418e371e35
add SMB2 login scanner and module
...
add smb2_login module backed by an smb2
LoginScanner class. This is a temporary alternative
to smb_login until ruby_smb catches up more on feature parity
MS-2557
2017-03-29 11:36:33 -05:00
2758010355
Fix x86 mettle shellcode
2017-03-28 17:59:13 -05:00
8b3fe0ac06
Merge branch 'dmchell-cve-2017-7269' into iis_6_sc-dev
2017-03-28 19:33:37 +01:00
697d3978af
Update iis_webdav_scstoragepathfromurl.rb
2017-03-28 19:14:32 +01:00
d7bed334b0
Add Metasploit header
2017-03-28 12:07:57 -05:00
ebbed949c2
Get rid of double header
2017-03-28 12:05:44 -05:00
d1c269e5e8
Update iis_webdav_scstoragepathfromurl.rb
2017-03-28 11:54:52 -05:00
4972b510d1
Use HttpClient instead of Tcp
2017-03-28 11:37:40 -05:00
c203fa71d1
Create iis_webdav_scstoragepathfromurl.rb
2017-03-28 11:34:11 -05:00
ffdd5fb471
Update iis_webdav_scstoragepathfromurl.rb
...
converted to Msf::Exploit::Remote::HttpClient
2017-03-28 17:16:35 +01:00
ed90971489
Update iis_webdav_scstoragepathfromurl.rb
2017-03-28 16:16:51 +01:00
1552cc4cac
Update iis_webdav_scstoragepathfromurl.rb
2017-03-28 16:11:44 +01:00
b301a8d0c0
Update iis_webdav_scstoragepathfromurl.rb
2017-03-28 16:07:12 +01:00
20a9b88eb6
Update and rename iis_webdav_ScStoragePathFromUrl.rb to iis_webdav_scstoragepathfromurl.rb
2017-03-28 15:53:18 +01:00
f7cecaf31e
Update and rename cve-2017-7269.rb to iis_webdav_ScStoragePathFromUrl.rb
2017-03-28 15:47:20 +01:00
9e8ec532a2
Create cve-2017-7269.rb
...
Exploit for cve-2017-7269.rb
2017-03-28 15:33:20 +01:00
30896d1fab
Add Cambium ePMP Arbitrary Command Execution Module
2017-03-28 00:17:36 +05:30
66a585ab41
Land #8050 , Add Cambium ePMP System Hash Dumper
2017-03-27 12:08:53 -05:00
935c59306b
Land #7897 , Add Cambium ePMP 1000 Device Configuration file dumper
2017-03-27 12:05:11 -05:00
d705949b37
Land #7784 , Cambium ePMP 1000 Login Scanner
2017-03-27 12:01:56 -05:00
31c03840bb
Style fixes for HWBridge RF and a couple small bug fixes
...
I should have tweaked these earlier, my bad.
2017-03-26 13:45:19 -05:00
dd7cf39678
updated references
2017-03-25 12:31:08 +05:30
63d88c159a
updated references
2017-03-25 12:27:38 +05:30
fd5e25bcc2
restored version check
2017-03-25 12:08:00 +05:30
68e4b8a855
Updated user data param to load aggregator
2017-03-24 22:58:04 -07:00
82ebbfb9a7
Fix msftidy warnings
2017-03-24 23:12:48 -04:00
3e2173d4f9
Add key length check and remove mixin
...
Also add a reference to the original honeyscore website
2017-03-24 22:33:09 -04:00
581d523d5b
Fix things from review
2017-03-24 21:22:23 -04:00
9db2e9fbcd
Land #8146 , Add Default Secret & Deserialization Exploit for Github Enterprise
2017-03-24 14:38:47 -05:00
92c0748447
Land #8102 , Add a plugin to notify new sessions via SMS
2017-03-24 11:17:59 -05:00
e04f01ed6b
Land #7778 , RCE on Netgear WNR2000v5
2017-03-23 15:34:16 -05:00
3b062eb8d4
Update version info
2017-03-23 13:46:09 -05:00
fdb52a6823
Avoid checking res.code to determine RCE success
...
Because it's not accurate
2017-03-23 13:39:45 -05:00
39682d6385
Fix grammar
2017-03-23 13:23:30 -05:00
ee21377d23
Credit Brent & Adam
2017-03-23 11:22:49 -05:00
196a0b6ac4
Add Default Secret & Deserialization Exploit for Github Enterprise
2017-03-23 10:40:31 -05:00
d37966f1bb
Remove old file
2017-03-23 12:53:08 +03:00
8a43a05c25
Change name of the module
2017-03-23 12:49:31 +03:00
8dd0f953b0
remove unnecessary require
2017-03-22 19:48:24 -04:00
420df11c44
Change up the way shodan is reached
2017-03-22 19:39:45 -04:00
a93aef8b7a
Land #8086 , Add Module Logsign Remote Code Execution
2017-03-22 11:33:49 -05:00
2200c9faee
Create moxa_discover.rb
2017-03-22 10:49:26 -04:00
fa61d67761
Fix score comparison
2017-03-21 19:17:20 -04:00
3af0f814c3
Land #8138 , fix mettle UAF and add initial http/https transport support
2017-03-21 16:51:09 -05:00
1a8e8402ae
Land #8113 , SysGauge SMTP server validation sploit
2017-03-21 16:45:42 -05:00
9542087642
bump mettle to 0.1.8
2017-03-21 16:45:25 -05:00
d10b3da6ec
Land #8132 , Support Python 2 & 3 for web_delivery
2017-03-21 13:48:27 -05:00
6b3cfe0a98
Support both Python 2 and Python 3 in one line
...
