Commit Graph

8687 Commits (6b94513a37fa641bc1a350593d60c1a62416ff6e)

Author SHA1 Message Date
William Vu cc8650f98a Fix TMPPATH description 2015-06-09 14:15:18 -05:00
William Vu 9c97da3b7c
Land #5224, ProFTPD mod_copy exploit 2015-06-09 14:11:27 -05:00
William Vu 5ab882a8d4 Clean up module 2015-06-09 14:10:46 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
wchen-r7 ea33d7060e Correct ranking 2015-06-05 21:07:27 -05:00
wchen-r7 ff39e32cc6 Single quote 2015-06-05 21:06:57 -05:00
wchen-r7 ee13a215e9
Merge branch 'upstream-master' into bapv2 2015-06-05 14:09:07 -05:00
jvazquez-r7 318f67fcda
update descriptions 2015-06-05 09:01:20 -05:00
wchen-r7 71a8487091 Correct Flash version in the module description
There is no 11.2.202.404, mang.
2015-06-04 23:46:41 -05:00
wchen-r7 5f4b2ed22a Newline 2015-06-04 23:36:36 -05:00
wchen-r7 69968fc9f1 Merge branch 'upstream-master' into bapv2 2015-06-04 23:36:24 -05:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 23df66bf3a
Land #5481, no powershell. exec shellcode from the renderer process. 2015-06-04 15:45:09 -05:00
jvazquez-r7 ab68d8429b Add more targets 2015-06-04 12:11:53 -05:00
wchen-r7 be709ba370
Merge branch 'upstream-master' into bapv2 2015-06-04 10:33:07 -05:00
wchen-r7 744baf2d44 Update kloxo_sqli to use the new cred API 2015-06-03 23:28:35 -05:00
jvazquez-r7 80cb70cacf
Add support for Windows 8.1/Firefox 2015-06-03 22:46:04 -05:00
wchen-r7 78e4677bb1 Oops it blew up 2015-06-03 20:10:01 -05:00
wchen-r7 a0aa6135c5 Update ca_arcserve_rpc_authbypass to use the new cred API 2015-06-03 20:02:07 -05:00
jvazquez-r7 74117a7a52
Allow to execute payload from the flash renderer 2015-06-03 16:33:41 -05:00
Pedro Ribeiro d5b33a0074 Update sysaid_rdslogs_fle_upload.rb 2015-06-03 22:01:13 +01:00
Pedro Ribeiro 37827be10f Update sysaid_auth_file_upload.rb 2015-06-03 22:00:44 +01:00
Pedro Ribeiro 62993c35d3 Create sysaid_rdslogs_fle_upload.rb 2015-06-03 21:45:14 +01:00
Pedro Ribeiro 193b7bcd2e Create sysaid_auth_file_upload.rb 2015-06-03 21:44:02 +01:00
OJ a6467f49ec Update description 2015-06-03 22:17:25 +10:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
James Lee d03ee5667b
Remove assigned but unused local vars 2015-06-01 16:45:36 -05:00
James Lee 7133f0a68e
Fix typo in author's name 2015-06-01 16:45:09 -05:00
wchen-r7 e83677d29d rm deprecated mod 2015-05-29 17:43:26 -05:00
wchen-r7 13779adab4
Merge branch 'upstream-master' into bapv2 2015-05-29 14:59:04 -05:00
wchen-r7 6be363d82a
Merge branch 'upstream-master' into bapv2 2015-05-29 14:58:38 -05:00
jvazquez-r7 1be04a9e7e
Land #5182, @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection 2015-05-29 14:49:09 -05:00
jvazquez-r7 8b2e49eabc
Do code cleanup 2015-05-29 14:45:47 -05:00
jvazquez-r7 8c7d41c50c
Land #5426, @wchen-r7's adds more restriction on Windows 7 target for MS14-064 2015-05-29 14:35:44 -05:00
wchen-r7 c3fa52f443 Update description 2015-05-29 13:47:20 -05:00
wchen-r7 dab9a66ea3 Use current ruby hash syntax 2015-05-29 13:43:20 -05:00
jvazquez-r7 9ccf04a63b
Land #5420, @m-1-k-3's miniigd command injection module (ZDI-15-155) 2015-05-29 13:29:03 -05:00
jvazquez-r7 9ebd6e5d6e
Use REXML 2015-05-29 13:27:19 -05:00
jvazquez-r7 294fa78c1f
Land #5430, @m-1-k-3's adding specific endianess Arch to some exploits 2015-05-29 11:43:25 -05:00
