infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
45,026 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

23451 Commits (650c5c7a93eb8cfbbe66e48e99e47beed58ed752)

Author SHA1 Message Date
Jeffrey Martin 4778de053a
Land #9687, bump payloads, fix PHP meterpreter message parsing 2018-03-07 18:47:47 -08:00
Jacob Robles 49bc0024c1
Land #9678, Add memcached UDP version scanner 2018-03-07 18:47:47 -08:00
Jacob Robles fbee660136
Land #9554, Eclipse Equinoxe OSGi console RCE 2018-03-07 07:49:31 -08:00
Jon Hart 64019d3301
Land #9676, correcting CVE and adding disclosure date for memcached 
amplification
 2018-03-07 07:49:30 -08:00
Brent Cook f6223c0193
Land #9614, Juniper post enum module 2018-03-07 07:49:29 -08:00
bwatters-r7 9be7bc9b21
Land #9665, Add missing reverse_tcp_rc4 payload tests. 
Merge branch 'land-9665' into upstream-master
 2018-03-05 15:29:21 -08:00
William Vu d3b4f91b4c
Land #9671, missed code from TelnetEnable refactor 2018-03-05 15:29:21 -08:00
Jon Hart 6909c635bc
Land #9644, @xistence's memcached stats amplification scanner 2018-03-05 15:29:20 -08:00
h00die 2731b91036
Land #9658 spelling and grammar fixes 2018-03-05 07:42:48 -08:00
h00die e57a1fbd43
Land #9650 netgear telnetenable exploit 2018-03-05 07:42:48 -08:00
bwatters-r7 00d5fcfd97
ReLand #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 
This reverts commit 7964868fcd.
 2018-03-02 17:46:46 -06:00
bwatters-r7 d2150c8d15
Revert "Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm" 
This reverts commit fcc579377f, reversing
changes made to 95cd149378.
 2018-03-02 17:45:58 -06:00
bwatters-r7 4841f29190
Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 2018-03-02 16:41:33 -06:00
William Vu 3fd2862f76
Land #9639, multi/handler exit on disabled handler 
If DisablePayloadHandler is set, abort instead of hanging.
 2018-03-01 07:48:02 -08:00
Sonny Gonzalez 667cc5bcca
Land #9653, fix Y2k38 issue (until Jan 1, 2038) 2018-03-01 09:28:11 -06:00
Wei Chen 735fbc5c9f
Land #9623, Support Win 2008/7+ for enum_ms_product_keys 
Land #9623
 2018-02-25 23:25:03 -08:00
Brent Cook bffba1e5e3
Land #9607, upgrade osx shells to osx meterpreter 2018-02-25 23:25:02 -08:00
William Vu 0a5e9d922f
Land #9601, ms17_010_eternalblue reliability fixes 2018-02-23 08:31:02 -08:00
Brent Cook 2af4f56382
Land #9611, Fix bug causing all OWA logins to appear valid 2018-02-23 08:31:01 -08:00
bwatters-r7 ac6fede928
Land #9441, Create exploit for AsusWRT LAN RCE 
Merge branch 'land-9441' into upstream-master
 2018-02-23 08:31:01 -08:00
Jacob Robles 178afdaed1
Land #9604, Fix logged errors when running without Python 3.6 / gmpy2 2018-02-22 08:27:37 -08:00
Brent Cook a189673782
Land #9584, Fix reverse_php_ssl infinite loop 2018-02-22 08:27:36 -08:00
Brent Cook 826b986018
Land #9602, Create sessions with the Fortinet SSH backdoor scanner 2018-02-22 08:27:36 -08:00
Brent Cook 4e8fe54c6c
Land #9524, prefer 'shell' channels over 'exec' channels for ssh CommandStream 2018-02-22 08:27:36 -08:00
William Vu c1d701f656
Land #9593, finger_users regex fix 2018-02-22 08:27:35 -08:00