Tested on:
* Python 2.7.13 on Windows
* Python 3.5.3 on Windows
2017-03-21 13:47:07 -05:00
fef8ec10bc
Fix author formatting
2017-03-21 13:23:41 -04:00
d7640713df
Add more checks and formatting
2017-03-21 13:23:06 -04:00
1f68a3bda6
Rename honeypot.rb to shodan_honeyscore.rb
2017-03-21 13:10:31 -04:00
2e096be869
Remove debugging output
2017-03-21 11:26:02 -05:00
79c7b84f08
Create honeypot.rb
2017-03-21 11:15:12 -04:00
be41df6de0
Land #8036 , Fix run_as_psh with domain accounts
2017-03-21 09:05:50 -05:00
f397624a69
Land #7935 , HWBridge RF transceiver extension
2017-03-21 06:12:32 -05:00
aa5e9cd702
Land #8058 , Allow the http_payload stager to sleep before retry
2017-03-21 00:07:10 -05:00
c4279a837a
Minor formatting/spelling/verbiage changes.
2017-03-20 17:37:12 -05:00
2fde287424
Initial patch for rftransceiver (RfCat / YardstickOne)
2017-03-20 17:36:16 -05:00
2acd941b16
Merge branch 'master' into dtc_fix
2017-03-20 14:10:01 -05:00
0be6b8c905
Fixes #8022
...
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-03-20 13:49:39 -05:00
06ebb22a8f
Land #8065 , Zigbee Hardware Bridge Extension
2017-03-20 10:44:15 -05:00
ffe77c484e
fixed spacing
2017-03-20 16:37:35 +01:00
e51063aa56
added the python3 syntax to the web_delivery script
2017-03-20 16:08:08 +01:00
7bcd53d87d
Land #8079 , exploit and aux for dnaLims
2017-03-20 11:08:05 -04:00
fd5345a869
updates per pr
2017-03-20 10:40:43 -04:00
fe5167bf26
changes to file per pr
2017-03-20 10:16:42 -04:00
f9ecefe465
Land #8031 , nil fixes for HWBridge
2017-03-19 22:37:28 -05:00
aa1e76f28e
Land #8128 , ensure there is a response before deferencing
2017-03-19 22:17:31 -05:00
e2c6f959f4
Land #8129 , s/colom/colon/g
2017-03-19 22:14:38 -05:00
534ca8c5cb
fix: URL encoding userdata
2017-03-18 21:52:49 -07:00
26d344a0ef
Initial checkin of launch instances module
2017-03-18 21:52:49 -07:00
ae883d7f02
Update multi_meterpreter_inject.rb
2017-03-19 00:27:28 -04:00
661bf6e492
Update multi_meterpreter_inject.rb
2017-03-19 00:27:03 -04:00
93a6614ab3
Update multi_meterpreter_inject.rb
2017-03-19 00:25:46 -04:00
f88a522bf5
fix #8121
2017-03-18 14:50:24 -04:00
06e6a973ce
land #7944 a scanner for Carlo Gavazzi energy meters
2017-03-18 10:35:43 -04:00
84e4b8d596
land #8115 which adds a CVE reference to IMSVA
2017-03-18 09:51:52 -04:00
1d0024ee3c
tools/modules/update_payload_cached_sizes.rb update
2017-03-17 20:58:41 -03:00
d55b680394
Land #8088 , Add some binaries to enum_protections
2017-03-17 17:14:59 -05:00
6aa42dcf08
Add solarwinds default ssh user rce
2017-03-17 21:54:35 +03:00
1180bd6ed7
Land #8037 , priv_migrate improvements
2017-03-17 13:19:51 -05:00
52cea93ea2
Merge remote-tracking branch 'upstream/master' into land-8118-
2017-03-17 12:39:30 -05:00
e67c83e92c
Land #8119 , Updated rails_secret_deserialization to add '.' cookie regex
2017-03-17 12:34:25 -05:00
ea4ca7ecc5
Land #8116 , Handle ::Errno::ECONNRESET in telnet_version
2017-03-17 12:32:02 -05:00
095a110e65
Code and doc tweaks (minor).
...
Only one behavior change in the scan loop of zstumbler.rb to, when doing a scan across all the channels, keep it from retrying channel 11 again one last time just before it exits.
2017-03-16 21:43:36 -05:00
db6bc6c784
Land #8100 , msfcrawler improvements
...
Does anyone use this anymore??
2017-03-16 21:31:23 -05:00
7a12e446a0
Updated documentation and fixed module header. Whoops, copy/paste fail.
2017-03-16 21:28:24 -05:00
ab75794cd4
Land #8071 , Add API to send an MMS message to mobile devices
2017-03-16 11:57:34 -05:00
78586f0dc9
Fixed an extra space at the EOL
2017-03-16 09:22:01 -07:00
80c33fc27f
adding '-' to rails deserialization regex for cookie matching
2017-03-16 10:54:32 -05:00
59c7de671e
Updated rails_secret_deserialization to add '.' regex for cookie matching.
