eca4b73aab
Land #7499 , check method for pkexec exploit
2016-11-03 10:59:06 -05:00
1c746c0f93
Prefer CheckCode::Detected
2016-11-03 11:14:48 +01:00
2cdff0f414
Fix check method
2016-11-03 11:14:48 +01:00
5169341f62
Land #7522 , Fix psh template to avoid 100% cpu spike on CTRL+C
2016-11-02 16:40:34 -05:00
7895ba810d
Update payload cached size for the powershell payload
2016-11-03 02:50:13 +10:00
cc8c1adc00
Add first pass of multi x86 http/s payload (not working yet)
2016-11-03 02:44:53 +10:00
a651985b4f
Land #7498 , Joomla account creation and privesc
2016-11-01 22:46:36 -05:00
f414db5d6d
Clean up module
2016-11-01 22:46:28 -05:00
494b4e67bd
Refactor http/s handler & payloads
...
This commit moves much of the platform-specific logic from the
reverse_http handler down into the payloads. This makes the handler
a bit more agnostic of what the payload is (which is a good thing).
There is more to do here though, and things can be improved.
Handling of datastore settings has been changed to make room for the
ability to override the datastore completely when generating the
payloads. If a datastore is given via the `opts` then this is used
instead otherwise it falls back to the settings specified in the usual
datatstore location.
Down the track, we'll have a payload that supports multiple stages, and
the datastore will be generated on the fly, along with the stage itself.
Without this work, there's no other nice way of getting datastore
settings to be contained per-stager.
2016-11-02 11:33:59 +10:00
a924981369
Landing #7516 , X11 print fixes
2016-11-01 19:50:05 -04:00
a79f860cb7
Add UUIDs to mettle stages
2016-11-01 16:58:21 -05:00
05e2aad837
Land #7497 , Add Kerberos domain user enumeration module
2016-11-01 14:34:47 -05:00
e4b4264d79
Fix psh template to avoid 100% cpu spike on CTRL+C
...
Fixes #7293
2016-11-02 05:19:52 +10:00
1b4cef10d1
Change creds_name to Kerberos
2016-11-01 17:59:51 +00:00
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
f8912486df
fix typos
2016-11-01 05:43:03 -05:00
47ec362148
Small fixes for dbvis enum
2016-11-01 07:35:36 +10:00
5c065459ae
print_{good,error} more specifically in open_x11
2016-10-31 11:29:00 -05:00
ffb53b7ca3
Tidy arch check in meterpreter inject
2016-11-01 01:51:12 +10:00
557424d2ec
Small tidy of the multiport_egress_traffic module
2016-11-01 01:46:58 +10:00
ec8536f7e9
Fix firefox module to use symbols where appopriate
2016-11-01 01:43:25 +10:00
b9bbb5e857
Replace regex use with direct string checks in dbvis module
2016-11-01 01:35:01 +10:00
3c57ff5c59
Avoid internal constants for bypassuac file path generation
2016-11-01 01:32:24 +10:00
6ce7352c45
Revert silly change in applocker bypass
2016-11-01 01:30:54 +10:00
3c56f1e1f7
Remove commented x64 arch from sock_sendpage
2016-11-01 01:29:11 +10:00
6b264ce6c4
Land #7508 , Fix typo PAYLOAD_OVERWRITE vs PAYLOAD_OVERRIDE
...
Fixes #7504 .
2016-10-30 17:58:43 -05:00
45d6012f2d
fix check method
2016-10-30 14:57:42 -04:00
ccce361768
Remove accidentally included debug output
2016-10-29 18:46:51 -04:00
fa7cbf2c5a
Fix the jenkins exploit module for new versions
2016-10-29 18:19:14 -04:00
f754adad0c
Fix typo PAYLOAD_OVERWRITE vs PAYLOAD_OVERRIDE
2016-10-29 11:20:32 +01:00
640827c24b
Final pass of regex -> string checks
2016-10-29 14:59:05 +10:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
8b97183924
Update UUID to match detected platform, fail exploit on invalid session
2016-10-29 13:45:28 +10:00
0737d7ca12
Tidy code, remove regex and use comparison for platform checks
2016-10-29 13:41:20 +10:00
8173e87756
Add references
2016-10-28 16:12:46 -07:00
5c12d55c84
Land #7484 , Add Telpho10 Credentials Dump Exploit
2016-10-28 17:41:46 -05:00
991a3fe448
Markdown docs added.
2016-10-28 17:38:00 -05:00
96c204d1ea
Add aws_keys docs; correct description
2016-10-28 15:27:47 -07:00
751742face
Fix typo in arch check for inject script
2016-10-29 08:25:23 +10:00
1ca2fe1398
More platform/arch/session fixes
2016-10-29 08:11:20 +10:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
7dea613507
Initial commit of module for snagging AWS key material from shell/meterpreter sessions
2016-10-28 14:48:55 -07:00
971c8207bd
Update telpho10_credential_dump.rb
...
