af6b502c3
Remove spaces at EOL
2014-10-08 08:30:30 +01:00
Pedro Ribeiro
0a9795216a
Add OSVDB id and full disclosure URL
2014-10-08 08:25:41 +01:00
Pedro Ribeiro
713ff5134a
Add OSVDB id
2014-10-08 08:24:44 +01:00
Pedro Ribeiro
bd812c593c
Add full disclosure URL
2014-10-08 08:24:04 +01:00
Pedro Ribeiro
bbac61397d
Restore :address to rhost and explain why
2014-10-08 08:23:43 +01:00
sinn3r
c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution
2014-10-08 00:30:07 -05:00
Pedro Ribeiro
9cb0ad1ac2
Change the reporting address to the real value
2014-10-08 01:18:17 +01:00
Pedro Ribeiro
6e9bebdaf9
Fix noob mistake in assignment
2014-10-08 01:04:15 +01:00
Pedro Ribeiro
7dbfa19e65
Add exploit for Track-It! domain/sql creds vuln
2014-10-07 23:54:43 +01:00
Pedro Ribeiro
d328b2c29d
Add exploit for Track-It! file upload vuln
2014-10-07 23:50:10 +01:00
jvazquez-r7
299d9afa6f
Add module for centreon vulnerabilities
2014-10-07 14:40:51 -05:00
jvazquez-r7
3daa1ed4c5
Avoid changing modules indentation in this pull request
2014-10-07 10:41:25 -05:00
jvazquez-r7
341d8b01cc
Favor echo encoder for back compatibility
2014-10-07 10:24:32 -05:00
jvazquez-r7
3628f73235
Fix ARCH_CMD perl encoding
2014-10-07 10:21:30 -05:00
jvazquez-r7
e63b389713
Add @jlee-r7's changes to perl encoding
2014-10-07 00:16:16 -05:00
nullbind
031fb19153
requested updates
2014-10-06 23:52:30 -05:00
William Vu
399a61d52e
Land #3946 , ntp_readvar updates
2014-10-06 21:57:57 -05:00
nstarke
e1b0ba5d3d
Removing 'require pry'
...
I accidentally left a reference to pry in my code.
Removing
2014-10-06 21:40:39 -05:00
nstarke
b8c2643d56
Converting Module to LoginScanner w/ Specs
...
The previous commits for this Jenkins CI module relied on an
obsolete pattern. Consequently, it was necessary to write
this module as a LoginScanner and incorporate the appropriate
specs so that the tests will run properly.
2014-10-06 21:14:10 -05:00
jvazquez-r7
0089810026
Merge to update
2014-10-06 19:09:31 -05:00
jvazquez-r7
6f174a9996
Fix obvious introduced bug
2014-10-06 18:56:25 -05:00
jvazquez-r7
6b52ce9101
Delete 'old' generic_sh unix cmd encoder, favor splitting
2014-10-06 18:45:10 -05:00
jvazquez-r7
212762e1d6
Delete RequiredCmd for unix cmd encoders, favor EncoderType
2014-10-06 18:42:21 -05:00
sinn3r
d3354d01f0
Fix #3808 - NoMethodError undefined method `map'
...
NoMethodError undefined method `map' due to an incorrect use of
load_password_vars
2014-10-06 15:42:51 -05:00
Jon Hart
8c8ccc1d54
Update Authors
2014-10-06 11:30:39 -07:00
us3r777
03888bc97b
Change the check function
...
Use regex based detection
2014-10-06 18:56:01 +02:00
us3r777
29111c516c
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
...
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for
WordPress does not properly restrict access, which allows remote
attackers to upload arbitrary files and execute arbitrary PHP
code via a request to utilities/code_generator.php.
2014-10-06 14:10:01 +02:00
nstarke
69400cf280
Fixing Author Declaration
...
I had accidentally listed myself three times as the author.
Fixing that issue so that I am only declaring myself once.
2014-10-05 23:17:28 -05:00
nstarke
c0a3691817
Adding Jenkins-CI Login Scanner
...
Per Github issue #3871 (RM8774), I have added a
login scanner module for Jenkins-CI installations.
