infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
39,769 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

20878 Commits (699a8e91d2fab81fc65151264c6c1e185e32123c)

Author SHA1 Message Date
jvoisin 2272e15ca2 Remove some anti-patterns, in the same spirit than #7372 2016-09-29 00:15:01 +02:00
William Vu 988471b860
Land #7372, useless use of cat fix 
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
 2016-09-28 16:37:11 -05:00
William Vu 3033c16da6 Add missing rank 2016-09-28 16:37:04 -05:00
jvoisin b46073b34a Replace `cat` with Ruby's `read_file` 
Thanks to wvu-r7 for the comment
 2016-09-28 23:22:19 +02:00
Jeffrey Martin 1689f10890
Land #7292, add android stageless meterpreter_reverse_tcp 2016-09-28 16:05:22 -05:00
William Vu 45ee59581b
Fix inverted logic in Docker exploit 
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.

Credit to @fslavin-r7.
 2016-09-28 15:36:09 -05:00
William Vu ab94bb9cdd
Land #7365, nonce fix for Ninja Forms exploit 2016-09-28 13:57:08 -05:00
averagesecurityguy f7e588cdeb Initial commit of module. 2016-09-28 14:55:32 -04:00
Julien (jvoisin) Voisin dbb2abeda1 Remove the `cat $FILE | grep $PATTERN` anti-pattern 
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
 2016-09-28 13:41:25 +02:00
Tim b4a1adaf0f refactor into android.rb 2016-09-28 18:23:34 +08:00
Tim dc43f59dcf dalvik -> android 2016-09-28 14:50:52 +08:00
wchen-r7 f838c9990f Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload 
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
 2016-09-27 11:30:52 -05:00
OJ 76b3c37262
Fix msftidy errors 2016-09-27 22:56:07 +10:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw 
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
 2016-09-27 22:37:45 +10:00
Pearce Barry edbe1c3e14
Land #7361, Make OSX screencapture silent 2016-09-26 17:24:03 -05:00
Brendan b9de73e803
Land #7334, Add aux module to exploit WINDOWS based (java) Colorado 
FTP server directory traversal
 2016-09-26 14:15:23 -05:00
Pearce Barry 6382fffc75
Land #7326, Linux Kernel Netfilter Privesc 2016-09-26 12:38:50 -05:00
Tim 53823a4807 oops msftidy 2016-09-26 23:50:38 +08:00
Henry Pitcairn e5c05c05d2 Make OSX screencapture silent 
By default, the `screencapture` command on OS X plays a camera sound effect. The -x option silences this.
 2016-09-25 22:54:57 -04:00
Adam Cammack a13e83af8a
Land #7357, Stagefright CVE-2015-3864 2016-09-25 17:10:06 -05:00
h00die 23e5556a4c binary drops work! 2016-09-24 21:31:00 -04:00
Brent Cook e0ff8859e9
Land #7359, add EXTRABACON auxiliary module auxiliary/admin/cisco/cisco_asa_extrabacon 2016-09-24 10:46:13 -04:00
Brent Cook df28e2a85e Add credit to wwebb-r7 for the initial module and ASA hacking notes 2016-09-24 05:48:31 -04:00
TheNaterz cd4299b3a2 Added offsets for version 9.2(4)14 
This version of the ASA is patched and our offsets do not work currently. We may do more work on this to find a solution.
 2016-09-23 16:57:08 -06:00
TheNaterz 087e9461ce Added offsets for version 9.2(4)13 2016-09-23 16:50:50 -06:00
TheNaterz 3f985d94d7 Added offsets for version 8.4(6)5 2016-09-23 16:32:42 -06:00
TheNaterz 352946d8f5 Added offsets for version 8.4(4)9 2016-09-23 16:19:36 -06:00
TheNaterz 368fd1a77f Added offsets for version 8.4(4)5 2016-09-23 16:07:42 -06:00
TheNaterz 19fe09318a Added offsets for version 8.4(4)3 2016-09-23 15:56:02 -06:00
TheNaterz 8840af0e90 Added offsets for version 8.4(4)1 2016-09-23 15:44:39 -06:00