Code improvements suggested by @h00die
2016-10-28 16:45:14 -05:00
c9574a4707
Update telpho10_credential_dump.rb
...
output correction
2016-10-28 16:44:52 -05:00
05ee51a832
Update telpho10_credential_dump.rb
...
do not write to stdout
2016-10-28 16:44:40 -05:00
fb534a9e85
add telpho10_exploit
...
telpho10 credential dump exploit
2016-10-28 16:44:27 -05:00
5eca6866f2
Fix failing versions, specify version explicitly
2016-10-28 16:24:06 -05:00
c7b775ac1c
Fix detection following @bwatters-r7 recommendations. Remove safesync exploit that shouldn't be here.
2016-10-28 18:03:56 +00:00
88a2a770a3
Update to have checks in place
...
Add: added checks to the code
2016-10-28 11:24:39 +01:00
c153686465
Added Disk Pulse Enterprise Login Buffer Overflow
2016-10-27 21:49:17 -05:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
9eaaba1dea
Added user logging into the db and humored rubocop
2016-10-27 15:50:17 -05:00
16b7c77851
satisfying travis
2016-10-27 13:37:04 -05:00
a8ab7b09b0
Added Bassmaster batch Arbitrary JavaScript Injection Remote Code Execution Vulnerability (CVE-2014-720)
2016-10-27 13:22:39 -05:00
c2af2ab214
Move kerberos_enumusers module to aux/gather & add documentation
2016-10-27 19:11:22 +01:00
88beea0c56
updating code
...
Fix: changing to seggested fixes
2016-10-27 14:30:59 +01:00
23ab4f1fc1
Remove one last tab
2016-10-27 12:32:40 +02:00
d9f07183bd
Please h00die ;)
2016-10-27 12:18:33 +02:00
2ac54f5028
Add a check for the linux pkexec module
2016-10-27 10:28:13 +02:00
2851faefe8
Update module info
...
Fix: removed info that didn't belong
2016-10-27 03:11:38 +01:00
e522d7f5a4
Fixing issues regarding travis checks
...
Fix: EOL spaces;
2016-10-27 02:50:20 +01:00
8ad1c66bd3
Code update and file rename
...
Fix: clean up and improving code using all the comments.
Fix: rename file to a more meaning and more easy to search
2016-10-27 02:46:40 +01:00
0af47ef411
Fixing warning from travis checks
...
Fixing: Auxiliary modules have no 'Rank': Rank = ExcellentRanking
Fixing: Spaces at EOL
2016-10-26 23:29:17 +01:00
5a127886bb
Fixing issues regarding travis checks
...
Fixing unicode issues;
Fixing CVE format;
Fixing EOL spaces;
Fixing the way cookies are read.
2016-10-26 23:24:09 +01:00
94b05d7943
Joomla Account Creation and Privilege Escalation
...
This module allows to create an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3.
2016-10-26 23:11:38 +01:00
9672759be8
Land #7462 , Add support for Unicode domains
2016-10-26 16:47:09 -05:00
18c3d42aca
This commit adds the kerberos_enumusers module
2016-10-26 20:56:41 +01:00
1a1841d441
rebuilt metasploit-payloads without debug info
2016-10-26 05:43:36 -05:00
ed35bf5011
remove unneeded badchars from payload specification
2016-10-26 04:47:33 -05:00
342bfd628a
Dont' set default PORTS or PROBE options. Require user configuration.
2016-10-25 15:58:46 -05:00
2a18ea0e33
Initial commit of generic module for detecting UDP amplification vulnerabilities
2016-10-25 15:58:46 -05:00
f7f28a0833
Land #7480 , deprecation msg for udp_probe
2016-10-25 15:52:56 -05:00
6a31dad678
clean up some style guide issues with rubocop
...
applied rubocop to the module for some
tidying up
2016-10-25 11:24:32 -05:00
94979f4541
changed formatting for else statements
2016-10-25 09:42:00 -05:00
6f3c20069b
fixed formatting errors for travis
2016-10-25 09:42:00 -05:00
0ec153eb9c
changed formatting, changed to OptPath. cleaned unneeded code
2016-10-25 09:41:59 -05:00
3b9a441382
cleaned up write_target, and variables REXE
2016-10-25 09:41:59 -05:00
c3ada74728
changed formatting to comform with travis
2016-10-25 09:41:59 -05:00
0395d57512
formatting changes and design changes. tested
2016-10-25 09:41:58 -05:00
337e3b6cce
added persistence_exe.rb to windows post modules
2016-10-25 09:41:58 -05:00
c00df4dd71
Land #6969 , Regsrv cmd delivery server module
...
This Lands kn0's PR for the Regsrv32 command delivery server
2016-10-24 11:46:59 -05:00
7f65b28483
Deprecate udp_probe in favor of udp_sweep
2016-10-23 13:06:58 -07:00
b5ba862e98
parse ipv4 / website info
2016-10-23 10:53:43 -05:00
50284cf01b
parse domain/ip info from certificate
2016-10-23 10:33:17 -05:00
6a8da3223e
set payload file executable bit
2016-10-22 03:30:10 -05:00
c79c102998
remove unuse variable @uri
2016-10-21 23:59:09 -05:00
893a6ef82e
add censys search module
2016-10-21 23:45:44 -05:00
51ffea3e03
Land #7470 , fixes bad file refs for cmdstagers
2016-10-21 14:01:04 -05:00
e442f5f76b
Land #7460 , zoomeye search module
...
typo in previous land commit
2016-10-21 13:48:28 -05:00
264fe7b8f8
Land #7460 , zoomeye search module
2016-10-21 13:47:46 -05:00
9a0307b0c0
Land #7369 , Panda Antivirus Priv Esc
2016-10-21 13:20:41 -05:00
6b77f509ba
fixes bad file refs for cmdstagers
...