2017-03-16 10:45:43 -05:00
f4bb1d6a37
Updated based on @wvu's comments
2017-03-15 19:15:12 -05:00
91a4657c36
Bumped the metasploit-payloads version and cache sizes with PR#8043
2017-03-15 19:02:21 -05:00
b2a7d18584
Update cached payload sizes
2017-03-15 18:43:48 -05:00
f706c4d7f6
Removing prefix
2017-03-16 00:49:55 +03:00
a1d7748d82
Fix #8061 , Handle ::Errno::ECONNRESET in telnet_version
...
Fix #8061
2017-03-15 16:33:37 -05:00
60186f6046
Adding CVE number
2017-03-16 00:31:21 +03:00
d4ee254057
Land #8076 , Add Easy File Sharing FTP Server Version 3.6 traversal
2017-03-15 16:17:13 -05:00
8afe6a9061
Update easy_file_sharing_ftp and add documentation
2017-03-15 16:14:41 -05:00
a0ba3f17e7
Land #8110 , process migration by name fix
2017-03-15 15:52:54 -05:00
456ddcebc0
Remove nil values that are default already
...
There are four lights!
2017-03-15 15:51:22 -05:00
8995629037
Land #7061 , allow chaining the service stub with other encoders
2017-03-15 13:56:09 -05:00
b65919e7b1
Land #7956 , Add QNAP NAS/NVR administrator hash disclosure
2017-03-15 11:12:59 -05:00
0a71e4a903
Update check with Exploit::CheckCode::Appears
2017-03-15 05:13:30 -05:00
86d2217f4d
Fix whitespace and clarify options
2017-03-15 04:27:30 -05:00
a0bff5c8c3
Bump RETRIES to 10
...
3 was a bit too low. I was using 10 and had more success with it.
2017-03-15 03:18:09 -05:00
b3fbbbee34
Spelling is hard
2017-03-14 23:34:00 -05:00
cc4f18e6c5
Add sysgauge_client_bof module and documentation
2017-03-14 23:29:19 -05:00
e96013cd0f
Land #7781 , IBM Websphere Java Deserialization RCE
2017-03-14 17:21:18 -05:00
cf8b4a78fa
Bring branch up to date with upstream-master
2017-03-14 16:48:33 -05:00
04f11b0bf7
fix migrate by process name
2017-03-14 17:27:46 -04:00
1736332638
Land #8103 , Add CVE-2017-5638, Struts2 Content-Type OGNL injection
2017-03-14 16:10:49 -05:00
9201f5039d
Use vprint for check because of rules
2017-03-14 15:02:54 -05:00
f429b80c4e
Forgot to rm this when i combined
2017-03-14 12:18:11 -05:00
01ea5262b8
Land #8070 , msftidy vars_get fixes
2017-03-14 12:05:24 -05:00
5c436f2867
Appease msftidy in tr064_ntpserver_cmdinject
...
Also s/"/'/g.
2017-03-14 11:52:21 -05:00
5d6a159ba9
Use query instead of uri in mvpower_dvr_shell_exec
...
I should have caught this in #7987 , @bcoles, but I forgot. Apologies.
This commit finishes what @itsmeroy2012 attempted to do in #8070 .
2017-03-14 11:51:55 -05:00
79331191be
msftidy error updated 2.5
2017-03-14 22:02:59 +05:30
67fc43a0a1
msftidy error updated 2.4
2017-03-14 21:33:53 +05:30
53c9caa013
Allow native payloads
2017-03-13 20:10:02 -05:00
2053b77b01
ARCH_CMD works
2017-03-13 18:37:50 -05:00
bb4d6e17c8
Resolve #8026 , Add a plugin to notify new sessions via SMS
...
This plugin will notify you of a new session via SMS.
It also changes the SMS text format to MIME.
Resolve #8026
2017-03-13 16:13:59 -05:00
fe4e2306b4
Reverting one step
2017-03-13 22:22:24 +05:30
665adec298
Patching storedb function (adding host/port/ssl for correct report_web_page)
2017-03-13 17:37:47 +01:00
78ff7a8865
Module renamed
...
Renamed from websphere_java_deserialize.rb to ibm_websphere_java_deserialize.rb
2017-03-13 08:22:24 +02:00
9f76b4d99c
Change default RPORT to 443 with SSL
...
I never really tested port 80, so I wonder why I didn't change this.
Turns out 80 isn't even the vuln service. Welp. Hat tip @bcoles.
2017-03-12 21:03:31 -05:00
e7c920db44
Remove DEBEUG/print_debeug :(
2017-03-12 21:01:48 -05:00
d57b772ac9
Bump default RETRIES to 3
2017-03-12 21:00:38 -05:00
8638f9ec7e
Update freesshd_authbypass to use CmdStager fully
2017-03-11 19:59:39 -06:00
4e32c80e8e
Use the Msf::Exploit::CmdStager mixin. Fixes #8092 .
