Commit Graph

16877 Commits (65a40a994b24fba091d2ec907c400711145818b0)

Author SHA1 Message Date
HD Moore c3f2536ef6 Make the stager clear in the payload descriptions 2015-03-11 21:30:02 -05:00
HD Moore b105a88b95 Fix https convention 2015-03-11 21:26:31 -05:00
HD Moore 8bae58d631 Updated cache sizes 2015-03-11 21:25:12 -05:00
Tod Beardsley 99494328d2
Update Nvidia module with an OSVDB ref
The paper is really good, but could use a more traditional reference.

[See #4884]
2015-03-11 19:51:22 -05:00
jvazquez-r7 0e4e264325 Redo description 2015-03-11 18:19:28 -05:00
jvazquez-r7 4e6aca0209 refactor create_exploit_file 2015-03-11 18:13:09 -05:00
jvazquez-r7 5662e5c5a6 Add module for MS15-020 2015-03-11 17:29:02 -05:00
HD Moore 1135e5e073 First take on WinHTTP stagers, untested 2015-03-11 16:27:14 -05:00
HD Moore 7e3b4017f0 Rename and resynced with master, ready for refactoring 2015-03-11 14:36:27 -05:00
HD Moore ea1bc69e2e Merge branch 'master' into feature/add-reverse_winhttp-stagers 2015-03-11 14:29:34 -05:00
sinn3r 215c209f88
Land #4901, CVE-2014-0311, Flash ByteArray Uncompress UAF 2015-03-11 14:04:17 -05:00
sinn3r 43b90610b1 Temp 2015-03-11 13:53:34 -05:00
Brent Cook ceeee4446f
Land #4904, @hmoore-r7 reworks reverse_http/s stagers
They are now assembled dynamically and support more flexible options,
such as long URLs.
2015-03-11 10:41:59 -05:00
sinn3r 2a9d6e64e2 Starting point for CVE-2015-0318 2015-03-11 09:58:41 -05:00
HD Moore ad39adf9c2 Missing comma 2015-03-11 00:49:07 -05:00
HD Moore a89926b663 Exclude vncinject from http stagers (depends on sockedi) 2015-03-11 00:46:04 -05:00
jvazquez-r7 8a452a7cba Do somce cleanup 2015-03-10 17:10:44 -05:00
Brent Cook 9ade107325 disable reverse_http methods from upexec and shell payloads
These don't work over http and don't appear to have ever, as far back as
I could test. They appear to be an accident perhaps.
2015-03-10 17:08:58 -05:00
jvazquez-r7 4a84693fb0 Support windows 2015-03-10 16:58:33 -05:00
jvazquez-r7 c26bea3429 Fix credits 2015-03-10 16:27:07 -05:00
jvazquez-r7 980c83cb70 Fix metadata 2015-03-10 16:25:02 -05:00
jvazquez-r7 9e17874389 Exploit CVE-2015-1427 2015-03-10 16:17:51 -05:00
HD Moore db351317a5 Merge with PR branch 2015-03-10 14:08:35 -05:00
HD Moore 0f763c2cb3 First step to reworking the winhttp stagers 2015-03-10 14:07:25 -05:00
Borja Merino 991e72a4fa HTTP stager based on WinHttp 2015-03-10 13:40:16 -05:00
HD Moore 966848127a Refactor x86 Windows reverse_http and reverse_https stagers 2015-03-10 12:48:30 -05:00
m-1-k-3 64f769504b encoding 2015-03-10 17:47:15 +01:00
m-1-k-3 6657c7d11d Belkin - CVE-2014-1635 2015-03-10 16:49:51 +01:00
jvazquez-r7 f8f178b1db Fix script_mvel_rce check 2015-03-10 09:39:02 -05:00
jvazquez-r7 9dc99e4207 Update check 2015-03-10 09:26:22 -05:00
Sigurd Jervelund Hansen c6cb1e840d Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...". 2015-03-10 10:26:03 +01:00
Brent Cook 97f09b6ab0
Land #4894: hmoore-r7 cache payload sizes on start
Avoid the hit of regenerating all of the static-size payloads when
loading the framework. This will facilitate conversion of payloads to
use metasm later.
2015-03-09 23:06:55 -05:00
jvazquez-r7 fc4b312879 Add template 2015-03-09 23:04:32 -05:00
Julian Vilas fe822f8d33 Modify automatic file cleanup 2015-03-10 00:45:20 +01:00
Julian Vilas 0ef303cb6c Fix Java payload 2015-03-10 00:01:27 +01:00
HD Moore 618fbf075a Update CachedSize for the fixed stager 2015-03-09 16:57:14 -05:00
HD Moore 746f18d9bb Fallback to a localhost variant to make the length predictable 2015-03-09 16:56:25 -05:00
jvazquez-r7 78167c3bb8 Use single quotes when possible 2015-03-09 16:55:21 -05:00
HD Moore 6543c3c36f Update CachedSize for the fixed stager 2015-03-09 16:54:57 -05:00
HD Moore c676ac1499 Fallback to a localhost variant to make the length predictable 2015-03-09 16:53:28 -05:00
jvazquez-r7 cb72b26874 Add module for CVE-2014-0311 2015-03-09 16:52:23 -05:00
HD Moore d0324e8ad3 Final cleanup, passing specs 2015-03-09 15:50:57 -05:00
HD Moore da81f6b2a0 Correct the :dynamic cache sizes 2015-03-09 15:44:14 -05:00
HD Moore 02509d02e4 The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 15:31:04 -05:00
Hans-Martin Münch (h0ng10) bba4223d68 Initial commit 2015-03-09 16:36:11 +01:00
Tod Beardsley df80d56fda
Land #4898, prefer URI to open-uri 2015-03-09 09:14:10 -05:00
William Vu 3075c56064 Fix "response HTML" message
In modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb.
2015-03-07 17:08:08 -06:00
Julian Vilas 2eb0011a99 Autotrigger JSP shell at docBase 2015-03-07 20:41:08 +01:00
Julian Vilas 3be2bde5a2 Use bypass for bulletin S2-020 2015-03-07 19:14:20 +01:00
joev d7295959ca Remove open-uri usage in msf. 2015-03-05 23:45:28 -06:00
jvazquez-r7 2134cc3d22
Modify description 2015-03-05 16:55:24 -06:00
jvazquez-r7 7b4776ee79 Deregister FOLDER_NAME 2015-03-05 16:42:07 -06:00
jvazquez-r7 1bc81ea723
Merge #4884 into updated master 2015-03-05 16:41:15 -06:00
Meatballs 33f089b1a5
Tidyup 2015-03-05 21:50:12 +00:00
jvazquez-r7 9f3f8bb727
Merging #3323 work 2015-03-05 15:44:15 -06:00
jvazquez-r7 c388fd49c2 Fix print message 2015-03-05 15:43:54 -06:00
jvazquez-r7 dd2559b748 Favor new target over new module 2015-03-05 15:41:53 -06:00
jvazquez-r7 e1a4b046a0 Add support for tomcat 7 to struts_code_exec_classloader 2015-03-05 15:40:24 -06:00
Meatballs c56679f33e
Modify for new SMB mixin 2015-03-05 21:26:13 +00:00
Tod Beardsley e429d4c04f Add reference and description for PTH on Postgres
Dave and William did most of the work already over on PR #4871, this
just points it out in the module.
2015-03-05 14:36:56 -06:00
sinn3r 16c86227e2 Change to OptBool and default to explicit 2015-03-05 13:07:03 -06:00
jvazquez-r7 de08d8247b Do some module cleanup 2015-03-05 13:00:01 -06:00
jvazquez-r7 82659aba93 Populate metadata from code to make test easier 2015-03-05 12:40:20 -06:00
jvazquez-r7 dc02f8332f Pass msftidy 2015-03-05 12:29:31 -06:00
jvazquez-r7 a06eb04d59 Deregister FOLDER_NAME on exploit modules 2015-03-05 12:27:12 -06:00
sinn3r cb9922ad39
Land #4874, Add PHPMoAdmin command injection 2015-03-05 11:30:44 -06:00
sinn3r 8978b1d7b5 Add a version 2015-03-05 11:29:44 -06:00
Ricardo Almeida 32188f09d6 Update phpmoadmin_exec.rb
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
Ricardo Almeida 95962aab0d Update phpmoadmin_exec.rb
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.

Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
aushack 2f4df39dc9 Fixed typo 2015-03-05 17:40:51 +11:00
sinn3r d40e7485dd Add CVE-2015-0240 auxiliary module 2015-03-04 23:50:14 -06:00
jvazquez-r7 e715eaba58 Update description 2015-03-04 16:39:27 -06:00
jvazquez-r7 e155f2998e Change module filename 2015-03-04 16:38:08 -06:00
jvazquez-r7 77abd57397 Do code cleanup 2015-03-04 16:37:31 -06:00
jvazquez-r7 22ff4d0097 Update with master changes 2015-03-04 16:30:19 -06:00
jvazquez-r7 e7de09df29 Change module filename 2015-03-04 16:18:45 -06:00
jvazquez-r7 1337b7ace8 Clean module 2015-03-04 16:18:10 -06:00
Ricardo Almeida 9530e15c81 Update phpmoadmin_exec.rb
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
jvazquez-r7 d4738d8c0a
Update #3076 branch 2015-03-04 15:51:00 -06:00
Ricardo Almeida c19895ac85 Update phpmoadmin_exec.rb
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
jvazquez-r7 5cc9ea3618 Update with master changes 2015-03-04 15:16:12 -06:00
William Vu a64dd4a1af
Land #4871, Postgres PTH support
MSP-12244
2015-03-04 15:08:57 -06:00
David Maloney 2d46c06b97
Merge branch 'master' into feature/MSP-12244/postgres-pass-the-hash 2015-03-04 13:56:10 -06:00
jvazquez-r7 fa9d921138 Beautify description 2015-03-04 13:07:10 -06:00
jvazquez-r7 8fdb7a798e Change module filename 2015-03-04 13:01:06 -06:00
jvazquez-r7 36375fab28 Fix downcase path handling 2015-03-04 12:58:41 -06:00
jvazquez-r7 62dde22d88 Clean packet building 2015-03-04 12:27:58 -06:00
Ricardo Almeida 4d67e0e1bb Add PHPMoAdmin RCE 2015-03-04 18:17:31 +00:00
jvazquez-r7 e04ff3ee24 Delete CMD option 2015-03-04 11:51:58 -06:00
jvazquez-r7 d4337ce1ae Do minor metadata cleanup 2015-03-04 11:46:01 -06:00
jvazquez-r7 1371cfe025 Test landing #4451 2015-03-04 11:20:07 -06:00
jvazquez-r7 aaab4b401a Fix indenting and use primer 2015-03-04 10:46:34 -06:00
jvazquez-r7 0e57277dc1 Do cleanup 2015-03-04 10:33:57 -06:00
jvazquez-r7 b9ed8178a9 Solve conflicts on ms13_071_theme 2015-03-04 10:28:52 -06:00
Matthew Hall 4757698c15 Modify primer to utilise file_contents macro. 2015-03-04 09:52:00 +00:00
Matthew Hall a90ebfe9a7 Modify primer to utilise file_contents macro. 2015-03-04 09:51:32 +00:00
Matthew Hall dfb6711ad7 Modify primer to utilise file_contents macro. 2015-03-04 09:51:01 +00:00
Matthew Hall a5d748d19e Modify primer to utilise file_contents macro. 2015-03-04 09:50:28 +00:00
Matthew Hall 0d56f5b6e6 Modify primer to utilise file_contents macro. 2015-03-04 09:49:17 +00:00
jvazquez-r7 80b76436bb
Land #4831, @wchen-r7's update for MS14-064 exploit
* Support Windows XP with VBScript technique
2015-03-03 19:19:49 -06:00
sinn3r 7591e9ece3 Unbreak the comment 2015-03-03 19:14:18 -06:00
sinn3r 79e7bf7f9c Update comments and description 2015-03-03 19:13:15 -06:00
David Maloney c8f23b2903
fix jtr_postgres_fast too
the JtR hash cracker for postgres hashes now uses
the new PostgresMD5 class for finding it's hashes