2014-10-05 22:08:34 -05:00
James Lee
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Jon Hart
a341756e83
Support spoofing source IPs for NTP readvar, include status messages
2014-10-03 14:05:57 -07:00
Jon Hart
fa4414155a
Only include the exact readvar payload, not any padding
2014-10-03 13:58:13 -07:00
Jon Hart
65c1a8230a
Address most Rubocop complaints
2014-10-03 13:47:29 -07:00
Jon Hart
0715c671c6
Update NTP readvar module to detect DRDoS, UDPScanner to be faster
2014-10-03 13:28:30 -07:00
William Vu
f7e709dcb3
Land #3941 , new WPVDB reference
2014-10-03 10:17:02 -05:00
Christian Mehlmauer
f45b89503d
change WPVULNDBID to WPVDB
2014-10-03 17:13:18 +02:00
0a2940
f2b9aeed74
typo
2014-10-03 11:02:56 +01:00
0a2940
f60f6d9c92
add exploit for CVE-2011-1485
2014-10-03 10:54:43 +01:00
Brandon Perry
2c9446e6a8
Update f5_icontrol_exec.rb
2014-10-02 17:56:24 -05:00
Christian Mehlmauer
33b37727c7
Added wpvulndb links
2014-10-02 23:03:31 +02:00
Joe Vennix
5a8eca8946
Adds a :vuln_test option to BES, just like in BAP.
...
I needed this to run a custom JS check for the Android
webview vuln when the exploit is served straight
through BES. The check already existed when using BAP,
so I tried to preserve that syntax, and also added a
:vuln_test_error as an optional error message.
This commit also does some mild refactoring of un-
useful behavior in BES.
2014-10-01 23:34:31 -05:00
HD Moore
0380c5e887
Add CVE-2014-6278 support, lands #3932
2014-10-01 18:25:41 -05:00
William Vu
c1b0acf460
Add CVE-2014-6278 support to the exploit module
...
Same thing.
2014-10-01 17:58:25 -05:00
William Vu
5df614d39b
Land #3928 , release fixes
2014-10-01 17:21:08 -05:00
HD Moore
77bb2df215
Adds support for both CVEs, lands #3931
2014-10-01 17:06:59 -05:00
William Vu
51bc5f52c1
Add CVE-2014-6278 support
...
Going with an OptEnum to simplify the code for now...
2014-10-01 16:40:55 -05:00
Spencer McIntyre
8cf718e891
Update pureftpd bash module rank and description
2014-10-01 17:19:31 -04:00
James Lee
7e05ff343e
Fix smbdirect
...
Also some whitespace and a typo in output message
2014-10-01 16:02:59 -05:00
James Lee
a21752bc9c
Fix NoMethodError on os, mark DCs as 'server'
2014-10-01 16:02:46 -05:00
Tod Beardsley
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
Spencer McIntyre
cf6029b2cf
Remove the less stable echo stager from the exploit
2014-10-01 15:15:07 -04:00
Spencer McIntyre
632edcbf89
Add CVE-2014-6271 exploit via Pure-FTPd ext-auth
2014-10-01 14:57:40 -04:00
William Vu
9bfd013e10
Land #3923 , mv misc/pxexploit to local/pxeexploit
...
Also renamed typo'd pxexploit -> pxeexploit.
2014-09-30 17:48:06 -05:00
William Vu
039e544ffa
Land #3925 , rm indeces_enum
...
Deprecated.
2014-09-30 17:45:38 -05:00
sinn3r
be1df68563
Remove auxiliary/scanner/elasticsearch/indeces_enum.rb
...
Time is up, so good bye.
2014-09-30 17:24:21 -05:00
sinn3r
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
William Vu
5ea968f3ee
Update description to prefer the exploit module
2014-09-30 11:34:28 -05:00
William Vu
162e42080a
Update title to reflect scanner status
2014-09-30 11:04:17 -05:00
William Vu
de65ab0519
Fix broken check in exploit module
...
See 71d6b37088
.