2017-03-11 17:44:05 -06:00
fe4f20c0cc
Land #7968 , NETGEAR R7000 exploit
2017-03-10 16:02:30 -06:00
25bfa88c46
Land #7877 , Add mDNS query spoofing service
2017-03-10 15:44:57 -06:00
1c54e0ba94
msftidy error updated 2.2
2017-03-10 23:59:38 +05:30
6d8789a56e
Updated msftidy error 2.1
2017-03-10 23:03:37 +05:30
c0f17cf6b8
msftidy error updated 2.0
2017-03-10 22:16:27 +05:30
84b9449137
Add some binaries to enum_protections
...
- gradm2 for grsec
- aa-status for apparmor
- getenforce for setlinux
2017-03-10 14:16:58 +01:00
f6bac3ae31
Add iso link to md file and change CheckCode code
2017-03-10 13:00:49 +03:00
e7b65587b4
Move to a more descriptive name
2017-03-09 14:19:06 -06:00
e07d5332de
Don't step on the payload accessor
2017-03-09 13:54:00 -06:00
d92ffe2d51
Grab the os.name when checking
2017-03-09 13:52:58 -06:00
83f5f98bb0
Merge remote-tracking branch 'upstream/pr/8074' into land-8072
2017-03-09 11:08:29 -06:00
0ab3ad86ee
change dnalims_file_retrieve module type
2017-03-09 10:06:31 -05:00
95a01b9f5e
add dnaLIMS exploits
2017-03-09 09:46:18 -05:00
081ca17ebf
Specify default resource in start_service
...
This eliminates the need to override resource_uri. Depends on #8078 .
2017-03-09 03:00:51 -06:00
ed22902fd4
Support the subject field
2017-03-08 11:40:08 -06:00
f60dae0917
Lots of syntax fixups from rubocop
2017-03-08 09:21:33 -08:00
183be81ba8
Easy File Sharing FTP Server Directory Traversal
2017-03-08 17:59:27 +02:00
c52b0cba5e
msftidy error on master updated
2017-03-08 20:58:01 +05:30
0f899fdb0b
Convert ARCH_CMD to CmdStager
2017-03-08 07:35:37 -06:00
e18eb98e49
Land #8019 , fix issues from #7817 with post/multi/gather/firefox_creds
2017-03-08 05:46:21 -05:00
c8215e609a
pushing fixes again, something failed.
2017-03-08 10:16:06 +01:00
2546263d50
Improved error handling and general fixes
2017-03-08 10:11:05 +01:00
c5fb69bd89
Struts2 S2-045 Exploit 2017/03/08
2017-03-08 14:26:33 +08:00
b73a884c05
struts2_s2045_rce.rb
2017-03-08 13:38:18 +08:00
75a1d979dc
Fix: Incorrect disclosure month forma
2017-03-07 20:28:29 -06:00
fc0f63e774
exploit Apache Struts2 S2-045
2017-03-07 20:10:59 -06:00
e327f9b330
Update other module descriptions
2017-03-07 16:55:06 -06:00
dc13b84189
Bring mms branch up to date w/ master
2017-03-07 16:13:39 -06:00
7e19486a97
Merge branch 'wchen-r7-sms' into upstream-master
...
Merged #8047
2017-03-07 15:56:00 -06:00
7976966ce9
Issue 7923 - msftidy errors on master
2017-03-08 03:12:41 +05:30
fbde0d18f2
Add auxiliary/client/mms/send_mms
2017-03-07 12:53:17 -06:00
4e9b8946d8
Fixed some small msftidy issues
2017-03-06 22:47:37 -08:00
60cd04bc7b
Added module for zstumbler
2017-03-06 16:10:14 -08:00
0b5da60564
Added nil check + formatting edits
2017-03-07 02:17:21 +05:30
d99d81992f
Added nil check + formatting edits
2017-03-07 02:16:01 +05:30
05efb61d3b
Added nil check + formatting edits
2017-03-07 02:14:18 +05:30
62b0efd99d
Added nil check + formatting edits
2017-03-07 01:44:23 +05:30
9a5ab604e5
Added nil check + formatting edits
2017-03-07 01:21:07 +05:30
2d8e3c73f5
Minor edits
2017-03-07 00:20:05 +05:30
3ab214e758
Minor edits
2017-03-07 00:03:24 +05:30
a466dc44c6
Do exception handling for sms client
2017-03-06 10:54:08 -06:00
b5afac6627
Per PR #8054 , we don't need the OUTPUTPATH option here.
2017-03-03 16:20:01 -06:00
4362c891b6
Land #8054 , Fix #8052 , remove forgotten OUTPUTPATH option
2017-03-03 15:36:30 -06:00
bb140b9581
fix deprecated target ARCH
2017-03-03 13:38:16 -06:00
d76e80bc44
Land #7424 , Ektron Webservices XSLT Remote Code Execution
2017-03-03 12:12:21 -06:00
48e06e27b0
Fix #8052 , remove forgotten OUTPUTPATH option
...
Fix #8052
2017-03-03 12:00:07 -06:00
6ad8afb8b3
Add API to send a text message (SMS) to mobile devices
2017-03-02 16:47:55 -06:00
e8460c3b94
Minor edit
2017-03-03 02:37:20 +05:30
fafd35330d
Add epmp1000 dump hashes module
2017-03-03 02:22:34 +05:30
c6e65b1521
Minor edits
2017-03-03 02:00:19 +05:30
6bd09c142f
Minor edits
2017-03-03 00:53:17 +05:30
c9a354b844
Added nil checks
2017-03-01 20:18:51 +05:30
759b67c565
Fix ru_as_psh with domain accounts
...