MSP-12244
2015-03-03 18:46:47 -06:00
David Maloney 199c3ba96c
postgres hashdump now stores PostgresMD5 objects
instead of nonreplayabke hashes the postgres_hashdump
aux module now saves them approriately as PostgresMD5s
with the md5 tag intact at the front

MSP-12244
2015-03-03 16:45:13 -06:00
William Vu a648e74c4b Remove unnecessary semicolon 2015-03-02 15:36:45 -06:00
William Vu 80169de4d0 Remove -i from shell in reverse_python 2015-03-02 15:29:50 -06:00
William Vu ecd7ae9c3b
Land #4857, symantec_web_gateway_restore module 2015-03-02 15:00:10 -06:00
sinn3r ad28f9767f Use include 2015-03-02 14:41:25 -06:00
sinn3r cb140434f9 Update 2015-03-02 12:59:21 -06:00
sinn3r 5f3ed83922
Land #4836, Solarwinds Core Orion Service SQL injection 2015-03-02 11:44:26 -06:00
OJ 905a539a00 Add exploit for Seagate Business NAS devices
This module is an exploit for a pre-authenticated remote code execution
vulnerability in Seagate Business NAS products.
2015-03-01 13:25:28 +10:00
Brandon Perry f8e3874203 add nil check 2015-02-28 20:43:19 -06:00
sinn3r 4a1fbbdc3b Use datastore to find payload name 2015-02-28 19:56:32 -06:00
sinn3r ef9196ba6c Correct comment 2015-02-27 13:27:49 -06:00
sinn3r 7b6c39058a Correct target name 2015-02-27 13:24:57 -06:00
sinn3r 90aff51676 Add CVE-2014-7285, Symantec Web Gateway restore.php Command Injection 2015-02-27 12:31:29 -06:00
Bazin Danil 1d03b9a166 Maj debug output 2015-02-26 21:06:20 +01:00
rastating 3b21de3906 Add WPVDB reference 2015-02-26 13:37:23 +00:00
Brandon Perry ceb92cdf5e update login method 2015-02-26 07:33:51 -06:00
William Vu f24da1b178 Add file checking to printer_delete_file 2015-02-25 18:14:13 -06:00
William Vu dc3ba40e5d Add file checking to printer_upload_file 2015-02-25 18:13:36 -06:00
William Vu 513d11ce93 Complete replacement of "pathname" with "path"
See e8c2c3687d.
2015-02-25 15:52:26 -06:00
William Vu b3d4fc798f Add printer_delete_file module 2015-02-25 15:47:53 -06:00
William Vu 90d179e56f Add printer_upload_file module 2015-02-25 15:01:01 -06:00
William Vu 3cf94740e6
Land #4817, CHECK_TCP option for Lantronix module 2015-02-25 13:16:14 -06:00
William Vu d301752a88 Fix whitespace 2015-02-25 13:16:03 -06:00
rastating e2dfdd60c0 Update version range 2015-02-25 19:11:15 +00:00
rastating 242d3b8680 Add WP EasyCart privilege escalation module 2015-02-24 21:11:22 +00:00
Tod Beardsley 94b4bc24bd
Minor word choice changes
[See #4804]
2015-02-24 12:29:11 -06:00
Tod Beardsley 6feae9524b
Fix up funny indent on description
[See #4770]
2015-02-24 12:25:48 -06:00
Brandon Perry 1134b0a6fa fix dataastore to datastore 2015-02-24 10:34:33 -06:00
Brent Cook cf913e521c
Land #4832 @wvu-r7 remove and merge duplicate hash key initializers 2015-02-24 08:38:09 -06:00
BAZIN-HSC a0ba078801 add debug output 2015-02-24 14:15:30 +01:00
William Vu 5cdb678654 Fix invalid use of RPORT (should be RHOST) 2015-02-24 05:24:09 -06:00
William Vu f3cad229d3 Fix duplicate hash key "References"
In modules/auxiliary/scanner/http/http_login.rb.
2015-02-24 05:19:58 -06:00
William Vu aa1e1a5269 Fix duplicate hash key "Platform"
In modules/exploits/windows/mssql/mssql_linkcrawler.rb.
2015-02-24 05:19:56 -06:00
William Vu 57642377cc Fix duplicate hash key "MinNops"
In modules/exploits/windows/backupexec/name_service.rb.
2015-02-24 05:19:55 -06:00
William Vu f2c96b4fdd Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/ntr_activex_stopmodule.rb.
2015-02-24 05:19:54 -06:00
William Vu b671c9b496 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb.
2015-02-24 05:19:53 -06:00
William Vu 2e90f266fa Fix duplicate hash key "massage_array"
In modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb.
2015-02-24 05:19:52 -06:00
William Vu e618c2f112 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb.
2015-02-24 05:19:51 -06:00
William Vu 2ffa368c18 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/ntr_activex_check_bof.rb.
2015-02-24 05:19:50 -06:00
William Vu a8f0af4409 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/browser/cisco_playerpt_setsource.rb.
2015-02-24 05:19:49 -06:00
William Vu ff73b4d51a Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/local/pxeexploit.rb.
2015-02-24 05:19:48 -06:00
William Vu 53e45498ca Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb.
2015-02-24 05:19:47 -06:00
William Vu 943ff2da75 Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/http/hp_pcm_snac_update_domain.rb.
2015-02-24 05:19:46 -06:00
William Vu 6aa3952c91 Fix duplicate hash key "Platform"
In modules/exploits/windows/scada/winlog_runtime_2.rb.
2015-02-24 05:19:45 -06:00
sinn3r 8d17aa04ee Update the title too 2015-02-24 00:46:35 -06:00
sinn3r 578a545b22 Update MS14-064 for Windows XP 2015-02-23 23:08:13 -06:00
William Vu 8c5ff858d0
Land #4812, hp_sys_mgmt_login configurable URIs 2015-02-23 19:04:14 -06:00