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced
Fixes #7466
2016-10-21 12:31:18 -05:00
05ffa0074c
Land 37460, zoomeye search module
...
Lands nixawk's zoomeye search aux module
2016-10-21 10:25:58 -05:00
ada571bfdf
Fix login - check condition
2016-10-20 22:52:24 -05:00
344b688ae5
remove ZoomEye_APIKEY, add (USERNAME / PASSWORD)
2016-10-20 22:48:01 -05:00
12e4fe1c5c
updated dlls and docs
2016-10-20 20:45:50 -04:00
097a273abb
fix dork_search
2016-10-19 20:54:31 -05:00
72b2ba2e88
replace [Net::HTTP] with [rex/proto/http]
2016-10-19 20:40:45 -05:00
a77f415893
remove unuseful condition
2016-10-19 20:05:12 -05:00
9f3f0fd358
make [matches_records] simple
2016-10-19 19:59:02 -05:00
b5a41c3011
Convert ANSI data to UTF-8 char by char because MS might
...
put an invalid character in the WORKGROUP name during SMB
handshake
2016-10-19 17:42:26 -05:00
fcc22d9027
add module references info
2016-10-19 02:23:11 -05:00
2668a4a1cd
Fix #6993 , tnspoison_checker cleanup
2016-10-19 00:53:33 -05:00
3630388e91
zoomeye search
2016-10-18 22:52:23 -05:00
684feb6b50
moved STAGE0 and STAGE1 into datastore
2016-10-18 11:47:38 -04:00
e806466fe3
correct carriage return and link issue
2016-10-17 10:31:39 -04:00
7e68f7d2a4
EmpirePowerShell Arbitrary File Upload (Skywalker)
2016-10-17 10:03:07 -04:00
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
25238f1a26
Update capcom exploit module to support Windows 10
2016-10-15 11:56:48 +10:00
8e2ff8df80
Land #7433 , Add IP Addresses to HTTP PUT/DELETE scanner output
2016-10-14 13:27:17 -05:00
5e7d546fa2
Land #7094 , OpenNMS Java Object Deserialization RCE Module
2016-10-14 13:19:11 -05:00
cfddc734a8
Land #7286 , WiFi pineapple preconfig command injection module
2016-10-14 12:57:42 -05:00
e05a325786
Land #7285 , WiFi pineapple command injection via authentication bypass
2016-10-14 12:57:05 -05:00
1da40b5deb
Change HAVE_POPEN to USE_POPEN
...
PS target doesn't support it, so the option should be renamed.
2016-10-14 11:58:39 -05:00
4c248ebe9e
Merge branch 'master' into land-7430-
2016-10-14 09:48:33 -05:00
acec45c8b3
Land #7409 , CVE-2013-5093 Graphite Pickle Handling - Add Version Check
2016-10-14 08:54:57 -05:00
9fbe1ddd9d
Land #7384 , CVE-2016-6415 - Cisco IKE Information Disclosure
2016-10-14 08:41:34 -05:00
12493d5c06
moved c code to external sources
2016-10-13 20:37:03 -04:00
022830634b
Rejig platform to use windows instead of win32/win64
2016-10-14 10:10:04 +10:00
5b46e72aea
Update module logic
2016-10-13 17:40:16 -05:00
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
e70ba8110d
Update references
2016-10-13 17:35:55 -05:00
88bb2e2295
Update description
2016-10-13 17:35:30 -05:00
9e97febcd1
Land #7429 , Ruby on Rails Dynamic Render File Upload Remote Code Exec
2016-10-13 11:45:46 -05:00
b74539be44
check if isakmp payload is same to IKE Leak data
2016-10-13 04:20:23 -05:00
2014b2d2ab
Land #7432 , Fix erroneous cred reporting in SonicWALL exploit
2016-10-12 22:39:15 -05:00
a2a1d6c28a
Land #7411 , Add an HTA server module using Powershell
2016-10-12 13:05:40 -05:00
7536d1d94a
print leak data
2016-10-12 02:42:50 -05:00
70d4833654
Fix report_vuln
2016-10-12 02:16:00 -05:00
e78d3d6bf0
Fix erroneous cred reporting in SonicWALL exploit
...
A session ID will be returned in the parsed JSON if the login succeeded.
Bad user:
{"noldapnouser"=>1, "loginfailed"=>1}
Bad password:
{"loginfailed"=>1}
Good user/password:
{"userid"=>"1", "sessionid"=>"4WJ9cNg1TkBrwjzX"}
2016-10-11 19:25:52 -05:00
98d7b19ab9
Passed IP parameter to additional functions.