2014-09-29 23:03:09 -05:00
William Vu
12d7073086
Use idiomatic Ruby for the marker
2014-09-29 22:32:07 -05:00
William Vu
71d6b37088
Fix bad header error from pure Bash CGI script
2014-09-29 22:25:42 -05:00
William Vu
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
sinn3r
b2d2101be2
Land #3913 - Change hardcoded table prefixes
2014-09-29 17:55:45 -05:00
sinn3r
8f3e03d4f2
Land #3903 - ManageEngine OpManager / Social IT Arbitrary File Upload
2014-09-29 17:53:43 -05:00
Christian Mehlmauer
b266233e95
fix bug
2014-09-30 00:21:52 +02:00
Pedro Ribeiro
533b807bdc
Add OSVDB id
2014-09-29 21:52:44 +01:00
HD Moore
878f3d12cd
Remove kind_of? per @trosen-r7
2014-09-29 15:39:10 -05:00
HD Moore
77efa7c19a
Change if/else to case statement
2014-09-29 15:37:58 -05:00
HD Moore
bfadfda581
Fix typo on match string for opera_configoverwrite
2014-09-29 15:34:35 -05:00
sinn3r
ffe5aafb2f
Land #3905 - Update exploits/multi/http/apache_mod_cgi_bash_env_exec
2014-09-29 15:19:35 -05:00
sinn3r
21b2d9eb3f
Land #3899 - WordPress custom-contact-forms Plugin SQL Upload
2014-09-29 14:40:28 -05:00
sinn3r
9e5826c4eb
Land #3844 - Add the JSObfu mixin to Firefox exploits
2014-09-29 11:15:14 -05:00
sinn3r
ababc3d8ff
Land #3869 - HP Network Node Manager I PMD Buffer Overflow
2014-09-29 11:00:12 -05:00
Meatballs
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
Spencer McIntyre
fe12ed02de
Support a user defined header in the exploit too
2014-09-27 18:58:53 -04:00
Pedro Ribeiro
f20610a657
Added full disclosure URL
2014-09-27 21:34:57 +01:00
Pedro Ribeiro
030aaa4723
Add exploit for CVE-2014-6034
2014-09-27 19:33:49 +01:00
HD Moore
64dbc396dd
Add header specification to check module, lands #3902
2014-09-27 12:58:29 -05:00
William Vu
044eeb87a0
Add variable HTTP header
...
Also switch from OptEnum to OptString for flexibility.
2014-09-27 12:39:24 -05:00
Brandon Perry
161a145ec2
Create f5_icontrol_exec.rb
2014-09-27 10:40:13 -05:00
Christian Mehlmauer
c51c19ca88
bugfix
2014-09-27 14:56:34 +02:00
Christian Mehlmauer
9a424a81bc
fixed bug
2014-09-27 13:46:55 +02:00
Christian Mehlmauer
1c30c35717
Added WordPress custom_contact_forms module
2014-09-27 13:42:49 +02:00
sinn3r
c75a0185ec
Land #3897 - Fix check for apache_mod_cgi_bash_env & apache_mod_cgi_bash_env_exec
2014-09-26 17:06:23 -05:00
jvazquez-r7
80d9af9b49
Fix spacing in description
2014-09-26 17:03:28 -05:00
jvazquez-r7
9e540637ba
Add module for CVE-2014-5377 ManageEngine DeviceExpert User Credentials
2014-09-26 17:02:27 -05:00
jvazquez-r7
3259509a9c
Use return
2014-09-26 16:04:15 -05:00
jvazquez-r7
0a3735fab4
Make it better
2014-09-26 16:01:10 -05:00
jvazquez-r7
3538b84693
Try to make a better check
2014-09-26 15:55:26 -05:00
jvazquez-r7
6e2d297e0c
Credit the original vuln discoverer
2014-09-26 13:45:09 -05:00
jvazquez-r7
e1f00a83bc
Fix Rex because domainname and domain_name were duplicated
2014-09-26 13:40:52 -05:00
jvazquez-r7
5044117a78
Refactor dhclient_bash_env to use the egypt's mixin mods
2014-09-26 13:34:44 -05:00
nullbind
ebf4e5452e
Added mssql_escalate_dbowner module
2014-09-26 10:29:35 -05:00
jvazquez-r7
a4bc17ef89
deregister options needed for exploitation
2014-09-26 10:15:46 -05:00
jvazquez-r7
54e6763990
Add injection to HOSTNAME and URL
2014-09-26 10:13:24 -05:00
jvazquez-r7
a31b4ecad9
Merge branch 'review_3893' into test_land_3893
2014-09-26 08:41:43 -05:00
James Lee
86f85a356d
Add DHCP server module for CVE-2014-6271
2014-09-26 01:24:42 -05:00
sinn3r
38c8d92131
Land #3888 - exploit module version of CVE-2014-6271
2014-09-26 00:31:41 -05:00
HD Moore
b878ad2b75
Add a module to exploit bash via DHCP, lands #3891
...