The current versions has too many escape backslashes, as a result, running run_as_psh for domain users does not work.
Also added support for DOMAIN\\User format in the USER parameter.
2017-03-01 13:38:15 +11:00
fb5e090f15
fixes from jvoisin
2017-02-28 20:09:26 -05:00
e5636d6ce1
Adding logsign rce module and doc
2017-02-28 21:04:37 +03:00
031285d49a
update payloads
2017-02-28 03:04:53 -06:00
8c876f4a57
Land #7996 , Major rewrite and cleanup of reverse shell jcl payload
2017-02-28 02:12:40 -06:00
d4e5cb7993
Fixes #8022
...
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-02-27 21:09:57 -08:00
def5088097
Change NOFAIL default to false
2017-02-27 20:37:58 -06:00
2f5dd38957
Update Admin target list and module description
2017-02-27 20:19:59 -06:00
dcb42a3e69
Initial zigbee support using killerbee. Core session setup portion
2017-02-27 17:29:54 -08:00
3333019e5f
Check if current admin proc is in target list
2017-02-27 18:55:25 -06:00
717879f3df
Downcase targets and current proc name
2017-02-27 18:28:46 -06:00
8e8e7244f4
Add exit language
2017-02-27 18:07:15 -06:00
e1d76b8ff6
Add more error handling
2017-02-27 17:06:16 -06:00
69c7b0168c
Restore USERNAME and PASSWORD options for owa_login
...
Requested by our own pentesters, the username & password options
should be restored so users can more easily try one password but
multiple users.
2017-02-27 15:04:06 -06:00
ffb54a13fe
Add NOFAIL datastore option
2017-02-27 12:41:18 -06:00
df7932bb1b
Added more error handling
2017-02-27 13:30:42 +01:00
264cfc9bd4
Added OPTIONS to the module
2017-02-27 13:24:31 +01:00
81efe096aa
Update Author Handle
2017-02-26 21:01:19 -06:00
e3e607a552
reword description
2017-02-26 15:24:22 -05:00
0c353841ab
forgot add fixes for travis
2017-02-25 23:25:36 -05:00
a8609f5c66
ntfs-3g lpe
2017-02-25 23:09:22 -05:00
37066acc03
Try harder to get user id, correctly handle dirs with spaces.
...
Fixes #7817 .
2017-02-25 20:32:53 -06:00
1e28e2b2c7
Cache sizes again...
2017-02-24 20:43:13 -06:00
493f17761b
payload cache size change- all together, now
2017-02-24 20:23:34 -06:00
15af90c011
payload cache size change
2017-02-24 20:22:27 -06:00
634753f985
Add QNAP admin hash "disclosure"
2017-02-24 19:18:30 -06:00
d9a7fac399
Land #8004 , Use post/windows/manage/priv_migrate instead of migrate -f
2017-02-24 17:30:14 -06:00
f18b533226
change platform time to unix (although it is linux in reality but whatevs)
2017-02-24 22:58:24 +00:00
2631259919
Land #7973 , Enable cert validation for Nexpose
...
This PR enables connection to a Nexpose console using the
nexpose client gem.
It also allows you to connect using a trusted certificate
instead of simply overriding the SSL validation.
2017-02-24 14:27:24 -06:00
b2ad8938ff
Added tomcat_gather modules to Metasploit.
2017-02-24 15:15:55 +01:00
4be426df4d
Added jboss_gather module.
2017-02-24 11:18:01 +01:00
45b1f796e4
Added archmigrate module to metasploit.
2017-02-24 10:29:19 +01:00
43550b8cdf
fixing line length
2017-02-23 19:55:23 -05:00
041238f77c
land #7896 Binom3 power meter scanner and brute
2017-02-23 19:49:50 -05:00
70f7dccf62
copy and paste fail
2017-02-23 17:11:08 -06:00
5d0b532b20
Fix #8002 , Use post/windows/manage/priv_migrate instead of migrate -f
...
Because migrate -f uses a meterpreter script, and meterpreter scripts
are deprecated, we should be replacing with a post module
Fix #8002
2017-02-23 17:04:36 -06:00
236606838a
Land #7987 , MVPower DVR exploit
2017-02-23 01:46:04 -06:00
0b34efab43
Add documentation
2017-02-23 06:59:05 +00:00
5d3a4cce67
Use all caps for module option names
2017-02-23 16:30:01 +11:00
27a7b279f5
Major rewrite and cleanup of reverse shell jcl
...
The shell does exactly the same as the previous, just made the code read much
better so as to not severely anger the gray beards and other lesser
mainframe deities. The only architectural change is the payload uses the
spawn system call vs exec - this provides for a cleaner exit in some cases.