Brandon Perry c9439addf8 fix url 2015-02-23 16:50:58 -06:00
HD Moore bf103def9e Add the /ews/ path to enable easy OWA brute force 2015-02-23 14:03:39 -06:00
William Vu bcfbcb7eea Clean up whitespace 2015-02-23 13:15:21 -06:00
sinn3r c39d6e152e
Land #4819, Normalize HTTP LoginScanner modules 2015-02-23 11:43:42 -06:00
William Vu 933c4a05b4
Land #4814, ms04_011_pct improved error messages 2015-02-22 23:51:14 -06:00
HD Moore 1b1716bcf6 Fix a handful of bugs that broke this modules. Fixes #4799 2015-02-22 22:01:01 -06:00
HD Moore 9730a1655e Small cleanups to the LLMR responder module 2015-02-22 22:00:42 -06:00
HD Moore 615d71de6e Remove extraneous calls to GC.start() 2015-02-22 21:51:33 -06:00
Brandon Perry 3d82c7755b add solarwinds module 2015-02-22 15:35:42 -06:00
rastating 61bdd58fbe Fix required flag on options 2015-02-22 16:20:47 +00:00
rastating 37a55cce74 Abstracted version comparison code 2015-02-22 16:20:46 +00:00
rastating 31cdd757f6 Add WordPress WPLMS privilege escalation module 2015-02-22 16:20:46 +00:00
HD Moore ea54696d99 Remove redundant params now provided by the mixin helper 2015-02-22 02:32:28 -06:00
HD Moore 8e8a366889 Pass Http::Client parameters into LoginScanner::Http (see #4803) 2015-02-22 02:26:15 -06:00
Christian Mehlmauer c820431879
Land #4770, Wordpress Ultimate CSV Importer user extract module 2015-02-22 08:52:45 +01:00
RageLtMan 2e58a3d1dd Update credential reporting mechanism
Replace :report_auth_info deprecated method with hooks into the
Metasploit Credential based system.
2015-02-22 02:49:54 -05:00
William Vu 2609a2acee
Land #4815, MS15-001 reference update 2015-02-21 21:05:03 -06:00
RageLtMan 8ace041a23 TCP option for Lantronix Telnet Password Recovery
This commit adds a CHECK_TCP option to the Lantronix password
disclosure module. If set to true, a TCP port will be used to
check for the disclosure instead of the default UDP configuration.
2015-02-21 20:22:18 -05:00
rastating f9dbff8a6c Add store path output 2015-02-21 23:41:26 +00:00
Christian Mehlmauer 7d42dcee9c
Land #4769, Wordpress holding-pattern theme file upload 2015-02-21 23:13:06 +01:00
Christian Mehlmauer 9223c23eb4
Land #4808, Wordpress plugin upload module 2015-02-21 23:01:15 +01:00
sinn3r aa8a82f44f Update MS15-001 reference 2015-02-21 08:39:21 -06:00
rastating 708340ec5a Tidy up various bits of code 2015-02-21 12:53:33 +00:00
jvazquez-r7 ef62e1fc04
Land #4798, @wchen-r7's deletion of x64 support on ms13_022_silverlight_script_object
* Ungenuine support, well deleted
2015-02-21 01:11:09 -06:00
jvazquez-r7 ef990223d5 Move arch out of target 2015-02-21 01:10:35 -06:00
sinn3r 441c301fd3 Fix #4458, more informative errors for ms04_011
Fix #4458
2015-02-21 00:32:20 -06:00
sinn3r f4e512e0ff Should be an array 2015-02-20 21:56:49 -06:00
sinn3r 40c237f507 Fix #3982, allow URIs to be user configurable
Fix #3982
2015-02-20 21:54:03 -06:00
rastating 76a64b31d7 Resolve msftidy issues 2015-02-21 01:41:29 +00:00
rastating 7d30b214ee Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00
sinn3r 40972220e3
Land #4804, HP Client Automation Command Injection 2015-02-20 16:56:03 -06:00
Brent Cook 58436fcc98
Land #4706 jvazquez-r7 adds NTLMSSP support for smb_relay 2015-02-20 15:15:00 -06:00
William Vu c9ddd0dac9
Land #4795, f5_bigip_cookie_disclosure update 2015-02-20 13:11:42 -06:00
William Vu b676f5a07e Clean up #4795 2015-02-20 13:10:31 -06:00
Brent Cook b624278f9d Merge branch 'master' into land-4706-smb_reflector 2015-02-20 10:26:04 -06:00
Brent Cook 5297ebc1a1 Merge branch 'master' into land-1396-http_proxy_pstore
Bring things back to the future
2015-02-20 08:50:17 -06:00
Brent Cook 91b4a59fc7 msftidy fixes 2015-02-20 08:42:54 -06:00
Matthew Hall e6ecdde451 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:35:22 +00:00
Matthew Hall 4963992b17 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:31:15 +00:00
Matthew Hall da829d9ea9 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:29:09 +00:00
Matthew Hall 9aef561fd3 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:28:35 +00:00
Matthew Hall 34f4ae782d Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:26:19 +00:00
Matthew Hall 1751921ede Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:01:38 +00:00
jvazquez-r7 1633a6d4fd Read response back while staging 2015-02-20 01:06:47 -06:00
jvazquez-r7 b0c6671721 Add module for ZDI-15-038, HPCA command injection 2015-02-20 00:41:17 -06:00
sinn3r 49f4b68671
Land #4790, injecting code into eval-based Javascript unpackers 2015-02-19 12:33:52 -06:00
sinn3r 036a6089eb Drop ungenuine x64 support in ms13_022_silverlight_script_object
The MS13-022 exploit does not actually run as x64. IE by default
still runs x86 so BES will always automatically select that target.