This module is just a starting point for folks to test their DHCP client implementations and we plan to significantly overhaul this once we get a bit of breathing room.
2014-09-25 23:38:40 -05:00
Ramon de C Valle
9c11d80968
Add dhclient_bash_env.rb (Bash exploit)
...
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
2014-09-26 01:37:00 -03:00
jvazquez-r7
ad864cc94b
Delete unnecessary code
2014-09-25 16:18:01 -05:00
Joe Vennix
2b02174999
Yank Android->jsobfu integration. Not really needed currently.
2014-09-25 16:00:37 -05:00
jvazquez-r7
9245bedf58
Make it more generic, add X86_64 target
2014-09-25 15:54:20 -05:00
Samuel Huckins
be6552dae7
Clarifying VMware priv esc via bash module name
2014-09-25 14:34:09 -05:00
jvazquez-r7
d8c03d612e
Avoid failures due to bad payload selection
2014-09-25 13:49:04 -05:00
jvazquez-r7
91e5dc38bd
Use datastore timeout
2014-09-25 13:36:05 -05:00
jvazquez-r7
8a43d635c3
Add exploit module for CVE-2014-6271
2014-09-25 13:26:57 -05:00
jvazquez-r7
e0fc30c040
Land #3884 , @wvu's check and reporting for apache_mod_cgi_bash_env
2014-09-25 09:52:17 -05:00
William Vu
f66c854ad6
Fix description to be less lulzy
2014-09-25 07:09:08 -05:00
William Vu
9ed28408e1
Favor check_host for a scanner
2014-09-25 07:06:12 -05:00
William Vu
62b74aeaed
Reimplement old check code I was testing before
...
I would like to credit @wchen-r7 for providing advice and feedback.
@jvazquez-r7, too! :)
2014-09-25 06:38:25 -05:00
William Vu
d9120cd586
Fix typo in description
...
Running on fumes here...
2014-09-25 01:22:08 -05:00
William Vu
790df96396
Fix missed var
2014-09-25 01:19:14 -05:00
Rob Fuller
f13289ab65
remove debugging
2014-09-25 02:16:19 -04:00
William Vu
e051cf020d
Add missed mixin
2014-09-25 01:14:58 -05:00
William Vu
27b8580f8d
Add protip to description
...
This gets you lots of shells.
2014-09-25 01:10:22 -05:00
Rob Fuller
8cb4ed4cb7
re-add quotes -oops
2014-09-25 02:09:12 -04:00
William Vu
b1e9b3664e
Improve false positive check
2014-09-25 01:01:11 -05:00
Rob Fuller
6fb587ef96
update to use vmware-vmx-stats
2014-09-25 01:55:04 -04:00
William Vu
8daf8d4339
Report vuln for apache_mod_cgi_bash_env
...
Now with fewer false positives! It's kinda like a check method.
2014-09-25 00:42:14 -05:00
jvazquez-r7
37753e656e
Land #3882 , @jvennix-r7's vmware/bash privilege escalation module
2014-09-25 00:42:12 -05:00
jvazquez-r7
456d731aa3
Fix processes check
2014-09-25 00:24:39 -05:00
William Vu
5a59b7cd89
Fix formatting
2014-09-24 23:12:11 -05:00
William Vu
e6f0736797
Add peer
2014-09-24 22:48:51 -05:00
William Vu
8b6519b5b4
Revert shortened reference
...