jvazquez-r7 dd39d196f5
Land #5226, @m-1-k-3's Airties login Buffer Overflow exploit 2015-05-29 10:51:32 -05:00
jvazquez-r7 952f391fb4
Do minor code cleanup 2015-05-29 10:49:51 -05:00
wchen-r7 2a260f0689 Update description 2015-05-28 15:18:05 -05:00
Michael Messner 666b0bc34a MIPSBE vs MIPS 2015-05-28 18:50:48 +02:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
Spencer McIntyre 24b4dacec5
Land #5408, @g0tmi1k fixes verbiage and whitespace 2015-05-27 21:02:02 -04:00
wchen-r7 bcdae5fa1a Forgot to add the datastore option 2015-05-27 18:12:38 -05:00
wchen-r7 4f0e908c8b Never mind, Vista doesn't have powershell. 2015-05-27 18:08:58 -05:00
wchen-r7 d43706b65e It doesn't look like Vista shows the powershell prompt 2015-05-27 18:04:35 -05:00
wchen-r7 53774fed56 Be more strict with Win 7 for MS14-064
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
Tod Beardsley 95b5ff6bea
Minor fixups on recent modules.
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301, @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces

Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in

Edited modules/auxiliary/scanner/http/title.rb first landed in #5333,
HTML Title Grabber

Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401, multi-platform CVE-2015-0311 - Flash uncompress()
UAF

Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290, Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
wchen-r7 60cdf71e6c
Merge branch 'upstream-master' into bapv2 2015-05-26 15:56:48 -05:00
wchen-r7 a0e0e3d360 Description 2015-05-25 17:24:41 -05:00
Michael Messner 43f505b462 fix contact details 2015-05-25 19:31:50 +02:00
jvazquez-r7 f953dc08d9
Land #5280, @m-1-k-3's support for Airties devices to miniupnpd_soap_bof 2015-05-24 15:17:38 -05:00
Michael Messner 10baf1ebb6 echo stager 2015-05-23 15:50:35 +02:00
wchen-r7 60b0be8e3f Fix a lot of bugs 2015-05-23 01:59:29 -05:00
jvazquez-r7 5bceeb4f27
Land #5349, @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation 2015-05-22 17:14:20 -05:00
wchen-r7 9600f6a30a rm deprecated exploit 2015-05-22 17:14:08 -05:00
wchen-r7 6de75ffd9f
Merge branch 'upstream-master' into bapv2 2015-05-22 17:11:03 -05:00
wchen-r7 eb5aadfb4e
Land #5401, multi-platform CVE-2015-0311 - Flash uncompress() UAF 2015-05-22 16:50:13 -05:00
jvazquez-r7 3aa1ffb4f5
Do minor code cleanup 2015-05-22 16:20:36 -05:00
wchen-r7 2bb6f390c0 Add session limiter and fix a race bug in notes removal 2015-05-22 12:22:41 -05:00
jvazquez-r7 03b70e3714
Land #5388, @wchen-r7's fixes #5373 by add info to BrowserRequiements 2015-05-22 10:21:59 -05:00
jvazquez-r7 6da94b1dd5
Deprecate windows module 2015-05-21 15:01:41 -05:00
jvazquez-r7 b9f9647ab1
Use all the BES power 2015-05-21 14:06:41 -05:00
wchen-r7 6e8ee2f3ba Add whitelist feature 2015-05-21 00:05:14 -05:00
jvazquez-r7 aa919da84d
Add the multiplatform exploit 2015-05-20 18:57:59 -05:00
wchen-r7 2cadd5e658 Resolve #5373, Add ActiveX info in BrowserRequirements
Resolve #5373
2015-05-20 16:34:09 -05:00
OJ 44f8cf4124 Add more size to stagers, adjust psexec payloads
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. i can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
OJ a93565b5d1 Add 'Payload' section with 'Size' to psexec_psh
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.

