jvazquez-r7
d4ec858051
Clean zimbra_lfi
2013-12-18 15:46:37 -06:00
sinn3r
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
Joe Vennix
64273fe41d
Move addon datastore options into mixin.
2013-12-18 14:42:01 -06:00
Joe Vennix
ca2de73879
It helps to actually commit the exploit.
2013-12-18 14:31:42 -06:00
Joe Vennix
1235615f5f
Add firefox 15 chrome privilege exploit.
...
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Mekanismen
0c0e8c3a49
various updates
2013-12-18 20:54:35 +01:00
jvazquez-r7
ab69454f89
Land #2745 , @rcvalle's exploit for CVE-2013-2068
2013-12-18 12:06:27 -06:00
jvazquez-r7
ec64382efc
Fix cfme_manageiq_evm_upload_exec according to chat with @rcvalle
2013-12-18 11:53:30 -06:00
jvazquez-r7
a28ea18798
Clean pull request
2013-12-18 11:32:34 -06:00
Mekanismen
2de15bdc8b
added module for Zimbra Collaboration Server CVE-2013-7091
2013-12-17 19:32:04 +01:00
sinn3r
ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 20:32:27 -06:00
jvazquez-r7
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
jvazquez-r7
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
jvazquez-r7
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
Tod Beardsley
f88a3a55b6
More slight updates.
2013-12-16 15:05:39 -06:00
sinn3r
afcee93309
Land #2771 - Fix description
2013-12-16 15:01:32 -06:00
sinn3r
04b7e8b174
Fix module title and add vendor patch information
2013-12-16 14:59:00 -06:00
Tod Beardsley
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jvazquez-r7
533accaa87
Add module for CVE-2013-3346
2013-12-16 14:13:47 -06:00
Meatballs
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
Meatballs
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
Meatballs
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
OJ
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
Meatballs
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
Meatballs
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
jvazquez-r7
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
sinn3r
ba1a70b72e
Update Microsoft patch information
2013-12-13 15:59:15 -06:00
jvazquez-r7
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
jvazquez-r7
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
jvazquez-r7
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
jvazquez-r7
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
jvazquez-r7
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
jvazquez-r7
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
sinn3r
930a907531
Land #2748 - HP LoadRunner EmulationAdmin Web Service Directory Traversal
2013-12-10 16:29:12 -06:00
sinn3r
3a9ac303f0
Use rexml for XML data generation
2013-12-10 15:37:44 -06:00
William Vu
ff9cb481fb
Land #2464 , fixes for llmnr_response and friends
...
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
jvazquez-r7
3d5501326b
Land #2743 , @Mekanismen's exploit for CVE-2013-0632
2013-12-10 10:00:30 -06:00
jvazquez-r7
30960e973f
Do minor cleanup on coldfusion_rds
2013-12-10 09:59:36 -06:00
jvazquez-r7
230fcd87a5
Add module for zdi-13-259
2013-12-10 08:45:08 -06:00
Mekanismen
9a6e504bfe
fixed path error and description
2013-12-10 09:05:34 +01:00
Mekanismen
313a98b084
moved coldfusion_rds to multi directory and fixed a bug
2013-12-10 08:45:27 +01:00
Mekanismen
0845e3ce37
updated
2013-12-10 00:45:34 +01:00
Mekanismen
bca2212f7e
updated
2013-12-09 23:28:17 +01:00
Mekanismen
60d32be7d9
updated
2013-12-09 23:10:13 +01:00
Tod Beardsley
e737b136cc
Minor grammar/caps fixup for release
2013-12-09 14:01:27 -06:00
Mekanismen
14d12a2ce3
updated
2013-12-09 20:22:26 +01:00
Ramon de C Valle
21661b168b
Add cfme_manageiq_evm_upload_exec.rb
...