2017-02-22 17:17:27 -06:00
dc30dd70da
Add Windows Gather DynaZIP Saved Password Extraction post module
2017-02-22 22:20:19 +00:00
40e6413867
Land #7980 , Add a sploit for CVE-2017-5982, kodi file traversal
2017-02-22 13:11:48 -06:00
25b3cc685a
Update netgear_r7000_cgibin_exec.rb
2017-02-22 11:36:52 -05:00
47fec5626e
Style update
2017-02-22 07:56:17 +00:00
e491f01c70
Add MVPower DVR Shell Unauthenticated Command Execution module
2017-02-22 05:15:57 +00:00
48f6740fee
Land #7969 , Add Module Trend Micro IMSVA Remote Code Execution
2017-02-21 17:29:04 -06:00
a9b9a58d4d
Land #7893 , Add Module AlienVault OSSIM/USM Remote Code Execution
2017-02-21 13:35:56 -06:00
83cc28a091
Land #7972 , Microsoft Office Word Macro Generator OS X Edition
2017-02-21 13:26:42 -06:00
49da6289a9
Fix typo in smtp fuzzer
2017-02-20 21:47:59 +01:00
73eed104a9
Take into account @h00die's comments.
2017-02-20 13:22:20 +01:00
dad21b1c1d
Land #7979 , another downcase fix for a password
2017-02-19 21:26:52 -06:00
7bd6aff1cf
Add a sploit for CVE-2017-5982
2017-02-19 21:57:27 +01:00
92c1fa8390
remove downcase
2017-02-18 20:13:32 -05:00
e99ba0ea86
Msftidy stuff
2017-02-18 00:34:49 -05:00
189d5dc005
Thanks netgear
2017-02-18 00:15:45 -05:00
ef2fff798e
update sizes
2017-02-17 18:57:02 -06:00
24151a9c27
Land #7753 , Add auxiliary RomPager misfortune cookie authentication bypass
2017-02-17 18:07:15 -06:00
52350292cf
Fix msftidy warning
2017-02-17 18:41:11 -05:00
63d1de9acd
Updates from review
...
Also testing some things, line 84 and 85 mostly
2017-02-17 18:29:46 -05:00
2c570b6709
Land #7942 , Microsoft SQL Server Clr Stored Procedure Payload Execution
2017-02-17 17:28:54 -06:00
e4c324c988
Land #7941 , treat a user with no mailbox as a valid credential anyway
2017-02-17 17:09:57 -06:00
8019a9e519
Land #7947 , fix crash in panda_psevents when an unexpected target OS is found
2017-02-17 14:08:27 -06:00
1f23b44003
I modified windows/fileformat/office_word_macro the wrong way
2017-02-16 23:16:06 -06:00
cbfe18e4d7
use certificates in nexpose
2017-02-16 14:34:02 -06:00
7503f643cc
Deprecate windows/fileformat/office_word_macro
...
Please use exploits/multi/fileformat/office_word_macro instead,
because the new one supports OS X.
2017-02-16 12:32:14 -06:00
3d269b46ad
Support OS X for Microsoft Office macro exploit
2017-02-16 12:28:11 -06:00
811f6d4d58
Update netgear_r7000_cgibin_exec.rb
2017-02-16 08:38:06 -05:00
90224af813
Fix msftidy warning
2017-02-15 22:39:16 -05:00
81d63c8cc7
Create netgear_r7000_cgibin_exec.rb
2017-02-15 22:33:48 -05:00
8f1856c5d1
Fixed a bug with DTC decoding.
...
DTC Codes now print the English error messages next to their code with getvinfo
Frozen DTCs can also be fetched via get_frozen_dtcs()
2017-02-15 16:26:23 -08:00
f113114643
Added assigned CVE.
2017-02-15 17:05:23 -05:00
3b386f86f6
Typo fix.
2017-02-14 17:05:46 +11:00
843f559069
land #7917 piwik exploit module
2017-02-14 00:52:27 -05:00
ec316bfb6c
Use DATABASE when logging in with SQL mixin
2017-02-14 10:34:27 +10:00
a47a479bd3
add else case
2017-02-12 19:08:31 -05:00
e6bfbb7c78
Added random cookie gen, res checks, & minor updates
2017-02-12 16:55:11 +05:30
906ca6c24e
Add Carlo Gavazzi module
2017-02-11 11:18:43 +05:30
94a234e5bf
Specify sname as http/https to keep with standards throughout the code.
2017-02-10 17:31:08 -06:00
baa473a1c6
add piwik superuser plugin upload module
2017-02-11 00:20:50 +01:00
026f6eb715
Land #7929 , improve php_cgi_arg_injection
2017-02-10 10:01:38 -06:00
2d834a3f5a
Finalise module, and add supporting binaries
2017-02-10 12:56:40 +10:00
58779f0aaf
owa_login no mailbox bugfix
...
The owa_login module currently misses a success condition where the
creds are valid but there is no mailbox setup. This commit adds the
check for the condition for OWA 2013.
2017-02-09 21:35:58 -05:00
1c62559e55
Add v1 of SQL Clr stored proc payload module
2017-02-10 10:28:22 +10:00
4a9a8adaa1
Land #7928 , http_version now stores the fingerprints
2017-02-09 16:28:51 -06:00
d7a6edb5a4
Land #7939 , Override `empty?` for the weird ones
2017-02-09 15:40:24 -06:00
4f13bde471
Override `empty?` for the weird ones
...