But it's so long. :(
2014-09-24 22:43:33 -05:00
William Vu
ecb10ebe28
Add variable HTTP method and other stuff
2014-09-24 22:41:01 -05:00
Joe Vennix
f6708b4d83
Check for running vmware processes first.
2014-09-24 19:11:38 -05:00
William Vu
a600a0655d
Scannerify the module
2014-09-24 18:58:39 -05:00
William Vu
abadf65d8d
Clean up title and formatting
2014-09-24 18:42:43 -05:00
William Vu
2562964581
Revert to my original code of using CMD
2014-09-24 18:00:13 -05:00
Joe Vennix
99da950734
Adds osx vmware/bash priv escalation.
2014-09-24 17:44:14 -05:00
William Vu
6ae578f80f
Add Stephane Chazelas as an author
2014-09-24 17:14:18 -05:00
William Vu
b2555408a4
Rename module
...
I don't think we're gonna make a supermodule like we had hoped.
2014-09-24 16:55:10 -05:00
William Vu
31e9e97146
Replace unnecessary reference with a better one
2014-09-24 16:52:43 -05:00
William Vu
fc04bf9d48
Update description
...
This is what I had when @todb-r7 beat me to the punch. >:P
2014-09-24 16:22:58 -05:00
Tod Beardsley
2f788c2e0c
Fix description
2014-09-24 16:13:05 -05:00
Joe Vennix
b96a7ed1d0
Install a global object in firefox payloads, bump jsobfu.
2014-09-24 16:05:00 -05:00
William Vu
ca63fe931d
Add CVE-2014-6271 PoC
2014-09-24 16:02:59 -05:00
Joe Vennix
5d234c0e01
Pass #send in this so jsobfu is not confused.
2014-09-24 15:07:14 -05:00
jvazquez-r7
0247e4a521
Change RequiredCmd for reverse_bash_telnet_ssl cmd payload
2014-09-24 00:40:14 -05:00
jvazquez-r7
f2cfbebbfb
Add module for ZDI-14-305
2014-09-24 00:22:16 -05:00
Brendan Coles
5f6e84580c
Clean up and use Metasploit::Credential
2014-09-24 01:00:23 +00:00
sinn3r
11b9a8a6ae
Land #3814 - Advantech WebAccess dvs.ocx GetColor BoF
2014-09-23 15:06:21 -05:00
jvazquez-r7
b021ff4399
Add noche tags
2014-09-23 13:11:06 -05:00
jvazquez-r7
5c6236e874
Fix rop chain to allow VirtualAlloc when end of stack is too close
2014-09-23 13:08:26 -05:00
sinn3r
31ecbfdc4e
Land #3756 - EMC AlphaStor Device Manager Opcode 0x75 Command Injection
2014-09-23 12:57:46 -05:00
Jon Hart
259a368577
Land #3841 , @jabra-'s modifications to ssdp_amp to support spoofing
2014-09-22 12:28:46 -07:00
Jon Hart
fc4c1907d3
Land #3839 , @jabra-'s updates to dns_amp to support spoofing
2014-09-22 12:14:39 -07:00
Jon Hart
8f63075da4
Land #3837 , @jabra-'s update to chargen scanner to support spoofing
2014-09-22 12:02:01 -07:00
Jon Hart
4e9f1282de
Land #3834 , @jabra-'s updates to UDPscanner to support spoofing
2014-09-22 11:49:53 -07:00
Joe Vennix
d9e6f2896f
Add the JSObfu mixin to a lot of places.
2014-09-21 23:45:59 -05:00
sinn3r
2a714a7c4d
Fix a typo
...
Downloading and deleting are two very different things. Thanks Dan.