2016-10-11 15:09:50 -05:00
acff0fa9cf
Added IP addresses to output.
2016-10-11 14:43:42 -05:00
f0ff4a0721
Added IP addresses to output.
2016-10-11 14:42:06 -05:00
bd110430e9
Remove unnecessary require statements
2016-10-11 15:35:49 -04:00
bd646ded1b
fixed the check function
2016-10-11 14:06:03 -05:00
3fd806b87f
Merge remote-tracking branch 'upstream/pr/6993' into land-6993
2016-10-11 09:33:26 -05:00
95017cea0c
Merge remote-tracking branch 'upstream/master' into rails
2016-10-11 08:31:33 -05:00
157740ba06
update payload sizes
2016-10-11 07:01:17 -05:00
3d9cb7375c
store Android payload information in byte array
2016-10-11 14:41:32 +08:00
d8f98ccd4e
run through msftidy
2016-10-10 22:36:20 -05:00
f2252bb179
fixed a few things, thanks @h00die
2016-10-10 22:30:01 -05:00
3c3f424a4d
added a some references
2016-10-10 17:56:03 -05:00
bca3aab1db
added CVE-2016-0752
2016-10-10 17:36:20 -05:00
9d2355d128
removed debug line
2016-10-10 10:23:51 -04:00
2ad82ff8e3
more nagios versatility
2016-10-10 10:21:49 -04:00
e139a1ee8f
Land #7383 : Rebase/Fix + SSL stager support for python
2016-10-10 13:06:09 +10:00
7b84e961ed
Minor output correction.
2016-10-09 19:01:06 -05:00
d1a11f46e8
Land #7418 , Linux recvmmsg Priv Esc (CVE-2014-0038)
2016-10-09 18:37:52 -05:00
7e6facd87f
added wrong file
2016-10-09 09:49:58 -04:00
2c4a069e32
prepend fork fix
2016-10-09 09:40:44 -04:00
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
b77a910205
Land #7355 , allwinner post to local exploit conversion
2016-10-08 21:38:54 -05:00
e074669406
Land #7296 , Added a SCADA module for detecting Profinet devices, e.g. Siemens controllers
2016-10-08 21:34:40 -05:00
bd24e7eba0
more cleanups and print output on auto-run
2016-10-08 21:14:26 -05:00
5284db6b58
module cleanup
2016-10-08 20:17:29 -05:00
199bf8e726
cleanups and update to require 4.0 CLR by default
2016-10-08 15:24:13 -05:00
44c5fc3250
Sync build_net_code post module upstream
...
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.
Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
0e57808914
Update to class name MetasploitModule
2016-10-08 14:06:35 -05:00
f24bfe7d4e
Import Powershell::exec_in_place
...
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
2016-10-08 14:06:35 -05:00
36b989e6d7
Initial import of .NET compiler and persistence
...
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.
Add compiler modules for payloads and custom .NET code/blocks.
==============
Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).
C# templates for simple binaries and a service executable with
its own install wrapper.
==============
Generic .NET compiler post module
Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.
Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.
==============
Concept:
Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.
This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.
Usage notes:
Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.
Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).
==============
On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
7c20f20493
remove unneeded bash
2016-10-07 21:12:27 -04:00
bbdb58eb00
Add an HTA server module using powershell
2016-10-06 19:25:22 -04:00
fb0a438fdf
Perform a version check to determine exploitability for graphite pickle
2016-10-05 16:08:02 -07:00
e8c3a61e72
Land #7405 , nil fix for ntp_protocol_fuzzer
2016-10-05 15:26:39 -05:00
8749eaf097
Fix the default num to be 0 when not specified.
2016-10-05 14:52:43 -05:00
b95cc7bbbe
Set correct default options; fix usage on OS X
...
Fixes 7404
2016-10-05 09:51:31 -07:00
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
75bea08e0e
changing branches
2016-10-04 21:08:12 -04:00
63ed5624ff
Land #7395 , Ninja Forms module update
2016-10-04 11:14:30 -05:00
f60d575d62
Add EOF newline back in
2016-10-04 11:14:15 -05:00
705d15037a
Land #7396 , Add Meterpreter API to list installed drivers
2016-10-04 07:17:10 -05:00
691a250d78
add reverse_tcp handler to fix bug in latest update
...
The payload was missing require 'msf/core/handler/reverse_tcp', latest update pulled with msfupdate broke the startup of the framework, where you got this kind of an error:
!master ~/4tools/metasploit-framework> msfconsole
/home/tony/4tools/metasploit-framework/modules/payloads/singles/android/meterpreter_reverse_tcp.rb:28:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:71:in `on_module_load'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:182:in `load_module'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:237:in `block in load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:55:in `block (2 levels) in each_module_reference_name'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:127:in `block in find'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `catch'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `find'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:46:in `block in each_module_reference_name'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `foreach'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `each_module_reference_name'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:236:in `load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:117:in `block in load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `block in init_module_paths'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
from /home/tony/4tools/metasploit-framework/lib/msf/ui/console/driver.rb:204:in `initialize'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
from /home/tony/4tools/metasploit-framework/msfconsole:48:in `<main>'
2016-10-04 10:40:04 +02:00
3101564a0a
Enable support for windows 8 in the exploit
2016-10-04 16:27:33 +10:00
a4efa77878
Support driver list, adjust capcom exploit
...