TheNaterz 19caff2293 Added offsets for 8.3(2)40 2016-09-23 15:26:02 -06:00
TheNaterz ba4505bcce Added offsets for version 8.3(2)39 2016-09-23 15:05:39 -06:00
TheNaterz 64df7b0524 Added offsets for verion 8.3(2)-npe 
We currently can't distinguish between 8.3(2) and 8.3(2)-npe versions from the SNMP strings. We've commented out the 8.3(2)-npe offsets, but in the future, we'd like to incorporate this version.
 2016-09-23 14:49:57 -06:00
TheNaterz 926e5fab9e Added offsets for version 8.2(5)41 2016-09-23 14:00:23 -06:00
TheNaterz b4d3e8ea3e Added offsets for version 9.2(1) 2016-09-23 13:52:13 -06:00
TheNaterz d36e16fc32 Added offsets for version 8.2(5)33 2016-09-23 13:15:39 -06:00
TheNaterz f19ed4376b Adding new version offsets 2016-09-23 12:57:36 -06:00
Joshua J. Drake dbf66f27d5 Add a browser-based exploit module for CVE-2015-3864 2016-09-23 11:14:31 -05:00
Tijl Deneut 2fab62b14d Update profinet_siemens.rb 
Removed unnecessary rescue, gave "timeout" variable a better name.
 2016-09-23 18:05:45 +02:00
George Papakyriakopoulos 639dee993a Fixed interactive password prompt issue 
Fixed an issue where the exploit would drop to interactive password prompt by default on newer ruby version which rendered the exploit unusable. It now properly forces pubkey authentication instead and proceeds with the bypass as expected.
 2016-09-23 17:03:40 +01:00
TheNaterz 98cf5d8eb5 Changed 'build_offsets' to 'build_payload' 2016-09-23 09:32:17 -06:00
zerosum0x0 1868371ba7 fix merge conflicts 2016-09-23 14:49:36 +00:00
zerosum0x0 2591d0b7c6 numerous fixes as per @busterb 2016-09-23 14:46:40 +00:00
Pearce Barry 5de1d34869
Land #7341, add module metasploit_static_secret_key_base 2016-09-23 09:20:48 -05:00
h00die cba297644e post to local conversion 2016-09-22 22:08:24 -04:00
TheNaterz dda6b67928 Added basic error handling for unsupported ASA versions 2016-09-22 18:24:25 -06:00
TheNaterz cf070853e9 Moved required datastore option into constructor 2016-09-22 18:08:35 -06:00
h00die 7646771dec refactored for live compile or drop binary 2016-09-22 20:07:07 -04:00
TheNaterz df25f07b34 Replaced '+=' with '<<' 2016-09-22 17:53:28 -06:00
TheNaterz f525c24a9f Added offsets for 8.4(7) 2016-09-22 17:16:37 -06:00
zerosum0x0 28a09c2d13 stupid comment 2016-09-22 22:57:42 +00:00
TheNaterz 7762f42dfa Added offsets for 8.3(1) 2016-09-22 16:17:37 -06:00
TheNaterz 064aed858b Added RiskSense contributor repo to references 2016-09-22 16:10:30 -06:00
TheNaterz 961524d648 Adding offsets for 9.1(1)4 2016-09-22 16:04:44 -06:00
TheNaterz 4e9459d876 Added offsets for 9.0(1) 2016-09-22 15:35:59 -06:00
TheNaterz 5ca6563c8f Fixed problem with 9.2(2)8 offsets 2016-09-22 15:24:49 -06:00
TheNaterz b77adc97f0 Removing redundant version check 2016-09-22 15:05:42 -06:00
TheNaterz c22a2a19e8 Added offsets for 9.2(2)8 2016-09-22 14:59:49 -06:00
TheNaterz e8d1f6d5a0 Added offsets for 8.2(3) 2016-09-22 14:38:52 -06:00
Jenna Magius a0ba8b7401 Fix whitespace per msftidy 2016-09-22 14:25:04 -06:00
TheNaterz 022189c075 Added offsets for 8.4(3) 2016-09-22 14:12:33 -06:00
zerosum0x0 4288c3fb46 added always_return_true variable 2016-09-22 19:44:55 +00:00
TheNaterz c18045128a Replaced global vars, made 'patched_code' value static 2016-09-22 13:42:23 -06:00
zerosum0x0 3c7fc49788 Added module auxiliary/admin/cisco/cisco_asa_extrabacon 
This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.
 2016-09-22 18:06:03 +00:00
wchen-r7 bc425b0378 Update samsung_security_manager_put 
This patch improves the following