Aaron Soto dc913b60e4
Land #9444 - `hsts_eraser` module and docs 2018-02-22 08:27:35 -08:00
Jacob Robles 40220b5ab6
Land #9594, CloudMe Sync v1.10.9 Buffer Overflow 2018-02-22 08:27:35 -08:00
Jacob Robles 72cb9f358e
Land #9561, Disk Savvy Enterprise v10.4.18 built-in server buffer overflow 2018-02-22 08:27:34 -08:00
Brent Cook 59a41f04f7 Land #9366, Add x64 staged Meterpreter for macOS 2018-02-20 09:24:41 -06:00
Brent Cook 8c2484d2da
Land #9164, add OWA 2016 support 2018-02-20 09:24:13 -06:00
Chris Higgins d2c203bcb9
Lands #9504, MagniComp SysInfo privilege escalation 2018-02-20 09:24:13 -06:00
Brent Cook d89a8c3eb9
Land #9571, specify a python encoding for the claymore DoS module 2018-02-16 15:34:49 -08:00
Brent Cook d2e71cfc8b
Land #9512, Add Claymore Dual GPU Miner<= 10.5 DoS module 2018-02-16 15:34:48 -08:00
Brent Cook 31ed50ac92
Land #9539, add bind_named_pipe transport to Windows meterpreter 2018-02-16 15:34:47 -08:00
Wei Chen 004e228a52
Land #9509, Ulterius Server < v1.9.5.0 Directory Traversal 
Land #9509
 2018-02-16 15:34:47 -08:00
Brent Cook e8ad3a98e9
Land #9558, Fix #9417, map timeout exp to a var for telnet_encrypt_overflow 2018-02-15 14:14:07 -08:00
Brent Cook 87dcb13413
update magic numbers 2018-02-15 15:25:47 -06:00
Brent Cook 0cee8485d0
Land #9557, add back udp_probe for now 2018-02-14 11:26:59 -08:00
Spencer McIntyre bdc0b47844
Land #9552, add private_type for stored tomcat pw 
Fixes #9513
 2018-02-13 19:55:54 -08:00
Jeffrey Martin aecc1f143f
Land #7699, Add UDP handlers and payloads (redux) 2018-02-13 14:46:07 -08:00
Jacob Robles f281b45384
Land #9546, Correct Typo 2018-02-13 14:46:07 -08:00
Jacob Robles e485b152e3
Land #9542, Correct Typo 2018-02-13 14:46:06 -08:00
h00die 37cb2d77e7
Land #9422 abrt race condition priv esc on linux 2018-02-12 11:55:21 -06:00
Pearce Barry 6c3168c541
Land #9536, Add Ubuntu notes to documentation 2018-02-12 11:55:19 -06:00
Pearce Barry 73bcec5d11
Land #9408, Add Juju-run Agent Privilege Escalation module (CVE-2017-9232) 2018-02-12 11:55:19 -06:00
h00die 090f7c8bd6
Land #9467 linux priv esc against glibc origin 2018-02-12 11:55:19 -06:00
h00die cd7187023c
Land #9469 linux local exploit for glibc ld audit 2018-02-12 11:55:18 -06:00
Brent Cook 32bd516e70
Land #9525, Update mysql_hashdump for MySQL 5.7 and above 2018-02-12 11:55:17 -06:00
Adam Cammack cd723ac86e Add scanner for Bleichenbacher oracle (ROBOT) 2018-02-09 11:14:30 -06:00
Brent Cook b696665adc
Land #9478, Improve Dup Scout BOF exploit 2018-02-08 10:25:39 -06:00
Brent Cook 909b787a56
Land #9521, flush pipe buffers when a process exists in mettle 2018-02-08 10:25:25 -06:00
William Vu 6c350be24e
Land #9473, new MS17-010 aux and exploit modules 2018-02-02 11:32:40 -06:00
h00die 016af01fd8
Land #9399 a linux priv esc against apport and abrt 2018-02-02 11:32:29 -06:00
Brent Cook ce3d5d77e4
Land #9481, Update native DNS spoofer for Dnsruby 2018-02-02 11:32:18 -06:00
Brent Cook ec12d61702
Land #9354, Debut embedded httpd server (Brother printers) DoS 2018-02-02 11:31:59 -06:00