This commit adds MSF-side support for listing currently loaded drivers
on the machine that Meterpreter is running on. It doesn't add a UI-level
command at this point, as I didn't see the need for it. It is, however,
possible to enumerate drivers on the target using the client API.
Also, the capcom exploit is updated so that it no longer checks for the
existence of the capcom.sys file in a fixed location on disk. Instead,
it enumerates the currently loaded drivers using the new driver listing
function, and if found it checks to make sure the MD5 of the target file
is the same as the one that is expected. The has is used instead of file
version information because the capcom driver doesn't have any version
information in it.
2016-10-04 11:27:20 +10:00
e6daef62b4
egypt
2016-10-03 20:24:59 -04:00
b1cb153c31
Make errors more meaningful
2016-10-03 15:29:40 -05:00
9853daeb4e
Land #7376 , mysql_writable_dir module #2
...
some comits got missed here somehow
2016-10-03 10:42:37 -05:00
2d361fabc6
No need to interpolate when using .to_s
2016-10-03 11:38:36 -04:00
e13a9667c2
Land #7376 , mysql_writable dirs mdoule
...
Lands avgsecurityguy's new mysql_writable_dirs module
2016-10-03 10:34:03 -05:00
95f9b778bd
Use standard status messages instead of verbose.
2016-10-03 11:01:51 -04:00
d088005d95
TABLE_NAME option not needed.
2016-10-03 10:58:13 -04:00
5f12c8e026
Incorrect warning message
...
The filename is not always test so the warning message and the note in the description are incorrect.
2016-10-03 10:57:25 -04:00
25996a16bb
Fixed file read block.
2016-10-03 10:47:03 -04:00
708eb0eb4f
Fixed syntax error.
2016-10-03 10:17:29 -04:00
fac03570d1
Use File.open block.
2016-10-03 10:09:45 -04:00
bc57537205
Add warning statement.
2016-10-03 10:07:40 -04:00
a627c3cd5e
Removed unnecessary return statements.
2016-10-03 10:02:26 -04:00
6fa8f40b31
Use unless instead of if (not ...)
2016-10-03 10:00:56 -04:00
3e01dbfded
Fixed Space-Tab mixed indent warning
2016-10-01 15:13:26 +05:30
4227cb76a8
Fixed stack trace bug & verified logic
...
- Fixed stack trace bug when value of "packet" is nill.
- Verified logic of Oracle TNS Listener poisoning which requires an ACCEPT response to be marked as vulnerable.
2016-10-01 15:01:02 +05:30
63c0b6f569
Login failure message.
2016-09-30 17:09:41 -04:00
3f9540d906
fix trailing whitespace
...
this commit got dropped during landing
2016-09-30 14:30:31 -05:00
72bd75e681
Land #7253 , x64 xor encoder fix
...
Land fullmetalcache's fix for the x64 xor encoder
2016-09-30 14:28:10 -05:00
7996c4b048
Warning about leaving files on disk.
2016-09-30 14:53:15 -04:00
3e4a23cdf6
Removed unnecessary require statement.
2016-09-30 14:51:43 -04:00
b3c6ec09a0
Show status when gathering, which can take a bit
2016-09-30 06:42:22 -07:00
abed3bf6c2
Rename
2016-09-30 06:35:26 -07:00
9ee6e1931a
target_uri simplification, cleanup
2016-09-30 06:24:50 -07:00
60cfe6216a
mstfidy
2016-09-29 22:00:35 -07:00
558adb5e1e
Uncork module and address style issues
2016-09-29 21:59:19 -07:00
b2e06bed66
Initial commit of post module to gather AWS EC2 instance metadata
2016-09-29 21:52:22 -07:00
ac76c3591a
reference urls
2016-09-29 22:43:00 -05:00
5929d72266
CVE-2016-6415 - cisco_ike_benigncertain.rb
2016-09-29 22:25:57 -05:00
fabb296b15
update cache and add payload test
2016-09-29 21:19:55 -05:00
7b0a8784aa
additional doc updates
2016-09-29 19:02:16 -04:00
301e38b08f
use correct base class for modules
2016-09-29 17:21:59 -05:00
a7470991d9
Bring Python reverse_tcp_ssl payload upstream
...
Adds TLS/SSL transport encryption for reverse tcp payloads in
python
2016-09-29 17:21:59 -05:00
bac4a25b2c
compile or nill
2016-09-29 06:15:17 -04:00
4fac5271ae
slight cleanup
2016-09-29 05:51:13 -04:00
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
3b548dc3cd
update email and paths
2016-09-28 18:37:48 -04:00
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
988471b860
Land #7372 , useless use of cat fix
...
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
3033c16da6
Add missing rank
2016-09-28 16:37:04 -05:00
b46073b34a
Replace `cat` with Ruby's `read_file`
...
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
1689f10890
Land #7292 , add android stageless meterpreter_reverse_tcp
2016-09-28 16:05:22 -05:00
45ee59581b
Fix inverted logic in Docker exploit
...