This module exploits a path traversal vulnerability in the "linuxpkgs"
action of "agent" controller of the Red Hat CloudForms Management Engine
5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
2013-12-09 16:18:12 -02:00
Mekanismen
67415808da
added exploit module for CVE-2013-0632
2013-12-09 15:18:34 +01:00
sinn3r
2f6a77861a
Land #2731 - vBulletin nodeid SQL injection (exploit)
2013-12-09 02:22:07 -06:00
jvazquez-r7
f77784cd0d
Land #2723 , @denandz's module for OSVDB-100423
2013-12-06 17:32:07 -06:00
jvazquez-r7
3729c53690
Move uptime_file_upload to the correct location
2013-12-06 15:57:52 -06:00
jvazquez-r7
2ff9c31747
Do minor clean up on uptime_file_upload
2013-12-06 15:57:22 -06:00
jvazquez-r7
d47292ba10
Add module for CVE-2013-3522
2013-12-06 13:50:12 -06:00
Meatballs
6f02744d46
Land #2730 Typo in mswin_tiff_overflow
2013-12-06 12:32:37 +00:00
Meatballs
3aebe968bb
Land #2721 Reflective DLL Mixin
...
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r
89ef1d4720
Fix a typo in mswin_tiff_overflow
2013-12-06 00:44:12 -06:00
DoI
3d327363af
uptime_file_upload code tidy-ups
2013-12-06 13:45:22 +13:00
jvazquez-r7
e4c6413643
Land #2718 , @wchen-r7's deletion of @peer on HttpClient modules
2013-12-05 17:25:59 -06:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
DoI
07294106cb
Removed redundant content-type parameter
2013-12-05 14:18:26 +13:00
DoI
cfffd80d22
Added uptime_file_upload exploit module
2013-12-05 11:56:05 +13:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
Tod Beardsley
f5a45bfe52
@twitternames not supported for author fields
...
It's kind of a dumb reason but there are metasploit metadata parsers out
there that barf all over @names. They assume user@email.address . Should
be fixed some day.
2013-12-04 13:31:22 -06:00
OJ
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
sinn3r
bf3489203a
I missed this one
2013-12-03 13:13:14 -06:00
sinn3r
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r
ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
...
Also [SeeRM #8140 ]
2013-12-03 10:51:58 -06:00
jvazquez-r7
2d77ed58d5
Land #2648 , @pnegry's exploit for Kaseya File Upload
2013-12-03 09:35:05 -06:00
jvazquez-r7
2606a6ff0e
Do minor clean up for kaseya_uploadimage_file_upload
2013-12-03 09:34:25 -06:00
Thomas Hibbert
21bb8fd25a
Update based on jvazquez's suggestions.
2013-12-03 13:49:31 +13:00
jvazquez-r7
47bff9a416
Land #2711 , @Mekanismen exploit for wordpress OptimizePress theme
2013-12-02 16:30:24 -06:00
jvazquez-r7
5c3ca1c8ec
Fix title
2013-12-02 16:30:01 -06:00
jvazquez-r7
c32b734680
Fix regex
2013-12-02 16:24:21 -06:00
Tod Beardsley
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
jvazquez-r7
79a6f8c2ea
Clean php_wordpress_optimizepress
2013-12-02 15:43:41 -06:00
jvazquez-r7
41f8a34683
Use attempts
2013-12-02 08:43:22 -06:00
jvazquez-r7
433d21730e
Add ATTEMPTS option
2013-12-02 08:42:25 -06:00
jvazquez-r7
b9192c64aa
Fix @wchen-r7's feedback
2013-12-01 19:55:53 -06:00
Mekanismen
57b7d89f4d
Updated
2013-12-01 09:06:41 +01:00
Mekanismen
045b848a30
added exploit module for optimizepress
2013-11-30 21:51:56 +01:00
jvazquez-r7
3417c4442a
Make check really better
2013-11-30 09:47:34 -06:00
jvazquez-r7
749e6bd65b
Do better check method
2013-11-30 09:46:22 -06:00
jvazquez-r7
0a7c0eea78
Fix references
2013-11-29 23:13:07 -06:00
jvazquez-r7
691d47f3a3
Add module for ZDI-13-255
2013-11-29 23:11:44 -06:00
sinn3r
8817c0eee0
Change description a bit
...