This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
wchen-r7 89be3fc1f2 Do global requirement comparison in BAP 2015-05-18 16:27:18 -05:00
Hans-Martin Münch (h0ng10) d99eedb1e4 Adding begin...ensure block 2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10) acb053a2a7 CloseHandle cleanup 2015-05-17 20:39:10 +02:00
jvazquez-r7 2882374582
Land #5276, @lanjelot fixes #4243 and improves java_jdwp_debugger 2015-05-15 11:12:10 -05:00
jvazquez-r7 a46975f1f0
Fix read_reply to use get_once correctly 2015-05-15 11:11:25 -05:00
Hans-Martin Münch (h0ng10) e075495a5b string concatenation, clear \ handling 2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10) 94d39c5c75 remove hard coded pipe name 2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10) bb4f5da6d9 replace client.sys.config.getenv with get_env 2015-05-15 06:33:57 +02:00
wchen-r7 8bcdd08f34 Some basic code in place for real-time exploit list generation 2015-05-14 19:09:38 -05:00
Hans-Martin Münch (h0ng10) bba261a1cf Initial version 2015-05-15 00:36:03 +02:00
wchen-r7 1a8ab91ce3 Configurable max exploits 2015-05-13 16:23:22 -05:00
wchen-r7 7617217eff Add ability to exclude 2015-05-13 15:55:19 -05:00
jvazquez-r7 0fb21af247
Verify deletion at on_new_session moment 2015-05-11 18:56:18 -05:00
wchen-r7 30b1c508f1 javascript portion 2015-05-10 16:50:32 -05:00
William Vu eeb87a3489 Polish up module 2015-05-09 14:33:41 -05:00
HD Moore fe907dfe98 Fix the disclosure date 2015-05-09 10:44:28 -05:00
jvazquez-r7 cb51bcc776
Land #5147, @lightsey's exploit for CVE-2015-1592 MovableType deserialization 2015-05-09 01:56:38 -05:00
jvazquez-r7 89bc405c54
Do minor code cleanup 2015-05-09 01:54:05 -05:00
wchen-r7 8e86a92210 Update 2015-05-08 00:25:34 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
William Vu 2f2169af90 Use single quotes consistently 2015-05-07 22:39:36 -05:00
wchen-r7 95f087ffd3 Some progress 2015-05-07 19:26:38 -05:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
Brent Cook a066105a86 prefer reading directly with MetasploitPayloads where possible 2015-05-07 16:59:02 -05:00
William Vu 134a674ef3
Land #5312, @todb-r7's release fixes 2015-05-07 15:34:31 -05:00
Christian Mehlmauer 1469a151ad
Land #5290, Wordpress RevSlider Module 2015-05-07 22:15:56 +02:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
William Vu b8c7161819 Fix up NameError'd payload_exe 2015-05-06 11:34:05 -05:00
William Vu 59ffe5d98f
Land #5306, payload_exe NameError fix 2015-05-06 11:29:29 -05:00
wchen-r7 4b0f54f0aa
Land #5305, CVE-2015-0336 Flash NetConnection Type Confusion 2015-05-06 11:26:22 -05:00
wchen-r7 97807e09ca
Lad #5125, Group Policy startup exploit 2015-05-06 11:17:01 -05:00
wchen-r7 5b57e4e9ca Add info about the waiting time 2015-05-06 11:15:11 -05:00
Tom Sellers 94d1905fd6 Added WPVDB reference
Added a link to the new WPVDB article 7540 that @FireFart provided.