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.
Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
ab94bb9cdd
Land #7365 , nonce fix for Ninja Forms exploit
2016-09-28 13:57:08 -05:00
f7e588cdeb
Initial commit of module.
2016-09-28 14:55:32 -04:00
dbb2abeda1
Remove the `cat $FILE | grep $PATTERN` anti-pattern
...
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
b4a1adaf0f
refactor into android.rb
2016-09-28 18:23:34 +08:00
dc43f59dcf
dalvik -> android
2016-09-28 14:50:52 +08:00
35a2b3e59d
working panda
2016-09-27 20:15:17 -04:00
f838c9990f
Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
...
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
76b3c37262
Fix msftidy errors
2016-09-27 22:56:07 +10:00
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
edbe1c3e14
Land #7361 , Make OSX screencapture silent
2016-09-26 17:24:03 -05:00
b9de73e803
Land #7334 , Add aux module to exploit WINDOWS based (java) Colorado
...
FTP server directory traversal
2016-09-26 14:15:23 -05:00
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
53823a4807
oops msftidy
2016-09-26 23:50:38 +08:00
e5c05c05d2
Make OSX screencapture silent
...
By default, the `screencapture` command on OS X plays a camera sound effect. The -x option silences this.
2016-09-25 22:54:57 -04:00
a13e83af8a
Land #7357 , Stagefright CVE-2015-3864
2016-09-25 17:10:06 -05:00
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
e0ff8859e9
Land #7359 , add EXTRABACON auxiliary module auxiliary/admin/cisco/cisco_asa_extrabacon
2016-09-24 10:46:13 -04:00
df28e2a85e
Add credit to wwebb-r7 for the initial module and ASA hacking notes
2016-09-24 05:48:31 -04:00
cd4299b3a2
Added offsets for version 9.2(4)14
...
This version of the ASA is patched and our offsets do not work currently. We may do more work on this to find a solution.
2016-09-23 16:57:08 -06:00
087e9461ce
Added offsets for version 9.2(4)13
2016-09-23 16:50:50 -06:00
3f985d94d7
Added offsets for version 8.4(6)5
2016-09-23 16:32:42 -06:00
352946d8f5
Added offsets for version 8.4(4)9
2016-09-23 16:19:36 -06:00
368fd1a77f
Added offsets for version 8.4(4)5
2016-09-23 16:07:42 -06:00
19fe09318a
Added offsets for version 8.4(4)3
2016-09-23 15:56:02 -06:00
8840af0e90
Added offsets for version 8.4(4)1
2016-09-23 15:44:39 -06:00
19caff2293
Added offsets for 8.3(2)40
2016-09-23 15:26:02 -06:00
ba4505bcce
Added offsets for version 8.3(2)39
2016-09-23 15:05:39 -06:00
64df7b0524
Added offsets for verion 8.3(2)-npe
...
We currently can't distinguish between 8.3(2) and 8.3(2)-npe versions from the SNMP strings. We've commented out the 8.3(2)-npe offsets, but in the future, we'd like to incorporate this version.
2016-09-23 14:49:57 -06:00
926e5fab9e
Added offsets for version 8.2(5)41
2016-09-23 14:00:23 -06:00
b4d3e8ea3e
Added offsets for version 9.2(1)
2016-09-23 13:52:13 -06:00
d36e16fc32
Added offsets for version 8.2(5)33
2016-09-23 13:15:39 -06:00
f19ed4376b
Adding new version offsets
2016-09-23 12:57:36 -06:00
dbf66f27d5
Add a browser-based exploit module for CVE-2015-3864
2016-09-23 11:14:31 -05:00
2fab62b14d
Update profinet_siemens.rb
...
Removed unnecessary rescue, gave "timeout" variable a better name.
2016-09-23 18:05:45 +02:00
639dee993a
Fixed interactive password prompt issue
...
Fixed an issue where the exploit would drop to interactive password prompt by default on newer ruby version which rendered the exploit unusable. It now properly forces pubkey authentication instead and proceeds with the bypass as expected.