If IE forces x64 (which can be done manually), the BES detection
code will see it as ARCH_X86_64, and the payload generator will
still end up generating a x86 payload anyway.

If the user actually chooses a x64 payload, such as
windows/x64/meterpreter/reverse_tcp, the exploit is going to crash
because you can't run x64 shellcode on an x86 architecture.
2015-02-19 10:39:43 -06:00
dnkolegov f6c871a8e5 Deleted spaces at EOL 2015-02-19 05:06:00 -05:00
dnkolegov caabb82975 Fixed indentation errors 2015-02-19 05:02:10 -05:00
dnkolegov 2a584da6d9 Added cookie value in print function 2015-02-19 00:43:57 -05:00
Spencer McIntyre fe840635e5
Land #4791, fix ms14-070 CreateFile arguments
The arguments to CreateFileA used to require that the user had
some level of access on the \\.\tcp device.
2015-02-18 17:15:45 -05:00
David Maloney ffa6550aec
Land #4787, HD's new Zabbix and Chef LoginScanners
Lands the new LoginScanners HD wrote for Zabbix
and the Chef WebUI
2015-02-18 14:51:16 -06:00
David Maloney 804db0ff0c
add leixcal sorting to methods
lexical sort the new methods except for
msf module entrypoint methods which should always be at
the top
2015-02-18 14:50:33 -06:00
joev 483a145d19 Fix msftidy issues. 2015-02-18 14:08:03 -06:00
jakxx 44a7e7e4bc publish-it fileformat exploit 2015-02-18 13:22:54 -05:00
William Vu 35511636cc
Land #4788, splunk_web_login new version support 2015-02-18 11:54:54 -06:00
Jay Smith e40772efe2
Fixed open device issue for non-priv users
Fixed the open_device call to work for users without Administrator
privileges
2015-02-18 12:44:58 -05:00
joev f8609ab0ba Add file format exploit for injecting code into unpackers. 2015-02-18 11:26:45 -06:00
William Vu 10960310da
Land #4786, cosmetic fixes from @hmoore-r7
For {axis,glassfish}_login.
2015-02-18 03:56:13 -06:00
HD Moore cc6899d783 Fix a stack trace on null response, thanks @jlee-r7 2015-02-18 00:38:55 -06:00
HD Moore f4d8a25981 Add support for newer Splunk versions 2015-02-18 00:30:47 -06:00
HD Moore 2847507f03 Add a chef brute force module 2015-02-17 23:49:57 -06:00
HD Moore 27d5ab45b4 Add a zabbix brute force module 2015-02-17 22:56:08 -06:00
HD Moore f0e69cb526 Fix two cosmetic typos in the axis/glassfish modules 2015-02-17 21:01:35 -06:00
vulp1n3 69b37976c1 Fix disclosure date. 2015-02-17 17:29:52 -08:00
vulp1n3 a19a5328f1 Add JBoss Seam 2 upload execute module
Versions of the JBoss Seam 2 framework  < 2.2.1CR2 fails to properly
sanitize inputs to some JBoss Expression Language expressions.  As a
result, attackers can gain remote code execution through the
application server.  This module leverages RCE to upload and execute
a meterpreter payload. CVE-2010-1871
2015-02-17 17:25:01 -08:00
sinn3r 6acbe64dbd The MSB reference in the title is wrong
It should be MS13-022.