bwatters-r7 64746d8325
Land # 9407, Add BMC Server Automation RSCD Agent RCE exploit module 
Merge branch 'land-9407' into upstream-master
 2018-02-01 11:23:59 -06:00
h00die b7fbffa331
Land #9445 fixes for ssl labs scanner module 2018-02-01 11:23:46 -06:00
Jacob Robles 4fa68f29d9
Land #9457, Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow 2018-02-01 11:23:26 -06:00
Aaron Soto 395320ba97 Land #9379, Oracle Weblogic RCE exploit and documentation 2018-01-26 18:08:56 -06:00
William Vu a87ae41d81 Land #9446, Post API fix for setuid_nmap 2018-01-26 18:08:47 -06:00
Matthew Kienow b515a582f0
Land #9424, Add SharknAT&To external scanner 2018-01-24 17:20:03 -06:00
Pearce Barry 926ce42a01
Land #8632, colorado ftp fixes 2018-01-24 17:13:20 -06:00
bwatters-r7 2ea9ab2625
Land #9416, Sync Breeze Enterprise 9.5.16 Import Command buffer overflow 
Merge branch 'land-9416' into upstream-master
 2018-01-24 17:13:16 -06:00
Adam Cammack a4022f7b8f
Land #9430, Improve Hyper-V checkvm checks 2018-01-24 17:13:12 -06:00
bwatters-r7 a136841794
Land #9114, Add module for Kaltura <= 13.1.0 RCE (CVE-2017-14143) 
Merge branch 'land-9114' into upstream-master
 2018-01-24 17:13:00 -06:00
Brent Cook d6beb94c59
Land #6611, add native DNS to Rex, MSF mixin, sample modules 2018-01-24 17:12:52 -06:00
Brent Cook 5ec3da843e
Land #9349, GoAhead LD_PRELOAD CGI Module 2018-01-24 17:12:47 -06:00
Brent Cook 294a8e0ada
Land #9413, Expand the number of class names searched when checking for an exploitable JMX server 2018-01-24 17:12:43 -06:00
Brent Cook bb73d2c07e
Land #9431, Fix owa_login to handle inserting credentials for a hostname 2018-01-24 17:12:39 -06:00
Brent Cook 47682e3f37
Land #9404, update module author 2018-01-24 17:12:34 -06:00
Wei Chen ab610f599b
Land #9442, Remove NoMethod Rescue for cerberus_sftp_enumusers 
Land #9442
 2018-01-24 17:12:25 -06:00
Wei Chen 10fafb62bb
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil 
Land #9436

Thanks Steve!
 2018-01-24 17:12:16 -06:00
Brent Cook 512192d3b0
Land #9267, Add targets to sshexec 2018-01-24 17:12:12 -06:00
Brent Cook 55c345418d
Land #9438, address cmd_exec inconsistencies 2018-01-24 17:11:40 -06:00
Brent Cook 23619431aa
update stageless python sizes 2018-01-24 17:08:51 -06:00
Brent Cook d6e966b079
Land #9414, wp_admin_shell_upload - remove plugin dir after exploitation 2018-01-16 21:08:22 -06:00
William Vu e5bd36da1c
Land #9402, NIS bootparamd domain name disclosure 2018-01-15 15:36:00 -06:00
Christian Mehlmauer 2f9eebe28b
remove plugin dir 2018-01-15 14:48:59 +01:00
William Vu 736d438813 Address second round of feedback 
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
 2018-01-13 22:55:01 -06:00
William Vu 1a8eb7bf2a Update nis_ypserv_map after bootparam feedback 
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
 2018-01-13 15:40:17 -06:00
William Vu c080329ee6 Update module after feedback 
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!
 2018-01-13 15:40:11 -06:00
William Vu eb8429cbd3
Revert "umlaut" 
This reverts commit ffd7073420.