2016-09-23 17:03:40 +01:00
98cf5d8eb5
Changed 'build_offsets' to 'build_payload'
2016-09-23 09:32:17 -06:00
1868371ba7
fix merge conflicts
2016-09-23 14:49:36 +00:00
2591d0b7c6
numerous fixes as per @busterb
2016-09-23 14:46:40 +00:00
5de1d34869
Land #7341 , add module metasploit_static_secret_key_base
2016-09-23 09:20:48 -05:00
cba297644e
post to local conversion
2016-09-22 22:08:24 -04:00
dda6b67928
Added basic error handling for unsupported ASA versions
2016-09-22 18:24:25 -06:00
cf070853e9
Moved required datastore option into constructor
2016-09-22 18:08:35 -06:00
7646771dec
refactored for live compile or drop binary
2016-09-22 20:07:07 -04:00
df25f07b34
Replaced '+=' with '<<'
2016-09-22 17:53:28 -06:00
f525c24a9f
Added offsets for 8.4(7)
2016-09-22 17:16:37 -06:00
28a09c2d13
stupid comment
2016-09-22 22:57:42 +00:00
7762f42dfa
Added offsets for 8.3(1)
2016-09-22 16:17:37 -06:00
064aed858b
Added RiskSense contributor repo to references
2016-09-22 16:10:30 -06:00
961524d648
Adding offsets for 9.1(1)4
2016-09-22 16:04:44 -06:00
4e9459d876
Added offsets for 9.0(1)
2016-09-22 15:35:59 -06:00
5ca6563c8f
Fixed problem with 9.2(2)8 offsets
2016-09-22 15:24:49 -06:00
b77adc97f0
Removing redundant version check
2016-09-22 15:05:42 -06:00
c22a2a19e8
Added offsets for 9.2(2)8
2016-09-22 14:59:49 -06:00
e8d1f6d5a0
Added offsets for 8.2(3)
2016-09-22 14:38:52 -06:00
a0ba8b7401
Fix whitespace per msftidy
2016-09-22 14:25:04 -06:00
022189c075
Added offsets for 8.4(3)
2016-09-22 14:12:33 -06:00
4288c3fb46
added always_return_true variable
2016-09-22 19:44:55 +00:00
c18045128a
Replaced global vars, made 'patched_code' value static
2016-09-22 13:42:23 -06:00
3c7fc49788
Added module auxiliary/admin/cisco/cisco_asa_extrabacon
...
This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.
2016-09-22 18:06:03 +00:00
bc425b0378
Update samsung_security_manager_put
...
This patch improves the following
* Stage 1 XSS/JS attack to use the body.onload callback
* Better timing for FF
2016-09-22 12:02:49 -05:00
34e02fe097
stageless http
2016-09-22 16:26:26 +01:00
1b911e7117
placate msftidy
2016-09-22 16:26:26 +01:00
32c2311b86
android meterpreter_reverse_tcp
2016-09-22 16:26:26 +01:00
9f3c8c7eee
Land #7268 , add metasploit_webui_console_command_execution post-auth exploit
2016-09-22 00:50:58 -05:00
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
04f8f7a0ea
Land #7266 , Add Kaltura Remote PHP Code Execution
2016-09-21 17:14:49 -05:00
dcfbb9ee6a
Tidy info
...
Replace errant \t with \x20
2016-09-21 20:14:11 +10:00
1e24568406
Tweak verbosity re: found secrets
2016-09-21 20:14:08 +10:00
30d07ce0c7
Tidy metasploit_static_secret_key_base module
...
* Inline magic values
* Optimise out dead Rails3-specific code
2016-09-21 20:13:58 +10:00
9d01f24cff
Land #7388 , relocate Rex::Platform:Windows content
...
This PR consolidates the few lines of consts/code in lib/rex/platforms/windows.rb into MSF core.
Completes #MS-1714
2016-09-20 16:39:07 -05:00
8b1d29feef
Land #7304 , fix rails_secret_deserialization popchain
2016-09-20 16:05:03 -05:00
2d3c167b78
Grammar changes again.
2016-09-20 23:51:12 +03:00
0f16393220
Yet another grammar changes
2016-09-20 19:48:40 +03:00
fb00d1c556
Another minor grammer changes
2016-09-20 19:23:28 +03:00
251421e4a7
Minor grammar changes
2016-09-20 10:37:39 -05:00
385428684f
Move module and docs under the exploit/linux/http folder
2016-09-20 12:45:23 +03:00
a9a1146155
fix more ssh option hashes
2016-09-20 01:30:35 -05:00
c689a8fb61
Removing empty lines before module start
2016-09-20 01:42:18 +03:00
29a14f0147
Change References to EDB number and remove 4 space
2016-09-20 01:31:56 +03:00
a1ca27d491
add module metasploit_static_secret_key_base
2016-09-20 07:04:00 +10:00
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
06ff7303a6
make pubkey verifier work with old module
...
make the new pubkey verifier class and
the old identify_pubkeys aux module work
together
7321
2016-09-19 15:20:35 -05:00
3f5ed75198
Relocate Rex::Platform:Windows content (fixes MS-1714)
2016-09-19 14:34:44 -05:00
3bc566a50c
fix email
2016-09-18 20:09:38 -04:00
9c922d111f
colorado ftp
2016-09-18 20:03:16 -04:00
edd1704080
reexploit and other docs and edits added
2016-09-18 09:01:41 -04:00
4f85a1171f
reexploit and other docs and edits added
2016-09-18 08:51:27 -04:00
53d4162e7d
Send payload with POST rather than custom header.
2016-09-17 23:11:16 +03:00
d2100bfc4e
Land #7301 , Support URIHOST for exim4_dovecot_exec for NAT
2016-09-16 12:49:57 -07:00
7c396dbf59
Use URIHOST
2016-09-16 12:48:54 -07:00
4d0643f4d1
Add missing DefaultTarget to Docker exploit
2016-09-16 13:09:00 -05:00
da516cb939
Land #7027 , Docker privesc exploit
2016-09-16 12:44:21 -05:00
4ba1ed2e00
Fix formatting in fortinet_backdoor
...
Also add :config and :use_agent options.