2015-05-06 05:41:02 -05:00
Tom Sellers c293066198 Leverage check_version_from_custom_file in PR #5292
Change the 'check' code to leverage check_version_from_custom_file added to wordpress/version.rb by @FireFart in PR #5292
2015-05-06 05:41:02 -05:00
Tom Sellers 18697d8d02 Fixed the following based on feedback from @FireFart ( Thanks! )
- Adjusted references section
- Corrected call to normalize_uri
- Removed unnecessary require for rex/zip
2015-05-06 05:41:02 -05:00
Tom Sellers 8cb18f8afe Initial commit of code 2015-05-06 05:41:02 -05:00
Sam Roth 5cb8b9a20a Fix #5304 2015-05-05 22:25:06 -04:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
Brent Cook a0c806c213 Update java meterpreter and payload references to use metasploit-payloads 2015-05-05 15:01:00 -05:00
Darius Freamon c988447c18 title enhancement, OSVDB ref
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
m-1-k-3 c8123c147f upnp vs hnap 2015-05-05 20:57:05 +02:00
Christian Mehlmauer 73f7885eea
add comment 2015-05-29 23:08:55 +02:00
jvazquez-r7 b95be1b25f
Support information to include logon scripts 2015-05-04 15:49:19 -05:00
Darius Freamon dc42a3ee1a add OSVDB ref
add OSVDB ref
2015-05-04 14:27:44 -06:00
m-1-k-3 c7e05448e7 various MIPS vs MIPSBE fixes 2015-05-04 12:55:21 +02:00
William Vu 67a23f2c74
Land #5296, info hash product name fix 2015-05-03 14:36:25 -05:00
John Lightsey 4bfb9262e6 Add exploit module for MovableType CVE-2015-1592
This module targets the deserialization of untrusted Storable data in
MovableType before 5.2.12 and 6.0.7. The destructive attack will
function on most installations, but will leave the webapp corrupted.
The non-destructive attack will only function on servers that have the
Object::MultiType (uncommon) and DateTime (common) Perl modules
installed in addition to MovableType.
2015-05-03 14:18:01 -05:00
Darius Freamon a5c10b7f10 Fix product name
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
m-1-k-3 53043dcbbc make msftidy happy 2015-05-03 18:14:51 +02:00
m-1-k-3 6fbce56a52 realtek upnp command injection 2015-05-03 18:09:22 +02:00
joev db999d2c62 Remove ff 31-34 exploit from autopwn, requires interaction. 2015-05-03 10:42:21 -05:00
jvazquez-r7 1bc6822811
Delete Airties module 2015-05-22 11:57:45 -05:00
jvazquez-r7 70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof 2015-05-22 11:57:19 -05:00
jvazquez-r7 a531ad9ec2
Land #5096, @pedrib's exploit for Novell ZCM CVE-2015-0779 2015-05-01 14:35:28 -05:00
jvazquez-r7 0ff33572a7
Fix waiting loop 2015-05-01 14:34:43 -05:00
jvazquez-r7 645f239d94
Change module filename 2015-05-01 14:18:34 -05:00
jvazquez-r7 11a3f59b0b
Return false if there isn't a positive answer 2015-05-01 14:06:57 -05:00
jvazquez-r7 093c2e3ace
Do minor style cleanup 2015-05-01 13:56:48 -05:00
jvazquez-r7 d38adef5cc
Make TOMCAT_PATH optional 2015-05-01 13:54:39 -05:00
jvazquez-r7 d2a7d83f71
Avoid long sleep times 2015-05-01 13:51:52 -05:00
jvazquez-r7 8fcf0c558d