2014-09-21 18:35:26 -05:00
Josh Abraham
b7a0847114
SRC IP spoofing added to the SSDP amplification module
2014-09-20 21:37:01 -04:00
Josh Abraham
bb018de3a1
chargen src IP spoofing
2014-09-20 16:08:52 -04:00
Josh Abraham
3fb00ece9e
refactored the code based on PR feedback
2014-09-20 14:10:00 -04:00
mfadzilr
a2a2ca550e
add test result on different windows version
2014-09-20 20:06:30 +08:00
mfadzilr
dd71c666dc
added osvdb reference and software download url, use FileDropper method
...
for cleanup
2014-09-20 15:31:28 +08:00
mfadzilr
19ed594e98
using FileDropper method for cleanup
2014-09-20 10:52:21 +08:00
jvazquez-r7
9acccfe9ba
Fix description
2014-09-19 17:18:59 -05:00
jvazquez-r7
d826132f87
Delete CVE, add EDB
2014-09-19 17:16:03 -05:00
jvazquez-r7
7afbec9d6c
Land #2890 , @Ahmed-Elhady-Mohamed module for OSVDB 93034
2014-09-19 17:12:49 -05:00
jvazquez-r7
1fa5c8c00c
Add check method
2014-09-19 17:11:16 -05:00
jvazquez-r7
ce0b00bb0b
Change module location and filename
2014-09-19 16:59:35 -05:00
jvazquez-r7
0267e889e2
Use FileDropper
2014-09-19 16:58:21 -05:00
jvazquez-r7
6fd5027e05
Avoid UploadPath datastore option, parse from response
2014-09-19 16:55:28 -05:00
jvazquez-r7
2ce9bdf152
Use target_uri.path.to_s instead of uri
2014-09-19 16:43:40 -05:00
jvazquez-r7
eb55c7108b
Fix indentantion again
2014-09-19 16:41:07 -05:00
jvazquez-r7
cbfb7e600d
Use Rex::MIME::Message
2014-09-19 16:29:09 -05:00
jvazquez-r7
cffb28b5d3
Fix indentantion
2014-09-19 16:18:46 -05:00
jvazquez-r7
c00094ba6e
Land #3345 , @mvdevnull's auxiliary module for OSVDB 106815, Alienvault sqli
2014-09-19 15:01:21 -05:00
jvazquez-r7
62414e2214
Add Timeout to exploit sqli
2014-09-19 15:00:54 -05:00
jvazquez-r7
db6372ec8b
Do minor module cleanup
2014-09-19 14:43:35 -05:00
jvazquez-r7
4a9294e3bf
Mark module as not executable
2014-09-19 14:36:44 -05:00
jvazquez-r7
405ac34a16
Fix author name
2014-09-19 13:56:13 -05:00
jvazquez-r7
79d5fb56d4
Land #3829 , @jhart-r7's UDP emtpy probe scanner
2014-09-19 13:54:35 -05:00
Jon Hart
737f77d31a
Cleaner output when PORTS is invalid
2014-09-19 11:12:14 -07:00
Jon Hart
3493987300
report_service when we find something this way
2014-09-19 10:45:06 -07:00
Josh Abraham
43171141da
update for ntp modules
2014-09-19 11:14:11 -04:00
mfadzilr
677d035ce8
added proper regex for check function
...
add comment for changed code
2014-09-19 11:30:51 +08:00
Jon Hart
a54b23642e
Relocate empty UDP scanner
2014-09-18 12:31:52 -07:00
Brendan Coles
6cad5d9aeb
Add ManageEngine DeviceExpert User Credentials
2014-09-18 19:18:59 +00:00
Tod Beardsley
5dad73a28f
Explicitly require credential_collection
...
Otherwise, you run into a require ordering problem on some platforms.
This is not a great way to fix this -- but it's a fast way, and possibly
even a good way, since you're being explicit about what your module
requirements are.
2014-09-17 15:47:30 -05:00
jvazquez-r7
64ac1e6b26
Rand padding
2014-09-17 08:09:09 -05:00
sinn3r
50fa5745bb
Rm print_debug line
...
I forgot to remove this line while testing the module
2014-09-16 16:46:40 -05:00
jvazquez-r7
e593a4c898
Add comment about gadgets origin
2014-09-16 16:38:03 -05:00
sinn3r
07c14f5ee8
Land #3388 - Post mod to check Win32_QuickFixEngineering
2014-09-16 16:18:04 -05:00
sinn3r
36a3abe036
Add a reference
2014-09-16 16:17:22 -05:00
jvazquez-r7
80f02c2a05
Make module ready to go
2014-09-16 15:18:11 -05:00
sinn3r
169d04020d
Land #3571 - Add Wordpress XML-RPC Login Scanner (with LoginScanner)
2014-09-16 14:51:24 -05:00
sinn3r
4ed1fa55f5
Don't need this header
2014-09-16 14:50:32 -05:00
William Vu
35b8c2be4b
Land #3800 , release fixes
2014-09-16 14:05:23 -05:00
Joe Vennix
59dfa624c4
Add a REMOTE_JS datastore option for BeEf hooks etc.