2016-09-16 12:32:30 -05:00
e3060194c6
Fix formatting in ubiquiti_airos_file_upload
...
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
26491eed1a
pass the public key in as a file instead of data
...
when using key_data it seems to assume it is a private
key now. the initial key parsing error can be bypassed
by doing this
7321
2016-09-16 11:48:51 -05:00
c102384b7a
Remove spaces at EOL
2016-09-16 11:28:08 +01:00
7393d91bfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2016-09-16 10:46:44 +01:00
4be4bcf7eb
forgot updates
2016-09-16 02:08:09 -04:00
2e42e0f091
first commit
2016-09-16 01:54:49 -04:00
90f0eec390
Land #7325 , Fix missing form inputs in skybluecanvas_exec
2016-09-15 19:55:32 -05:00
a7103f2155
Fix missing form inputs
...
Also improve check string.
2016-09-15 19:19:24 -05:00
60e728ec5c
Land #7065 , Correct display errors for SHA-512 hashes with MS SQL Server 2012
2016-09-15 18:06:02 -05:00
8b050fcc9b
simplify cleanup code, remove duplicate logic
2016-09-15 18:05:34 -05:00
6e221ca575
Land #7221 , Updated JCL cmd payloads to use PR7007 format
2016-09-15 16:38:31 -05:00
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
116c754328
tidy Platform
2016-09-15 10:35:42 +10:00
8a0c8b54fc
merge branch 'master' into PR branch
...
make Travis happy
2016-09-15 10:31:24 +10:00
a7cf0c8a32
Make at_persistence more persistent
2016-09-14 16:19:59 -07:00
ff1c839b7d
appease msftidy
...
trailing whitespace
2016-09-15 08:18:43 +10:00
01327f0265
Land #7245 , NetBSD mail.local privilege escalation module
2016-09-14 16:07:12 -05:00
c6214d9c5e
Fix and clean module
2016-09-14 14:36:29 -05:00
27be29edb4
Fix typo
2016-09-14 13:21:37 -05:00
6509b34da1
Land #7255 , Fix issue causing Glassfish to fail uploading to Windows targets.
2016-09-14 12:57:41 -05:00
8533e6c5fd
Land #7252 , ARCH_CMD to ARCH_PHP for phoenix_exec
2016-09-14 10:38:37 -05:00
79a8123d2f
Trim platform, expand payload
2016-09-13 21:44:41 -07:00
18d424bb83
Update waiting message to indicate that it will wait up to that long
2016-09-13 21:16:59 -07:00
cac890a797
Land #7308 , disclosure date additions
2016-09-13 23:16:30 -05:00
e4e6f5daac
Fix indentation
2016-09-13 23:15:37 -05:00
a5502264d4
Land #7305 , missing env var fix for Steam module
2016-09-13 23:11:40 -05:00
b16e84f574
Bump default WfsDelay to account for execution at 0s and execution delays
...
Also, platforms, which I think achieves nothing right now.
2016-09-13 21:04:30 -07:00
18c54ebb5e
Minor rubocop gripe
2016-09-13 20:54:30 -07:00
15e44e296b
Fix cmd execution; use and cleanup temporary files
2016-09-13 20:51:32 -07:00
d73531c0d3
added disclosure dates
2016-09-13 20:37:04 -04:00
972db476ef
Implement check for at_persistence
2016-09-13 16:08:49 -07:00
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
245237d650
Land #7288 , Add LoginScannerfor Octopus Deploy server
2016-09-13 17:26:56 -05:00
10efafe44e
Land #7306 , Update links and add CVE to WebNMS modules
2016-09-13 15:52:27 -05:00
ed5bbb9885
Land #7284 , Add SugarCRM REST PHP Object Injection exploit
2016-09-13 15:46:46 -05:00
a0095ad809
Check res properly and update Ruby syntax
...
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
8d4ee3fac6
Forgot the bracket!
2016-09-13 19:01:22 +01:00
4d49f7140c
update links and CVE on webnms_file_download
2016-09-13 18:50:53 +01:00
41bdae4b84
update links and CVE on webnms_file_upload
2016-09-13 18:50:25 +01:00
William Vu
Brendan
OJ
h00die
Adam Cammack
attackdebris
William Webb
Brent Cook
Pearce Barry
Alex Flores
Spencer McIntyre
Konrads Smelkovs
Jon Hart
dmohanty-r7
Jan Rude
Jeff
Quentin Kaiser
Filipe Reis
Chris Higgins
mr_me
Julien (jvoisin) Voisin
Brent Cook
Louis Sato
David Maloney
drforbin
Vex Woo
nixawk
wolfthefallen
wchen-r7
Alton J
Sonny Gonzalez
Tim
RageLtMan
funkypickle
“lvarela”
Tonimir Kisasondi
Stephen Haywood
Interference Security
jvoisin
Jeffrey Martin
Henry Pitcairn
TheNaterz
Joshua J. Drake
Tijl Deneut
George Papakyriakopoulos
zerosum0x0
Jenna Magius
Justin Steven
Kyle Gray
Mehmet Ince
Thao Doan
Jan Mitchell
James Lee
James Barnett
Pedro Ribeiro