 2018-01-12 22:57:22 -06:00
Brendan Coles ffd7073420
umlaut 2018-01-13 15:48:45 +11:00
Jeffrey Martin 1f1dc59d17
Land #9392, python meterpreter whitespace normalization 2018-01-12 21:24:13 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout 
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
 2018-01-12 19:34:59 -06:00
William Vu 0c9f1d71d3 Add NIS bootparamd domain name disclosure 2018-01-12 19:34:53 -06:00
Agahlot 488f27bf76 Small Typo 2018-01-12 07:05:30 -05:00
Wei Chen e6c4fb1dab
Land #9269, Add a new target for Sync Breeze Enterprise GET BoF 
Land #9269
 2018-01-11 16:54:23 -06:00
Wei Chen f395e07fc6 Land #9269, add new target for Sync Breeze Enterprise GET BoF 
Land #9269
 2018-01-11 16:53:02 -06:00
William Vu 4b225c30fd
Land #9368, ye olde NIS ypserv map dumper 2018-01-10 22:02:36 -06:00
William Vu f66b11f262 Nix an unneeded variable declaration 2018-01-10 20:24:02 -06:00
Wei Chen 6510ee53bc
Land #9204, Add exploit for Samsung SRN-1670D (CVE-2017-16524) 
Land #9204
 2018-01-10 20:15:29 -06:00
Wei Chen 18c179a091 Update module and add documentation 
This updates the module to pass:

* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes

A documentation is also added.
 2018-01-10 20:13:42 -06:00
William Vu b66889ac86 Rescue additional errors and refactor code 
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
 2018-01-10 20:11:25 -06:00
Wei Chen 7e2c7837e5
Land #9325, Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module 
Land #9325
 2018-01-10 17:39:50 -06:00
Wei Chen b1f3f471f3 Update phpcollab_upload_exec code (also module documentation) 2018-01-10 17:38:52 -06:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules 
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
 2018-01-10 15:47:20 -06:00
Wei Chen 8d77f35b16
Land #9373, Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow 
Land #9373
 2018-01-09 22:40:50 -06:00
Wei Chen 25280e3319 Update labf_nfsaxe and module documentation 2018-01-09 22:39:40 -06:00
Brent Cook f125e13278
python meterpreter whitespace normalization 2018-01-09 16:08:52 -05:00
Wei Chen 777e383568
Land #9377, Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 
Land #9377
 2018-01-09 13:56:53 -06:00
Wei Chen a0c9cdd73d
Land #9376, Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 
Land #9376
 2018-01-09 13:28:03 -06:00
Brent Cook 573ee28631
Land #9378, Detect and return on bad VNC negotiations 2018-01-09 03:46:00 -05:00
William Vu 4a5a17a8e1 Add NIS ypserv map dumper 2018-01-08 14:27:53 -06:00
Wei Chen d138f1508c
Land #9340, Add exploit for Commvault Remote Command Injection 
Land #9340
 2018-01-07 12:17:26 -06:00
Daniel Teixeira ff1806ef5f
Update labf_nfsaxe.rb 2018-01-07 16:46:06 +00:00
Daniel Teixeira a69f275a39
Update labf_nfsaxe.rb 2018-01-05 21:14:47 +00:00
Daniel Teixeira c819aebc76
Add files via upload 2018-01-05 21:11:21 +00:00
Daniel Teixeira e797ca4781
Add files via upload 2018-01-05 21:00:47 +00:00
Daniel Teixeira aca76e2a4e
Update labf_nfsaxe.rb 2018-01-05 20:58:36 +00:00
Daniel Teixeira 2643acbc25
Update labf_nfsaxe.rb 2018-01-05 20:55:49 +00:00
Daniel Teixeira b29710c66b
Add files via upload 2018-01-05 20:47:27 +00:00
Daniel Teixeira 94a1198485
Update labf_nfsaxe.rb 2018-01-05 20:41:49 +00:00
Daniel Teixeira b97785c7a9
Update labf_nfsaxe.rb 2018-01-05 18:46:33 +00:00
Daniel Teixeira e7946549d7