* Stage 1 XSS/JS attack to use the body.onload callback
* Better timing for FF
 2016-09-22 12:02:49 -05:00
Tim 34e02fe097 stageless http 2016-09-22 16:26:26 +01:00
Tim 1b911e7117 placate msftidy 2016-09-22 16:26:26 +01:00
Tim 32c2311b86 android meterpreter_reverse_tcp 2016-09-22 16:26:26 +01:00
Brent Cook 9f3c8c7eee
Land #7268, add metasploit_webui_console_command_execution post-auth exploit 2016-09-22 00:50:58 -05:00
Brent Cook 88cef32ea4
Land #7339, SSH module fixes from net:ssh updates 2016-09-22 00:27:32 -05:00
Brendan 04f8f7a0ea
Land #7266, Add Kaltura Remote PHP Code Execution 2016-09-21 17:14:49 -05:00
Justin Steven dcfbb9ee6a
Tidy info 
Replace errant \t with \x20
 2016-09-21 20:14:11 +10:00
Justin Steven 1e24568406
Tweak verbosity re: found secrets 2016-09-21 20:14:08 +10:00
Justin Steven 30d07ce0c7
Tidy metasploit_static_secret_key_base module 
* Inline magic values
* Optimise out dead Rails3-specific code
 2016-09-21 20:13:58 +10:00
Kyle Gray 9d01f24cff
Land #7388, relocate Rex::Platform:Windows content 
This PR consolidates the few lines of consts/code in lib/rex/platforms/windows.rb into MSF core.

Completes #MS-1714
 2016-09-20 16:39:07 -05:00
Louis Sato 8b1d29feef
Land #7304, fix rails_secret_deserialization popchain 2016-09-20 16:05:03 -05:00
Mehmet Ince 2d3c167b78
Grammar changes again. 2016-09-20 23:51:12 +03:00
Mehmet Ince 0f16393220
Yet another grammar changes 2016-09-20 19:48:40 +03:00
Mehmet Ince fb00d1c556
Another minor grammer changes 2016-09-20 19:23:28 +03:00
Brendan 251421e4a7 Minor grammar changes 2016-09-20 10:37:39 -05:00
Mehmet Ince 385428684f
Move module and docs under the exploit/linux/http folder 2016-09-20 12:45:23 +03:00
Brent Cook a9a1146155 fix more ssh option hashes 2016-09-20 01:30:35 -05:00
Mehmet Ince c689a8fb61
Removing empty lines before module start 2016-09-20 01:42:18 +03:00
Mehmet Ince 29a14f0147
Change References to EDB number and remove 4 space 2016-09-20 01:31:56 +03:00
Justin Steven a1ca27d491
add module metasploit_static_secret_key_base 2016-09-20 07:04:00 +10:00
David Maloney e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules 2016-09-19 15:27:37 -05:00
David Maloney 06ff7303a6
make pubkey verifier work with old module 
make the new pubkey verifier class and
the old identify_pubkeys aux module work
together

7321
 2016-09-19 15:20:35 -05:00
Pearce Barry 3f5ed75198
Relocate Rex::Platform:Windows content (fixes MS-1714) 2016-09-19 14:34:44 -05:00
h00die 3bc566a50c fix email 2016-09-18 20:09:38 -04:00
h00die 9c922d111f colorado ftp 2016-09-18 20:03:16 -04:00
h00die edd1704080 reexploit and other docs and edits added 2016-09-18 09:01:41 -04:00
h00die 4f85a1171f reexploit and other docs and edits added 2016-09-18 08:51:27 -04:00
Mehmet Ince 53d4162e7d Send payload with POST rather than custom header. 2016-09-17 23:11:16 +03:00
Thao Doan d2100bfc4e
Land #7301, Support URIHOST for exim4_dovecot_exec for NAT 2016-09-16 12:49:57 -07:00
Thao Doan 7c396dbf59
Use URIHOST 2016-09-16 12:48:54 -07:00
William Vu 4d0643f4d1
Add missing DefaultTarget to Docker exploit 2016-09-16 13:09:00 -05:00
William Vu da516cb939
Land #7027, Docker privesc exploit 2016-09-16 12:44:21 -05:00
William Vu 4ba1ed2e00
Fix formatting in fortinet_backdoor 
Also add :config and :use_agent options.
 2016-09-16 12:32:30 -05:00
William Vu e3060194c6
Fix formatting in ubiquiti_airos_file_upload 
Also add :config and :use_agent options.
 2016-09-16 12:27:09 -05:00
David Maloney 26491eed1a
pass the public key in as a file instead of data 
when using key_data it seems to assume it is a private
key now. the initial key parsing error can be bypassed
by doing this

7321
 2016-09-16 11:48:51 -05:00