Fixes #7899
2017-02-09 14:57:20 -06:00
272d1845fa
Land #7934 , Add exploit module for OpenOffice with a malicious macro
2017-02-09 13:42:58 -06:00
8ade9b8aae
Land #7905 , WordPress content injection module
2017-02-09 15:49:50 +01:00
e1a1ea9d68
Fix grammar
2017-02-08 19:26:35 -06:00
cf395ea7b1
Make error checks more consistent
2017-02-08 18:00:44 -06:00
0d56676690
Add error check for listing posts
2017-02-08 17:13:12 -06:00
047a9b17cf
Completed version of openoffice_document_macro
2017-02-08 16:29:40 -06:00
cba5e266f8
Land #7916 , module for netgear password disclosure
2017-02-08 15:48:55 -05:00
e7b421e226
Update netgear_password_disclosure.rb
2017-02-08 13:40:11 -05:00
4ee05313d8
Update tested version numbers
2017-02-08 19:31:01 +03:00
766e7b013d
Once more, with feeling
2017-02-08 09:17:37 -06:00
a71b097e6b
Revert status iteration, since it doesn't work
...
Also.
2017-02-08 09:13:42 -06:00
fd935c8e3c
Update netgear_password_disclosure.rb
2017-02-08 09:14:39 -05:00
6b2a995a7d
Revert AutoPublish, since it doesn't work
...
Apparently.
2017-02-08 07:43:17 -06:00
df38a91fbd
Be nice and parse JSON for the error
2017-02-08 07:37:09 -06:00
2dfff95669
Fix msftidy warning
2017-02-08 08:28:23 -05:00
befe224c58
Use wordpress_and_online? before actions
2017-02-08 07:24:57 -06:00
46ab03f528
Add SearchTerm to filter listed posts
2017-02-08 06:10:46 -06:00
064420075f
Update diagnostics and print better header
2017-02-08 04:54:25 -06:00
6df55c9733
Gotta catch 'em (post statuses) all
2017-02-08 04:31:06 -06:00
7583d050b7
Add AutoPublish to publish updated posts
2017-02-08 04:01:42 -06:00
e480107bd5
Add PostCount (default 100) to list more posts
2017-02-08 03:52:20 -06:00
f3bcc9f23f
Take care of suhosin
2017-02-08 09:59:36 +01:00
028d4d6077
Make the payload a bit more random
2017-02-08 09:59:22 +01:00
13f4b0d7ae
Be more specific with invalid post ID
2017-02-08 02:18:52 -06:00
c16b7e42a6
Fix review stuff
2017-02-07 21:41:38 -05:00
46fbc9dd3f
Fix some formatting
2017-02-07 21:32:19 -05:00
6f4ff89218
Add WPVDB reference
2017-02-07 18:33:58 -06:00
cb03ca91e1
Make php_cgi_arg_injection work in certain environnement
...
This commit sets two more options to `0` in the payload:
- [cgi.force_redirect](https://secure.php.net/manual/en/ini.core.php#ini.cgi.force-redirect )
- [cgi.redirect_status_env](https://secure.php.net/manual/en/ini.core.php#ini.cgi.redirect-status-env )
The configuration directive `cgi.force_redirect` prevents anyone from calling PHP
directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php .
Instead, PHP will only parse in this mode if it has gone through a web server redirect rule.
The string set in the configuration directive `cgi.redirect_status_env`
is the one that PHP will look for to know it's ok to continue its
execution. This might be use together with the previous configuration
option as a security measure.
Setting those variables to 0 is (as stated in the documentation) a
security issue, but it also make the exploit work on some Apache2 setup.
2017-02-07 18:59:27 +01:00
96f7b2e245
http_version now store the fngerprints
...
Currently, the `http_version` module doesn't store the fingerprints
into the database; this commit should fix this behaviour.
2017-02-07 18:36:36 +01:00
cefbee2df4
Add PoC for OpenOffice macro module
2017-02-07 10:12:23 -06:00
f4580a2616
Add token value check
...
Sometimes it wouldn't return creds if the token is 0. It usually works after running it another time.
2017-02-07 10:53:25 -05:00
c1f9b724cf
Maybe fix syntax error
2017-02-07 10:36:05 -05:00
d0f6d4ef45
Land #7920 , android/meterpreter_reverse_https
2017-02-07 20:42:47 +08:00
b4056a110b
Print diagnostics if no posts found/given
2017-02-07 04:37:05 -06:00
a9ea09a179
Land #7909 , Python process hiding for sessions -u
2017-02-07 02:28:24 -06:00
e1ade9caf8
Land #7910 , closed ports fix for TCP portscan
2017-02-07 02:23:15 -06:00
aac9381778
Update meterpreter_reverse_https.rb
2017-02-07 12:13:20 +04:00
00050abb73
Fix msftidy warnings
2017-02-06 22:06:50 -05:00
1f2a95c202
Use html parser instead of regex
2017-02-06 22:03:56 -05:00
115c60446e
Fix weird if loop in check
2017-02-06 17:30:49 -05:00
6ebdbc3f81
Fix some stuff from review
...