2014-09-16 13:31:03 -05:00
sinn3r
3e09283ce5
Land #3777 - Fix struts_code_exec_classloader on windows
2014-09-16 13:09:58 -05:00
sinn3r
158d4972d9
More references and pass msftidy
2014-09-16 12:54:27 -05:00
Tod Beardsley
bd17c96a6e
Dropped a hyphen in the title
2014-09-16 12:47:44 -05:00
Vincent Herbulot
7a7b6cb443
Some refactoring
...
Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
2014-09-16 17:49:45 +02:00
mfadzilr
978803e9d8
add proper regex
2014-09-16 21:49:02 +08:00
us3r777
4c615ecf94
Module for CVE-2014-5519, phpwiki/ploticus RCE
2014-09-16 00:09:41 +02:00
jvazquez-r7
7d4c4c3658
Land #3699 , @dmaloney-r7's ipboard login refactor
2014-09-15 08:29:42 -05:00
mfadzilr
783b03efb6
change line 84 as mubix advice, update disclosure date according to
...
bugtraq security list.
2014-09-15 17:21:05 +08:00
mfadzilr
9860ed340e
run msftidy, make correction for CVE format and space at EOL (line 77)
2014-09-15 13:13:25 +08:00
mfadzilr
f1d3c44f4f
exploit module for HTTP File Server version 2.3b, exploiting HFS scripting commands 'save' and 'exec'.
2014-09-15 12:59:27 +08:00
mfadzilr
74ef83812a
update module vulnerability information
2014-09-15 01:43:18 +08:00
mfadzilr
8b4b66fcaa
initial test
2014-09-14 12:26:02 +08:00
HD Moore
b8a1010ba4
Switch to Array#union and rename preserved_registers
2014-09-13 22:48:14 -05:00
jvazquez-r7
3a6066792d
Work in rop chain...
2014-09-13 17:38:19 -05:00
jvazquez-r7
83bf220a10
Land #3730 , @TomSellers's post module for Remote Desktop Connection Manager
2014-09-12 15:38:33 -05:00
jvazquez-r7
5da6a450f1
fix find condition
2014-09-12 15:21:50 -05:00
jvazquez-r7
1749fc73c2
Change module filename
2014-09-12 15:05:33 -05:00
jvazquez-r7
95b6529579
Fix run method
2014-09-12 14:27:25 -05:00
jvazquez-r7
373861abb0
Land #3526 , @jhart-r7's soap_xml scanner cleanup
2014-09-12 13:29:52 -05:00
jvazquez-r7
12f949781a
Use double quote for xml strings
2014-09-12 13:18:48 -05:00
jvazquez-r7
67c0ee654b
Use Gem::Version
2014-09-12 10:35:12 -05:00
jvazquez-r7
0d054d8354
Update with master changes
2014-09-12 09:52:32 -05:00
jvazquez-r7
e2ef927177
Add first version for ZDI-14-255
2014-09-12 08:57:54 -05:00
William Vu
60b29cbd5e
Fix word splitting problem
2014-09-12 06:50:53 -05:00
William Vu
8a6a205e39
Land #3724 , NetworkManager creds module
2014-09-12 05:48:35 -05:00
William Vu
131401f024
Remove unused method
2014-09-12 05:48:11 -05:00
Luke Imhoff
706655f755
Land #3779 , Glassfish LoginScanner exception
...
MSP-11343
2014-09-11 15:57:47 -05:00
Tod Beardsley
d2f2b142b4
Land #3760 , Arris WEP/WPA leak from @dheiland-r7
2014-09-11 15:39:19 -05:00
Tod Beardsley
4fc1ec09c7
Land #3759 , Android UXSS, with ref/desc fixes
...
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)
Also fixes #3782 (opened by accident).
