Commit Graph

20212 Commits (68d647edf1952f5c51dc7636bebc2469a6c2ca0b)

Author SHA1 Message Date
h00die 68d647edf1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into op5 2016-06-01 18:05:18 -04:00
h00die 52d5028548 op5 config exec 2016-06-01 15:07:31 -04:00
sho-luv 98cfcc65ae Added IP address to returned information.
This scanner module doesn't tell you the location of the found information. So when using the -R option to fill the RHOSTS all you get is a bunch of successful findings, however you won't know to which systems they belong.
2016-05-31 19:47:00 -07:00
wchen-r7 fb678564b1
Land #6923, Check the correct check code for ms13_081_track_popup_menu 2016-05-31 11:40:02 -05:00
wchen-r7 fb95abc645
Land #6909, Add WordPress Ninja Forms unauthenticated file upload 2016-05-25 15:40:10 -05:00
wchen-r7 14e1baf331 Minor style changes 2016-05-25 15:39:26 -05:00
rastating 19c4d5b02b Remove hard coded target path 2016-05-25 18:04:26 +01:00
William Webb 028b1ac251 Land #6816 Oracle Application Testing Suite File Upload 2016-05-24 18:27:10 -05:00
William Vu 3dfdf1d936
Land #6528, tilde expansion and more for OptPath 2016-05-24 16:01:59 -05:00
Jon Hart 48c25dd863
Remove need for expand_path in this module; normalize handles it now 2016-05-24 13:30:12 -07:00
Jon Hart 3df4c38e82
Use correct key file var 2016-05-24 13:28:08 -07:00
Brendan Watters 77a62ff7c0
Land #6905 RC4 Stagers 2016-05-24 09:34:32 -05:00
Brendan Watters af86d63498 Updated Cache size 2016-05-24 09:07:05 -05:00
Brendan Watters f0b945e4c4 Updated cache size 2016-05-24 09:06:46 -05:00
Brendan Watters d328258db4 Updated Cache size 2016-05-24 09:06:28 -05:00
Brent Cook 5c6b93c1cf
Land #6883, Add Ubiquiti airOS exploit 2016-05-24 07:26:40 -05:00
William Vu ca76e8f290 Update allwinner_backdoor report_vuln hash 2016-05-24 00:57:37 -05:00
Brent Cook 5bf8891c54
Land #6882, fix moodle_cmd_exec HTML parsing to use REX 2016-05-23 23:25:22 -05:00
Brent Cook 928a706135
Land #6890, Allwinner CPU kernel module local privilege escalation 2016-05-23 22:00:52 -05:00
Brent Cook 2f8562fba4 added documentation and minor style tweaks 2016-05-23 21:59:44 -05:00
rastating adb8098b8c Fix typo 2016-05-24 00:16:04 +01:00
rastating aae7c25603 Add WordPress Ninja Forms unauthenticated file upload module 2016-05-23 23:47:41 +01:00
h00die 4242bbdf55 change report_note to report_vuln per note 2016-05-23 17:36:50 -04:00
Brent Cook 2694907b79 update cached payload size 2016-05-23 14:30:43 -05:00
RageLtMan cf62218139 Update payload sizes 2016-05-23 14:27:11 -05:00
RageLtMan efc64eaa5f Implement reverse_tcp_rc4_dns payload in metasm
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.

For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan 0e69040a6a Implement reverse_tcp_dns as metasm payload
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.

Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly

Misc:
  Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan df2346d9e0 Implement RC4 metasm payloads for tcp bind and rev
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.

Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.

Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.

Testing:
 Tested against Win2k8r2, Win7x64, and WinXPx86

ToDo:
 Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Spencer McIntyre 7e34d1e1cf
Land #6897, use sendall python rtcp shell with ssl 2016-05-21 16:51:10 -04:00
William Vu 6581fbd294 Add note about "mf" malware
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
Brent Cook b613dfefb4
Land #6896, fix spelling in caidao_bruteforce_login 2016-05-19 21:54:06 -05:00
root a71e853c2a Fixed cache size for python/shell_reverse_tcp_ssl 2016-05-20 02:32:37 +00:00
root 87398d5195 Fixed python reverse shell ssl send for EOF occurred in violation of protocol error 2016-05-20 01:49:04 +00:00
wchen-r7 506356e15d
Land #6889, check #nil? and #empty? instead of #empty? 2016-05-19 19:23:04 -05:00
wchen-r7 99a573a013 Do unless instead "if !" to follow the Ruby guideline 2016-05-19 19:21:45 -05:00
h00die 706d51389e spelling fix 2016-05-19 19:30:18 -04:00
William Vu a16f4b5167 Return nil properly in rescue
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
William Vu d018bba301 Store SSH key as a note
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
William Vu 9f738c3e41 Add note about overwritten files 2016-05-19 15:07:27 -05:00
William Vu 8fccb26446 Add Ubiquiti airOS exploit
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
ssyy201506 31bbcfca49 Fix ms13_081_track_popup_menu 2016-05-19 17:22:47 +09:00
h00die c621f689b2 more descriptive note per @sempervictus 2016-05-18 19:08:01 -04:00
Vex Woo b5284375a7 osb_uname_jlist - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:16:53 -05:00
Vex Woo 11fedd7353 ca_totaldefense_regeneratereports - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:15:28 -05:00
Vex Woo a6405beeda ams_hndlrsvc - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:13:40 -05:00
Vex Woo 41bcdcce61 fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:11:57 -05:00
Vex Woo bc257ea628 fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:10:32 -05:00
Vex Woo 68b83c6e3a datastore['CMD'].blank? 2016-05-17 23:56:59 -05:00
h00die 815a2600a8 additional description 2016-05-17 22:07:33 -04:00
h00die 640e0b9ff7 working ready for pr 2016-05-17 21:58:32 -04:00