Commit Graph

30549 Commits (62ac536b7d5076483b0914db1ee9c10c62ff930f)

Author SHA1 Message Date
Pedro Ribeiro 62ac536b7d Create manageengine_file_download.rb 2015-01-28 19:42:17 +00:00
Pedro Ribeiro 299a39a67f Merge pull request #13 from rapid7/master
a
2015-01-28 19:40:55 +00:00
jvazquez-r7 5475cf50aa
Land #4655, @wchen-r7's custom 404 for BrowserExploitServer 2015-01-27 23:03:08 -06:00
sinn3r 457598eb02 print_error about unknown request.uri 2015-01-27 20:21:18 -06:00
sinn3r acf02647fb Add a check for Custom404 2015-01-27 20:18:10 -06:00
sinn3r 66703bfe5a Allow custom 404 as an option for BrowserExploitServer
When something fails, the target is given a hardcoded 404 message
generated by the framework. But the user (attacker) now can configure
this. When the Custom404 option is set, the mixin will actually
redirect (302) to that URL.

There are several scenarios that can trigger a 404 by BES (custom or
default):

* When the browser doesn't allow javascript
* When the browser directly visits the exploit URL, which is forbidden.
  If this actually happens, it probably means the attacker gave the
  wrong URL.
* The attacker doesn't allow the browser auto-recovery to retry the
  URL.
* If some browser requirements aren't met.
* The browser attempts to go to access a resource not set up by the
  mixin.
2015-01-27 18:53:02 -06:00
jvazquez-r7 465b4a5c1b
Land #4652, @wchen-r7's ms13-037 svg exploit update to use BES 2015-01-27 13:47:35 -06:00
sinn3r ffd1257bff
Make sure this branch is up to date. 2015-01-27 12:16:15 -06:00
sinn3r bb9c961847 Change description a bit 2015-01-27 12:14:55 -06:00
William Vu b030327965
Land #4647, get_module_resource NilClass fix 2015-01-27 12:07:08 -06:00
sinn3r 2dedaee9ca Working version after the upgrade 2015-01-27 12:02:36 -06:00
William Vu ae22cf1b47
Land #4650, #strip NilClass fix 2015-01-27 11:13:33 -06:00
William Vu 7d7139d769
Consistent-ize whitespace 2015-01-27 11:11:02 -06:00
Tod Beardsley d8200c65a8
Strip safely, avoid nil.strip errors 2015-01-27 11:06:55 -06:00
William Vu 5b3d877b25
Land #4648, for real 2015-01-27 11:00:22 -06:00
William Vu 2b706f222a
Land #4648, YAML parsing fix
Prefer regex. For reasons...
2015-01-27 10:59:05 -06:00
William Vu a88a631b66
Fix #strip 2015-01-27 10:58:24 -06:00
Tod Beardsley d2bf1a73ff
Don't need to require YAML anymore either 2015-01-27 10:40:57 -06:00
William Vu bf39a7a933
Land #4648, YAML parsing fix
Prefer regex. For reasons...
2015-01-27 10:39:03 -06:00
Tod Beardsley cafbd1af51
Prefer a regex over YAML parsing
Fixes a bug introduced in #4645
2015-01-27 10:34:56 -06:00
sinn3r ee922d141c Fix #4646 - get_module_resource should check nil before using get_resource
Fix #4646. The get_module_resource needs to check nil first before
using the get_resource method (from HttpServer)
2015-01-27 00:21:43 -06:00
sinn3r 9e3388df34 Use BES for MS13-037 and default to ntdll 2015-01-27 00:18:36 -06:00
William Vu 515b125192
Land #4645, for real
Conflicts:
	modules/post/multi/gather/rubygems_api_key.rb
2015-01-26 23:46:04 -06:00
William Vu fd4812fbab
Land #4645, @claudijd's RubyGems API key stealer
Dedicating this merge to @todb-r7. :-)
2015-01-26 23:29:36 -06:00
William Vu d53f4e1178
Fix bugs and make final changes 2015-01-26 23:29:10 -06:00
Jonathan Claudius f0bcf27110 Missing ? 2015-01-27 00:15:43 -05:00
Jonathan Claudius a3cf524162 Remove copy pasta 2015-01-27 00:13:51 -05:00
Jonathan Claudius 2bb9314b4b Switch to unless conditional 2015-01-27 00:10:33 -05:00
sinn3r 7b4fd2f618
Land #4642, Allow 'creds -u "" ' to return blank usernames 2015-01-26 23:01:03 -06:00
Jonathan Claudius 1f9286da69 Undo logic reversage 2015-01-26 23:54:41 -05:00
Jonathan Claudius a9e480e44a Fixed tilde 2015-01-26 23:53:08 -05:00
Jonathan Claudius eed9fbe024 Lose assignment in conditional 2015-01-26 23:48:08 -05:00
Jonathan Claudius c496d2c987 Remove nil check 2015-01-26 23:43:31 -05:00
Jonathan Claudius c29b7488b2 Fix double new line 2015-01-26 23:40:19 -05:00
Jonathan Claudius d77f112e82 Minor Formatting 2015-01-26 23:31:36 -05:00
Jonathan Claudius 06485d8c89 Fix naming of things 2015-01-26 23:17:44 -05:00
Jonathan Claudius 685c4804e5 Add trailing return 2015-01-26 23:15:00 -05:00
Jonathan Claudius 6b6e47a237 Fix sessiontypes, again 2015-01-26 23:13:17 -05:00
Jonathan Claudius 747349a57a Fix sessiontypes 2015-01-26 23:11:48 -05:00
Jonathan Claudius ee7ecb349d Fix description 2015-01-26 23:10:08 -05:00
Jonathan Claudius 106170eddc Add multi to name 2015-01-26 23:08:43 -05:00
Jonathan Claudius a3c7cf70f8 Make MSF Tidy more happy 2015-01-26 22:30:26 -05:00
Jonathan Claudius d37b3cf0c3 Use next instead of return 2015-01-26 22:26:56 -05:00
Jonathan Claudius f58dc2789f Remove creds 2015-01-26 22:13:15 -05:00
Jonathan Claudius a27c376ae7 Add service port and host 2015-01-26 22:06:07 -05:00
Jonathan Claudius dd34b58e49 Add add loot 2015-01-26 22:01:38 -05:00
Jonathan Claudius 3889ed5784 Add cred login 2015-01-26 21:50:10 -05:00
Jonathan Claudius eead063375 Add RubyGems API Post Gather Module 2015-01-26 20:53:39 -05:00
Tod Beardsley 63c3832d7d
Also test for nonmatching passwords 2015-01-26 17:02:58 -06:00
Tod Beardsley 1410477fe9
Use the blank password/username variables 2015-01-26 17:00:45 -06:00