Use single quotes 2015-05-01 13:20:27 -05:00
wchen-r7 08b5f71f99 More options 2015-04-30 19:09:08 -05:00
wchen-r7 5ae06310b6 Do some option handling 2015-04-30 18:59:44 -05:00
Darius Freamon aa59b3acc6 title enhancement, description touch-up
Expanded title to be more precise and standardized use of vendor name
2015-04-30 17:23:15 -06:00
wchen-r7 89d026c900 Fix merge conflict 2015-04-30 12:33:45 -05:00
lanjelot 5ab9f01eee Use byte[] so it works even if Base64 unavailable 2015-04-30 12:46:14 +10:00
lanjelot 15bb4d1ea4 Fix #4243, regression introduced by commit 6e80481384 2015-04-30 12:42:39 +10:00
wchen-r7 ca32db3e23 Merge branch 'upstream-master' into BAPv2 2015-04-29 18:53:37 -05:00
jvazquez-r7 d773f85dca
Add reference to malware 2015-04-29 17:53:29 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
William Vu 5defb50252
Fix #5267, references fixes 2015-04-29 14:21:23 -05:00
William Vu a4531e62a0 Clean up references 2015-04-29 14:21:08 -05:00
William Vu b2d08251e4 Move reference 2015-04-29 14:18:45 -05:00
William Vu fd567195e3 Fix punctuation and missing comma 2015-04-29 14:12:44 -05:00
Darius Freamon 5f0736fa4c enhance title and description, add OSVDB reference, standardized JBoss 2015-04-29 11:39:40 -06:00
wchen-r7 65b7659d27 Some progress 2015-04-29 01:01:36 -05:00
wchen-r7 43492b7c67 Some progress 2015-04-28 18:17:32 -05:00
Darius Freamon c01fc829ab Title enhancement, OSVDB refs 2015-04-28 15:56:34 -06:00
m-1-k-3 d8b8017e0b remove debugging 2015-04-27 06:36:34 +02:00
m-1-k-3 8db88994ac fingerprint, title 2015-04-27 06:34:46 +02:00
m-1-k-3 285d767e20 initial commit of UPnP exploit for Airties devices 2015-04-27 05:34:30 +02:00
Roberto Soares b537c8ae2c Changed fail_with output. 2015-04-26 01:28:55 -03:00
Roberto Soares a4b4d7cf6a Add WordPress Front-end Editor File Upload Vuln 2015-04-25 22:00:05 -03:00
Brent Cook ff96101dba
Land #5218, fix #3816, remove print_debug / DEBUG 2015-04-24 13:41:07 -05:00
jvazquez-r7 7167dc1147
Land #5243, @espreto's WordPress WPshop eCommerce File Upload exploit 2015-04-24 11:30:28 -05:00
jvazquez-r7 558103b25d
Do code cleanup 2015-04-24 11:30:08 -05:00
jvazquez-r7 8a8d9a26f4
Do code cleanup 2015-04-24 10:47:46 -05:00
jvazquez-r7 b5223912cb
Fix check method 2015-04-24 10:41:41 -05:00
Roberto Soares c9b4a272e3 Changed fail_with output. 2015-04-24 12:16:23 -03:00
Roberto Soares e14c6af194 Removed double 'Calling payload'. 2015-04-24 06:26:04 -03:00
Roberto Soares 01efc97c4a Add WordPress WPshop eCommerce File Upload. 2015-04-24 06:21:49 -03:00
Roberto Soares 5bf4c9187a Removed double "Calling payload..." 2015-04-23 03:41:34 -03:00
Roberto Soares 844f768eee Add WordPress InBoundio Marketing File Upload 2015-04-23 03:32:17 -03:00
m-1-k-3 f5b0a7e082 include rop gadget description 2015-04-23 00:11:02 +02:00
m-1-k-3 1ec0e09a43 msftidy 2015-04-22 10:32:47 +02:00
m-1-k-3 58099d0469 airties login bof module 2015-04-22 10:21:58 +02:00
xistence 92c91c76f7 Proftpd 1.3.5 Mod_Copy Command Execution 2015-04-22 01:41:16 -04:00