I'm going to change the HTML Regex to a parser a bit later, I don't have time right now
2017-02-06 17:29:39 -05:00
badca287dd
Land #7906 , Add Microsoft Word malicious macro document generator
2017-02-06 14:44:09 -06:00
f531366d89
Land #7790 an aux module to extract Meteocontrol Weblog admin password
2017-02-06 15:23:06 -05:00
9b4ca31432
Fix typo
2017-02-06 12:52:41 -05:00
52cf9c44df
Update netgear_password_disclosure.rb
2017-02-06 12:43:31 -05:00
16c6480629
Add response checks
...
I can't test this right now as I'm not at a computer that has metasploit installed, but I'll test it when I get a chance to.
2017-02-06 12:10:01 -05:00
f5450a718a
Add TARGETURI datastore option
2017-02-06 11:54:29 -05:00
99227aca1a
Fix things from review
2017-02-06 09:44:35 -05:00
0cec4be107
Android Stageless Meterpreter over HTTPS
...
Change to add functionality for stateless meterpreter over HTTPS
2017-02-06 14:59:43 +04:00
8af966a132
Add WordPress content injection module
2017-02-06 04:40:26 -06:00
fb7e5ff847
Fix more msftidy warnings
2017-02-05 14:00:05 -05:00
f08590982c
Fix some msftidy warnings
2017-02-05 13:58:01 -05:00
609ea3700a
Create netgear_password_disclosure.rb
2017-02-05 13:39:58 -05:00
db77061719
do not add closed ports to database
2017-02-04 16:24:40 +01:00
9e0cb9797b
python -c payload -> echo payload | python
2017-02-04 17:57:17 +08:00
d305f895ff
Fixed a typo space
2017-02-04 11:59:45 +05:30
36416c20cb
Updated check for extract fail case now + Minor edits
2017-02-04 03:00:31 +05:30
906fcfe355
OSSIM 5.0.0 version requires a authen token on action create
2017-02-03 23:45:33 +03:00
34b861403e
Minor updates
2017-02-04 01:44:18 +05:30
c73c189a61
Set DisablePayloadHandler default to true
2017-02-03 11:25:50 -06:00
83cb65d3a2
Don't spin CPU if an fopen fails
...
Because PHP is happy to continue on just fine in that case and the loop
below will run unbounded spewing warnings about reading from `false`.
2017-02-02 19:07:58 -06:00
3c7f78167a
Push up the preamble and modernize style
2017-02-02 17:57:03 -06:00
ccaa783a31
Add Microsoft Office Word Macro exploit
2017-02-02 17:44:55 -06:00
ff20cf911c
Move the preamble above all other code
2017-02-02 14:53:53 -06:00
23c2787d57
Land #7795 , Hardware Bridge API.
...
Initial bridge API that supports the HW rest protocol.
2017-02-02 08:47:59 -06:00
16de745437
Minor code cleanups/corrections.
2017-02-01 16:12:45 -06:00
58a50d7dd1
Minor edits
2017-02-01 04:46:05 +05:30
6d6db2f40f
Add epmp1000 dump config module
2017-02-01 04:42:47 +05:30
20a51371ce
Minor Edits
2017-02-01 04:23:28 +05:30
423648e347
Minor edits
2017-02-01 03:53:14 +05:30
82d2777417
Minor update
2017-02-01 03:44:50 +05:30
59e31e26f2
Add Binom3 module
2017-02-01 03:35:35 +05:30
3c6fa12aca
Update firefox_smil_uaf to use BrowserExploitServer
2017-01-31 16:04:16 -06:00
2ff170a1fa
Land #7820 , Exploit for TrueOnline Billion 5200W-T
2017-01-31 11:33:56 -06:00
f167358540
Land #7821 , Command Injection Exploit for TrueOnline ZyXEL P660HN
2017-01-31 11:28:46 -06:00
b3521dfb69
Land #7822 , Command Injection Exploit for TrueOnline P660HN v2
2017-01-31 11:22:49 -06:00
c666ac93f5
Adding xff header
2017-01-31 14:37:22 +03:00
40108c2374
first commit
2017-01-31 14:15:46 +03:00
0aceb0b1cb
Fix whitespace, thanks msftidy!
2017-01-30 10:16:42 +00:00
d5845343bd
Fix whitespace, thanks msftidy!
2017-01-30 10:15:20 +00:00
5fd31e621e
Add CVE number
2017-01-30 10:03:46 +00:00
fd6e10bf26
Add CVE numbers
2017-01-30 10:03:13 +00:00
David Maloney
Adam Cammack
dmchell
Carter
juushya
William Webb
Pearce Barry
Javier Godinez
dmohanty-r7
wchen-r7
Mehmet Ince
bwatters-r7
Patrick DeSantis
Brent Cook
William Vu
James Lee
Craig Smith
Swiftb0y
h00die
alpiste
Chris Higgins
Dallas Kaman
Thomas Reburn
Rich Whitcroft
itsmeroy2012
Jon P
wizard32
jvoisin
flakey-biscuits
Ahmed Elhady Mohamed
=
Koen Riepe
root
nixawk
Jin Qian
Louis
Josh Hale
Pedro Ribeiro
James Barnett
Brendan Coles
bigendiansmalls
Jan-Erik Rediger
jvoisin
Jeffrey Martin
David Manouchehri
aushack
OJ
Christian Mehlmauer
jakxx
Spencer McIntyre
Tim
sekritskwurl
MatToufoutu