Update labf_nfsaxe.rb 2018-01-05 18:31:40 +00:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Brendan Coles 006514864b Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 2018-01-05 11:28:48 +00:00
Brendan Coles 52a5fc9e0a Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 2018-01-05 11:28:14 +00:00
Daniel Teixeira a3fb8b6619
Update labf_nfsaxe.rb 2018-01-04 20:55:38 +00:00
Daniel Teixeira e5bb4bf057
Add files via upload 2018-01-04 20:26:28 +00:00
h00die 65f444ddcc
land #9362 exploit for pfsense graph injection 2018-01-04 14:35:52 -05:00
wetw0rk c9d6d0a7a7 -51 2018-01-04 12:25:31 -06:00
William Vu 366a20a4a4
Fix #9215, minor style nitpick 2018-01-03 23:11:51 -06:00
Brent Cook 520e890520
Land #8581, VMware Workstation ALSA Config File Local Privilege Escalation 2018-01-03 21:35:57 -06:00
Wei Chen b8dde2e650 Land #9360, Ayukov NFTP FTP client buffer overflow vulnerability 
Land #9360
 2018-01-03 20:56:12 -06:00
Wei Chen 04cf3017c0 Update ayukov_nftp exploit and module documentation 2018-01-03 20:52:57 -06:00
Aaron Soto 7849155347
Land #9359, Improve DCE/RPC fault handling 2018-01-03 20:42:17 -06:00
William Vu c3f10c1d57
Land #9336, Linksys WVBR0-25 exploit 2018-01-03 18:13:44 -06:00
dmohanty-r7 a5fa63405f
Land #9206, Add Xplico RCE exploit module 2018-01-03 16:02:51 -06:00
Adam Cammack a98de2d9a3
Land #9358, Support password protected key files 2018-01-03 15:12:28 -06:00
William Vu a1d43c8f33
Land #9215, new Drupageddon vector 2018-01-03 14:45:32 -06:00
William Vu 84c951cc1d
Land #8059, Postfixadmin alias modification module 2018-01-03 14:29:49 -06:00
wetw0rk 16d709f180 changes+filedropper 2018-01-03 14:09:30 -06:00
wetw0rk 8f0e41e159 requested changes 2018-01-01 17:30:43 -06:00
wetw0rk c47d09717d pfsense graph sploit 2018-01-01 03:18:51 -06:00
Daniel Teixeira 67357e316b
Update ayukov_nftp.rb 2017-12-31 17:48:23 +00:00
Daniel Teixeira 10b2833e7c
Update ayukov_nftp.rb 2017-12-31 17:00:17 +00:00
Daniel Teixeira 21717ae0a2
Create ayukov_nftp.rb 2017-12-31 15:43:16 +00:00
bka-dev 086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden 
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
 2017-12-31 14:41:33 +01:00
RageLtMan f2a8d68a1f Permit encrypted SSH keys for login scanner 
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.

Testing:
  None yet
 2017-12-31 02:53:06 -05:00
Brendan Coles c153788424 Remove sleeps 2017-12-30 15:20:56 +00:00
Jan-Frederik Rieckers 7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930 
Add error handling if request fails

Fix a typo in doc, add default value to doc
 2017-12-30 13:04:23 +01:00
h00die 3516305517
land #9191 an exploit against HP LoadRunner magentproc 2017-12-29 16:35:43 -05:00
h00die 4dacc70b9a slight updates to magentproc docs 2017-12-29 16:35:12 -05:00
h00die b698095c49 slight updates to magentproc docs 2017-12-29 16:30:32 -05:00
Jan-Frederik Rieckers 289e887895
Adding Module for Postfixadmin CVE-2017-5930 
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
 2017-12-29 17:13:59 +01:00
Brent Cook 8de760f1f7
Land #9348, Only use basic auth in couchdb_enum when credentials are provided 2017-12-28 21:24:45 -06:00
Pearce Barry e614e9b732
Land #9268, Update DiskBoss Module (EDB 42395) 2017-12-28 16:39:26 -06:00
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
james fad4ccece9 Only use basic auth in couchdb_enum when credentials are provided 2017-12-27 20:16:01 -06:00