jvazquez-r7 3f40342ac5
Fix sock_sendpage 2015-04-21 14:17:19 -05:00
jvazquez-r7 ab94f15a60
Take care of modules using the 'DEBUG' option 2015-04-21 12:13:40 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
jvazquez-r7 4f59abe842
Land #5203, @Meatballs1 fixes #5199 by using the correct namespace
* Fixes web_delivery
2015-04-20 11:20:48 -05:00
Meatballs eb1c01417a
Bogus : 2015-04-20 11:00:26 +01:00
Meatballs aa4f913800
Resolves #5199
Fix Powershell namespace in web_delivery module
2015-04-20 09:37:42 +01:00
Christian Mehlmauer a60fe4af8e
Land #5201, Change module wording to conform with other WP modules 2015-04-20 10:07:05 +02:00
aushack 1a32cf7fc0 Change module wording to conform with other WP modules. 2015-04-20 16:48:35 +10:00
Christian Mehlmauer a5583debdc
Land #5131, WordPress Slideshow Upload 2015-04-19 23:12:26 +02:00
Roberto Soares c1a1143377 Remove line in description and output line in fail_with 2015-04-18 15:38:42 -03:00
Michael Messner b991dec0f9 Dlink UPnP SOAP-Header Injection 2015-04-17 22:54:32 +02:00
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
Christian Mehlmauer bba0927c7e
Land #5163, WordPress Reflex Gallery Plugin File Upload 2015-04-17 11:26:34 +02:00
wchen-r7 3927024f79
Land #5154, CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
sage aborts
2015-04-16 21:21:09 -05:00
Christian Mehlmauer 153344a1dd
fix Unkown typo 2015-04-16 23:59:28 +02:00
Roberto Soares 33cf2f1578 Added Faliure:: symbol to fail_with 2015-04-16 17:40:25 -03:00
Roberto Soares 2138325129 Add Failure:: symbol to fail_with 2015-04-16 17:15:24 -03:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer 8c5890d506
more fixes 2015-04-16 21:56:42 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
Christian Mehlmauer b4b8ac0849
moar fail_with's 2015-04-16 21:26:37 +02:00
Christian Mehlmauer a193ae42b0
moar fail_with's 2015-04-16 21:25:05 +02:00
Christian Mehlmauer 4dc402fd3c
moar fail_with's 2015-04-16 21:16:52 +02:00
Christian Mehlmauer 0e186fa617
first fail_with fixes 2015-04-16 21:08:33 +02:00
William Vu f0d6735332
Land #5165, version number correction 2015-04-16 12:10:12 -05:00
William Vu 26f2b350d2
Land #5168, more fail_with fixes 2015-04-16 12:04:55 -05:00
sinn3r 904339f0d7 Fix #5130, Correct use of fail_with in wp_worktheflow_upload.rb 2015-04-16 10:32:50 -05:00
sinn3r 5c98270f4d Fix #5137 - Correct use of fail_with 2015-04-16 09:57:02 -05:00
Christian Mehlmauer 418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload 2015-04-16 16:24:41 +02:00
Christian Mehlmauer 7f79acb996
Land #5137, WordPress N-Media Website File Upload 2015-04-16 16:17:20 +02:00
Roberto Soares 517ad54617 Fix the correct version in check. 2015-04-16 10:56:43 -03:00
Roberto Soares 95310dbe4f Fix 'if' condition. 2015-04-16 10:51:36 -03:00
Roberto Soares 626a9f0508 Fix the correct version in check. 2015-04-16 10:46:08 -03:00
Roberto Soares 6ef074cd28 Fix the correct version in check 2015-04-16 10:34:34 -03:00