MS12-022 is MSFT Expression Design.
2015-02-17 14:56:14 -06:00
William Vu be5a0ee9c2
Land #4777, @todb-r7's release fixes 2015-02-17 13:45:00 -06:00
rastating e0d87a8886 Update to use store_loot for CSV export 2015-02-17 19:21:31 +00:00
Tod Beardsley fb06cb13cc
Land #4774, Chromecast HTTP scanner 2015-02-17 13:11:25 -06:00
Tod Beardsley a8108cfc17
Be less stupid in the description
[See #4774]
2015-02-17 13:04:26 -06:00
Tod Beardsley 71c5f622ca
Land #4775, Kindle Fire TV Stick controller 2015-02-17 12:59:54 -06:00
Tod Beardsley 053de8e62c
Fix whitespace in author name
[See #4777]
2015-02-17 12:57:36 -06:00
Tod Beardsley 14e764ff5a
Move to http subdirectory
After all, the wordpress scanners are all HTTP as well, and not under
some platform specific "wordpress" directory. Lots of other HTTP-ish
devices in there as well.
2015-02-17 12:53:18 -06:00
Tod Beardsley 5e07b01a1f
Fix up description a tiny bit 2015-02-17 12:51:55 -06:00
William Vu 45b16c92b7 Prefer sleep
It's all the same, anyway.
2015-02-17 12:43:14 -06:00
William Vu 787deb4b23 Change service name to something more appropriate
Technically, it's part of DIAL, but we don't want to confuse the user
even more.
2015-02-17 12:41:31 -06:00
sinn3r b90639fd66
Land #4726, X360 Software actvx buffer overflow 2015-02-17 11:41:23 -06:00
David Maloney 8e50baaded
Land #4771, userPrincipalName fix
Lands Meatballs1's PR to add userPrincipalName as a column
enumerated by the enum_ad_user* post modules.
2015-02-17 11:31:15 -06:00
Matthew Hall 666b8e3e72 Add timeout to connection handler 2015-02-17 17:27:03 +00:00
Matthew Hall 728cfafe4d cleanups 2015-02-17 17:27:03 +00:00
Matthew Hall e4bab60007 Generic HTTP DLL Injection Exploit Module
This is an example implementation of using the
Msf::Exploit::Remote::SMBFileServer module to perform
arbitrary DLL injection over SMB.
2015-02-17 17:27:03 +00:00
Matthew Hall c86caacf95 Merge branch 'master' into module-exploitsmbdllserver
Conflicts:
	lib/msf/core/exploit/smb.rb
2015-02-17 17:16:09 +00:00
Matthew Hall 9f04e3bcf0 Merge branch 'master' into hp_dataprotector_dll_cmd_exec 2015-02-17 17:06:40 +00:00
Matthew Hall afca27dae5 Merge branch 'master' into cve-2014-0094 2015-02-17 17:06:21 +00:00
Tod Beardsley 214146beaa
Correct author attribution 2015-02-17 10:52:55 -06:00
Brent Cook e08206d192
Land #4768, jvazquez-r7 reorganizes the SMB mixins 2015-02-17 10:36:19 -06:00
Tod Beardsley 6370c99755
Avoid version numbers in titles 2015-02-17 10:28:56 -06:00
Tod Beardsley 62a679ebb8
Avoid version numbers in titles
Usually, the versions are more of a range, and nearly always, the module
author never truly knows where the ranges are bounded. It's okay to
clarify in the description.
2015-02-17 10:26:40 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Meatballs ecefad946e
Spellingz 2015-02-17 14:39:34 +00:00
William Vu b4e2a50a6a Really fix the bug
App is so slow. :(
2015-02-17 06:10:32 -06:00
William Vu 09239b37aa Fix touchy YouTube app
It likes the previous video stopped before playing a new one.
2015-02-17 06:07:58 -06:00
William Vu 76e3539434 Add Amazon Fire TV YouTube remote control 2015-02-17 05:44:04 -06:00
William Vu b3d301e960 Fix annoying double quotes
As much as I love them, the use here is inconsistent.
2015-02-17 05:12:28 -06:00
William Vu e16614abb9 Program a bit more defensively
Even though /setup/eureka_info should always be JSON...
2015-02-17 05:04:26 -06:00
William Vu ea4dd023ae Add SSID to report_service info 2015-02-17 04:46:11 -06:00
William Vu e5d6af6b23 Gather info from /setup/eureka_info
Looks better with SSID.
2015-02-17 04:37:16 -06:00
William Vu b6f83937ef Add chromecast_webserver scanner 2015-02-17 03:27:48 -06:00
Nikita Oleksov 19cd00e6d5 Fix cookit name split 2015-02-16 23:53:32 +07:00
Meatballs 6559b43f1e
EOL Spaces argh 2015-02-16 15:46:45 +00:00
Meatballs 12f2828829
Allow additional fields 2015-02-16 15:24:28 +00:00
Meatballs b77aed1c56
UPN is optional, should use sAMAccountName 2015-02-16 15:08:09 +00:00
Meatballs 3a894a29de
Dont use magic values and use the userPrincipalName as the
username
2015-02-16 15:02:01 +00:00
Meatballs e42bbcbcbb
Enum_ad modules should retrive userPrincipalName as it may differ
to the sAMAccountName value.
2015-02-16 14:03:15 +00:00
dnkolegov a44e858bd7 Fixed minor errors in F5 BigIP cookie disclosure module 2015-02-16 01:31:52 -05:00
rastating 73bac94fa8 Add Ultimate CSV Importer extract module 2015-02-15 15:27:27 +00:00
rastating 40c92f5fe3 Add URL reference 2015-02-14 13:09:37 +00:00
rastating 4dce589bbe Add WordPress Holding Pattern file upload module 2015-02-14 12:54:03 +00:00
jvazquez-r7 0158e94a18 Fix mixin usage 2015-02-13 17:18:51 -06:00
jvazquez-r7 0372b08d83 Fix mixin usage on modules 2015-02-13 17:17:59 -06:00
sinn3r fd441d2c5e Fix #4764, NameError unitialized constant Net::DNS in shodan_search 2015-02-13 14:40:23 -06:00
sinn3r b197b98ab9
Land #4759, fix ms09_067_excel_featheader 2015-02-13 13:25:15 -06:00
dnkolegov 19144e143a Fixed some errors in F5 BigIP cookie disclosure module 2015-02-13 03:29:23 -05:00
sinn3r 29163db7fc Add CVE reference for ie_uxss_injection 2015-02-12 17:16:59 -06:00
jvazquez-r7 3ae3d56caa
Land #4745, fixes #4711, BrowserAutoPwn failing due to getpeername 2015-02-12 16:51:09 -06:00
jvazquez-r7 92422c7b9a Save the output file on local_directory 2015-02-12 16:16:21 -06:00
Christian Mehlmauer 55f57e0b9b
Land #4746, WordPress photo-gallery exploit 2015-02-12 22:24:12 +01:00
Christian Mehlmauer bce7211f86