2014-09-11 14:27:51 -05:00
Tod Beardsley
fbba4b32e0
Update the title and desc to be more descriptive
...
See #3759
2014-09-11 14:06:14 -05:00
Tod Beardsley
d627ab7628
Add refs for Android UXSS
...
See #3759
2014-09-11 14:05:50 -05:00
James Lee
8aa06b8605
Better api for check_setup
2014-09-10 23:43:54 -05:00
HD Moore
71228b48a0
Update 3 more encoders to be StageEncoder compatible
...
This could probably use some DRY love via a mixin
2014-09-10 20:21:35 -05:00
James Lee
c1658e5d51
Add a check_setup method
2014-09-10 20:09:46 -05:00
James Lee
84e4db9035
Don't raise in the middle
...
MSP-11343
This means we don't bomb out with an unhandled exception, instead
continuing attempting logins against the host even though it will never
succeed. Next up: verify state before running scan!()
2014-09-10 20:09:33 -05:00
HD Moore
815e007f48
Fix two cosmetic typos
2014-09-10 19:07:40 -05:00
Deral Heiland
872ba6a53b
Update arris_dg950 module with required changes
...
Collapsed several levels of the if/else statement and changed out 2 with
case. Changed print_good to print_line. Removed rescue ::Interrupt and
altered variable names to make them more readable
2014-09-10 19:07:53 -04:00
jvazquez-r7
373eb3dda0
Make struts_code_exec_classloader to work on windows
2014-09-10 18:00:16 -05:00
Jon Hart
e317bfe0d5
Add preliminary module for discovering services with empty UDP probes
2014-09-10 10:58:22 -07:00
sinn3r
280e16c241
Land #3677 - Updated shodan_search for new API
2014-09-10 11:39:00 -05:00
sinn3r
006393360e
Add conditions to check healthy shodan results
2014-09-10 11:38:06 -05:00
James Lee
257f0fc93e
Quick fix for ssh_login_pubkey
...
Fixes #3772 , closes #3774
2014-09-10 09:57:17 -05:00
Jon Hart
495e1c14a1
Land #3721 , @brandonprry's module for Railo CVE-2014-5468
2014-09-09 19:10:46 -07:00
Jon Hart
26d8432a22
Minor style and usability changes to @brandonprry's #3721
2014-09-09 19:09:45 -07:00
Brandon Perry
db6052ec6a
Update check method
2014-09-09 18:51:42 -05:00
sinn3r
0a6ce1f305
Land #3727 - SolarWinds Storage Manager exploit AND Msf::Payload::JSP
2014-09-09 17:21:03 -05:00
us3r777
2ae23bbe99
Remove STAGERNAME option
...
This option wasn't really required, the stager can be removed as
soon as the WAR is deployed. This commit does the modifications needed
to remove the stager right after the WAR deployment.
2014-09-09 21:44:08 +02:00
HD Moore
6c0dae953d
Stage encoding is now SaveRegister aware
2014-09-09 14:21:51 -05:00
sinn3r
027f543bdb
Land #3732 - Eventlog Analzyer exploit
2014-09-09 11:33:20 -05:00
sinn3r
75269fd0fa
Make sure we're not doing a 'negative' timeout
2014-09-09 11:26:49 -05:00
Joe Vennix
7793ed4fea
Add some common UXSS scripts.
2014-09-09 02:31:27 -05:00
James Lee
b8000517cf
Land #3746 , reinstate DB_ALL_CREDS
2014-09-08 17:24:12 -05:00
David Maloney
2ac15f2088
some fixes based on Christruncer's feedback
...
fixed some stuff i borked, back to you chris
2014-09-08 15:27:01 -05:00
David Maloney
cd3cdc5384
Merge branch 'master' into feature/ipboard-login-refactor
2014-09-08 14:48:37 -05:00
Tod Beardsley
4abee39ab2
Fixup for release
...
Ack, a missing disclosure date on the GDB exploit. I'm deferring to the
PR itself for this as the disclosure and URL reference.
2014-09-08 14:00:34 -05:00
David Maloney
09e6c2f51f
Merge branch 'master' into feature/MSP-11162/db-all-creds
2014-09-08 12:52:25 -05:00