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
jvazquez-r7
807e2dfd31
Fix title
2013-11-28 10:53:12 -06:00
jvazquez-r7
7dee4ffd4d
Add module for ZDI-13-270
2013-11-28 10:47:04 -06:00
Thomas Hibbert
d1e4975f76
Use res.get_cookies instead of homebrew parse. Use _cgi
2013-11-28 16:35:36 +13:00
sinn3r
a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection
2013-11-27 19:10:44 -06:00
OJ
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Thomas Hibbert
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
sinn3r
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
sinn3r
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
Tod Beardsley
671c0d9473
Fix nokogiri typo
...
[SeeRM #8730 ]
2013-11-26 10:54:31 -06:00
jvazquez-r7
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
jvazquez-r7
6cb63cdad6
Land #2679 , @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
jvazquez-r7
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
sinn3r
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
sinn3r
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
jvazquez-r7
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
sinn3r
385381cde2
Change target address
...
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
sinn3r
57f4f68559
Land #2652 - Apache Roller OGNL Injection
2013-11-25 15:14:35 -06:00
sinn3r
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
sinn3r
4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln
2013-11-25 12:58:45 -06:00
bcoles
a03cfce74c
Add table prefix and doc root as fallback options
2013-11-25 17:44:26 +10:30
sinn3r
fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability
2013-11-24 00:47:14 -06:00
bcoles
d8700314e7
Add Kimai v0.9.2 'db_restore.php' SQL Injection module
2013-11-24 02:32:16 +10:30
sinn3r
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
sinn3r
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
sinn3r
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
sinn3r
f871452b97
Slightly change the description
...
Because it isn't that slow
2013-11-22 19:27:00 -06:00
sinn3r
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
jvazquez-r7
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
sinn3r
c8fd761c53
Progress
2013-11-22 16:57:29 -06:00
jvazquez-r7
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
sinn3r
953a96fc2e
This one looks promising
2013-11-22 12:27:10 -06:00
sinn3r
8476ca872e
More progress
2013-11-22 11:53:57 -06:00
sinn3r
f1d181afc7
Progress
2013-11-22 04:51:55 -06:00
sinn3r
6d5c1c230c
Progress
2013-11-22 03:55:40 -06:00
sinn3r
4d2253fe35
Diet
2013-11-22 02:25:09 -06:00
sinn3r
8382d31f46
More progress
2013-11-21 18:48:12 -06:00
jvazquez-r7
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
sinn3r
22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2
2013-11-21 15:30:42 -06:00
sinn3r
56d1c545e7
Oh look, more code
2013-11-21 14:42:07 -06:00
jvazquez-r7
851cf6f0d1
Land #2650 , @pnegry's exploit for DesktopCentral 8
2013-11-21 09:30:17 -06:00
jvazquez-r7
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
jvazquez-r7
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
jvazquez-r7
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
jvazquez-r7
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
jvazquez-r7
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
jvazquez-r7
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
jvazquez-r7
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
sinn3r
ddd5b0abb9
More progress
2013-11-21 04:27:41 -06:00
sinn3r
e13e457d8f
Progress
2013-11-20 17:11:13 -06:00
William Vu
9f45121b23
Remove EOL spaces
2013-11-20 15:08:13 -06:00
jvazquez-r7
cec4166766
Fix description
2013-11-20 12:49:22 -06:00
jvazquez-r7
18e69bee8c
Make OGNL expressions compatible with struts 2.0.11.2
2013-11-20 12:42:10 -06:00
sinn3r
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
Thomas Hibbert
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00