added url and randomize upload directory 2015-02-12 22:16:37 +01:00
sinn3r 05d2703a98 Explain why obfuscation is disabled 2015-02-12 14:00:01 -06:00
William Vu 9b10cd5655
Land #4755, @todb-r7's release fixes 2015-02-12 13:16:08 -06:00
William Vu d7fa06de06 Fix off-by-one whitespace 2015-02-12 13:12:13 -06:00
Tod Beardsley c156ed62a9
on, not of. 2015-02-12 12:56:53 -06:00
Tod Beardsley e35f603888
Comma fascism 2015-02-12 12:49:45 -06:00
Tod Beardsley d89eda65fa
Moar fixes, thanks @wvu-r7
See #4755
2015-02-12 12:46:38 -06:00
Tod Beardsley e78d08e20d
Fix up titles, descriptions 2015-02-12 12:11:40 -06:00
sinn3r 50c72125a4 ::Errno::EINVAL, disable obfuscation, revoke ms14-064 2015-02-12 11:54:01 -06:00
jvazquez-r7 155651e187 Make filename shorter 2015-02-12 11:45:51 -06:00
jvazquez-r7 95bfe7a7de Do minor cleanup 2015-02-12 11:45:51 -06:00
rastating 30f310321d Added CVE reference 2015-02-12 11:45:51 -06:00
rastating 38ad960640 Add Maarch LetterBox file upload module 2015-02-12 11:45:51 -06:00
William Vu 309159d876
Land #4753, updated ms14_070_tcpip_ioctl info 2015-02-12 09:57:29 -06:00
Spencer McIntyre 8ab469d3bd Update ms14-070 module information and references 2015-02-12 09:51:01 -05:00
Tod Beardsley 02fe57e2a1
Bump out to April, 60ish days 2015-02-11 12:56:37 -06:00
William Vu fd11afff1a Deprecate manage/pxexploit
modules/post/windows/manage/pxeexploit.rb
2015-02-11 12:39:10 -06:00
William Vu 58b6b7519a Deprecate server/pxexploit
modules/auxiliary/server/pxeexploit.rb
2015-02-11 12:38:38 -06:00
William Vu 6294cbf4de Fix manage/pxexploit datastore 2015-02-11 12:19:59 -06:00
William Vu b894050bba Fix local/pxeexploit datastore 2015-02-11 12:19:56 -06:00
William Vu 9e717084af Fix server/pxexploit datastore 2015-02-11 12:19:39 -06:00
Brent Cook f99ef5c0f5 fix msftidy warnings about towelroot module 2015-02-11 11:17:44 -06:00
rastating cb1efa3edd Improved error handling, tidied up some code 2015-02-11 10:16:18 +00:00
rastating 80a086d5f6 Add WordPress Photo Gallery upload module 2015-02-11 01:03:51 +00:00
sinn3r d23c9b552f Trade MS12-004 for MS13-090 against Windows XP BrowserAutoPwn 2015-02-10 18:58:56 -06:00
jvazquez-r7 b07ef333e9 Fix java_rmi_server include 2015-02-10 12:52:19 -06:00
jvazquez-r7 29c68ef1ec
End fixing namespaces 2015-02-10 11:55:14 -06:00
Tod Beardsley 1e8f98c285
Updated description, credit, and URL 2015-02-10 11:25:13 -06:00
Tod Beardsley 1b89242a75
Add module for R7-2015-02 2015-02-10 11:03:46 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
jvazquez-r7 5687028f09
Land #4671, @earthquake's exploit for achat buffer overflow 2015-02-09 17:50:09 -06:00
jvazquez-r7 6165d623ff
Change module filename 2015-02-09 17:39:55 -06:00
jvazquez-r7 eb0741d7a7
Modify reference 2015-02-09 17:39:18 -06:00
Tod Beardsley 0a42ac947a
Land #4737, fix Socket Context usages 2015-02-09 17:34:03 -06:00
jvazquez-r7 86f3bcad11
Do minor cleanup 2015-02-09 17:33:05 -06:00
Tod Beardsley 7ee5fd9b32
Fix lotus_domino to use get_cookies correctly. 2015-02-09 17:29:44 -06:00
Balazs Bucsay ac6879cfe1 proper payload encoding from now on 2015-02-09 23:36:35 +01:00
Balazs Bucsay c7880ab4e1 hex strings related explanations 2015-02-09 23:21:38 +01:00
Balazs Bucsay 9891026d30 sleep changed to Rex::sleep 2015-02-09 22:33:41 +01:00
jvazquez-r7 81cad064ea
Land #4724, @wchen-r7's AllowWin32SEH's change on alpha encoders 2015-02-09 11:01:00 -06:00
Brent Cook af405eeb7d
Land #4287, @timwr's exploit form CVS-2014-3153 2015-02-09 10:33:14 -06:00
jvazquez-r7 831a1494ac Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper 2015-02-08 18:29:25 -06:00
jvazquez-r7 3e7e9ae99b Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumMixed 2015-02-08 18:22:11 -06:00
Meatballs 133ae4cd04
Land #4679, Windows Post Gather File from raw NTFS. 2015-02-08 18:50:50 +00:00
Meatballs 69e53a46cb
Final tidyups, description etc 2015-02-08 18:49:17 +00:00
Meatballs 9518090b8b
Ignore some error conditions 2015-02-08 18:46:48 +00:00
Bazin Danil cc4fc1aefa use GetFileAttributesW and CreateFileW 2015-02-08 17:36:49 +01:00
Tod Beardsley 1f7bee35b5
Land #4731, fix fail_with message 2015-02-07 22:27:17 -06:00
Tod Beardsley a5b2e99136
Correct punctuation on outlook, too. 2015-02-07 22:26:14 -06:00
Christian Mehlmauer 6d46182c2f
Land #4570, @rastating 's module for wp-easycart 2015-02-07 23:42:23 +01:00
Christian Mehlmauer f2b834cebe
remove check because the vuln is unpatched 2015-02-07 23:38:44 +01:00
Christian Mehlmauer d2421a2d75
wrong version 2015-02-07 23:34:19 +01:00
Christian Mehlmauer 56d2bc5adb
correct version number 2015-02-07 23:22:43 +01:00
wez3 1390c81420 Fix fail_with text
Fix fail_with text, when the target system is locked.
2015-02-07 21:20:24 +01:00
rastating 345d5c5c08 Update version numbers to reflect latest release 2015-02-07 19:09:16 +00:00
HD Moore b1726fd609 Missing comma 2015-02-07 11:56:22 -06:00
HD Moore 8d982e3286 Pass the framework/module down into LoginScanner 2015-02-07 11:50:30 -06:00
Meatballs 358ab2590e
Small tidyup 2015-02-07 11:35:47 +00:00
jvazquez-r7 87775c6ee4 Fix description 2015-02-06 23:55:27 -06:00
jvazquez-r7 76387eebe0 Use File.open 2015-02-06 21:35:07 -06:00
jvazquez-r7 1ea4a326c1
Land #4656, @nanomebia's fixes for sugarcrm_unserialize_exec 2015-02-06 16:42:01 -06:00
jvazquez-r7 e511f72ab4 Delete final check
* A session is the best proof of success
2015-02-06 16:34:34 -06:00
sinn3r a543d957d4 Fix #4717 - Change AllowWin32SEH's default to false
This is patch to change AllowWin32SEH to false.

Root cause:

The truely intended behavior is that if the user doesn't set a
BufferRegister and the encoder is for Windows, the AllowWin32SEH
code should kick in.

The problem here is that msfencode and msfvenom handle the platform
information differently, so we get different results.

With msfencode, the platform information isn't passed when alpha_mixed
is used, so even if you're using the encoder for Win32, the encoder
doesn't actually know about this. But everything works out just fine
anyway because people don't actually rely on AllowWin32SEH.

With msfvenom, the platform information is passed, so the encoder
actually knows it's for Windows. The two conditions are met (regster
and platform), so AllowWin32SEH kicks in. However, the AllowWin32SEH
technique enforces the BufferRegister to ECX, and that there's no
GetPC, so by default this isn't going to work.

The solution:

We are actually better off with setting AllowWin32SEH to false, mainly
because the SEH technique is pretty much dead (congrats MSFT!). And we
want the GetPC routine by default.

If people want to use AllowWin32SEH routine, they can simply set
AllowWin32SEH to true to bring it right back. For example:

e = framework.encoders.create('x86/alpha_mixed')
e.datastore.import_options_from_hash({'AllowWin32SEH'=>true})
buf = e.encode("AAAA", nil, nil, ::Msf::Module::PlatformList.win32)

Or in msfvenom:

msfvenom -p windows/meterpreter/bind_tcp -e x86/alpha_mixed
AllowWin32SEH=true -f raw

Fix #4717
2015-02-06 12:38:04 -06:00
jvazquez-r7 f6933ed02c Add module for EDB-35948 2015-02-06 11:05:29 -06:00
Tod Beardsley 036cb77dd0
Land #4709, fixed up some datastore mangling 2015-02-05 21:22:38 -06:00
Tod Beardsley 7e649a919c
This version will actually work. 2015-02-05 21:00:54 -06:00
Tod Beardsley 3e0ce4a955
Fix datastore mangling with instance variables
See rapid7/metasploit-framework #4709
2015-02-05 20:37:18 -06:00
Spencer McIntyre 4e0a62cb3a
Land #4664, MS14-070 Server 2003 tcpip.sys priv esc 2015-02-05 18:49:15 -05:00
Spencer McIntyre a359fe9acc Minor fixup on the ms14-070 module description 2015-02-05 18:41:58 -05:00
Tod Beardsley f8c81e601c
Land #4710 for real.
This isn't a proper merge commit. Will need to figure out what I did to
wang up the last landing -- I'm guessing I didn't fetch enough first.

This should fix #4710.
2015-02-05 17:18:51 -06:00
Tod Beardsley 0a587c9f5a
Land #4710, really
Looks like my publish script ended up rebasing wchen-r7/aux_ie_uxss and
didn't catch the file rename correctly.

Conflicts:
	modules/auxiliary/gather/ie_uxss_injection.rb
2015-02-05 17:13:53 -06:00
sinn3r 79e0ddadf6 Rename file again 2015-02-05 17:09:11 -06:00
sinn3r 97aa9f9dd2 Credit @joevennix 2015-02-05 17:09:11 -06:00
sinn3r 7585c625fa Another update
Thanks @joevennix
2015-02-05 17:09:11 -06:00
sinn3r 12aadb3132 Another update 2015-02-05 17:09:10 -06:00
sinn3r 17f2d8048d Another update 2015-02-05 17:09:10 -06:00
sinn3r 01252078ea Use store_loot to store coookie 2015-02-05 17:09:10 -06:00
sinn3r 6fd38307e7 An update 2015-02-05 17:09:10 -06:00
sinn3r 727fc51c0b Don't need this line 2015-02-05 17:09:10 -06:00
sinn3r 4924749b96 Try to make the filename more self explanatory 2015-02-05 17:09:09 -06:00
sinn3r 26af10c3b6 Change public ip option name and store cookie to db 2015-02-05 17:09:09 -06:00
sinn3r bfa7b61663 Final 2015-02-05 17:09:09 -06:00