Christian Mehlmauer d9f4c7548f
Land #5136, WordPress Creative Contact Form upload 2015-04-16 15:17:14 +02:00
Christian Mehlmauer 84c74b8d42
use correct version number 2015-04-16 15:01:54 +02:00
Roberto Soares ee8dc49a25 Fix wrong version in check. 2015-04-16 09:45:18 -03:00
Roberto Soares e16cc6fa82 Fix the correct version in check. 2015-04-16 09:38:42 -03:00
Christian Mehlmauer 7dde7f6f7c
Land #5130, WordPress WorkTheFlow Upload 2015-04-16 14:06:37 +02:00
Roberto Soares dc7f161339 Add author, EDB, OSVDB and WPVDB. 2015-04-16 08:56:33 -03:00
Roberto Soares 1112a3b0ae Add WordPress Reflex Gallery Plugin File Upload 2015-04-16 08:40:51 -03:00
Roberto Soares 4aa4f83372 Removed timeout 2. 2015-04-16 05:37:11 -03:00
Roberto Soares 39556c10c7 Rewrote check method. 2015-04-16 05:36:20 -03:00
Roberto Soares ace316a54f Added WPVDB and EDB references. 2015-04-16 05:29:21 -03:00
Roberto Soares 10c218319a Rewrote response condition. 2015-04-16 05:26:48 -03:00
Roberto Soares 5cb9b1a44c Removed timeout 2. 2015-04-16 05:21:59 -03:00
Roberto Soares 0e1b173d15 Renamed USER/PASSWORD to WP_USER/WP_PASSWORD. 2015-04-16 05:11:56 -03:00
Roberto Soares 13ded8abe7 Added WPVDB. 2015-04-16 05:08:45 -03:00
Roberto Soares 64923ffdc2 Fixed plugin name in check method 2015-04-16 05:06:36 -03:00
Roberto Soares e9212c4d6b wordpress_url_admin_ajax intead of wordpress_url_backend 2015-04-16 04:53:05 -03:00
Roberto Soares 81d898fd7e Rewrote check code. 2015-04-16 04:51:40 -03:00
Roberto Soares aeb0484889 Removed timeout 2. 2015-04-16 04:48:00 -03:00
Roberto Soares e6e9c173e3 Rewrote res conditions. 2015-04-16 04:43:34 -03:00
Roberto Soares d11db4edc7 Rewrote check code. 2015-04-16 04:37:30 -03:00
Roberto Soares f13d31c7c2 Added WPVDB. 2015-04-16 04:31:23 -03:00
Roberto Soares cccda4e851 Removed unnecessary line. 2015-04-16 04:27:15 -03:00
Roberto Soares d3a6de761d Removed timeout 2. 2015-04-16 04:09:02 -03:00
William Vu 01625e3bba
Land #5148, DRY BSD/OS X shellcode
Also fix a semi-regression in the Rootpipe exploit.
2015-04-16 02:08:18 -05:00
William Vu 13da15e434 Add default PAYLOAD again
PrependSetreuid doesn't work with generic/shell_reverse_tcp.
2015-04-16 02:07:02 -05:00
Roberto Soares 1249f29ee8 Add JSON::ParserError exception handler. 2015-04-16 04:03:54 -03:00
jvazquez-r7 c1753672bf
Delete file_contents initialization 2015-04-15 17:58:32 -05:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
jvazquez-r7 ef6bf54e2f
Fix metadata 2015-04-15 09:22:59 -05:00
jvazquez-r7 1da6b32df7
Land #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
jvazquez-r7 6019bbe0d2
Add ranking comment 2015-04-15 09:12:03 -05:00
jvazquez-r7 ad465c4d5b
Do code cleanup 2015-04-15 09:10:18 -05:00
sinn3r b5335ab266 Some progress, mostly documentation 2015-04-14 19:03:08 -05:00
sinn3r aca93cc86e Add missing Rank 2015-04-14 13:33:37 -05:00
sinn3r 6c9cc7c725 Some progress 2015-04-14 13:30:34 -05:00
sinn3r 4486831ba3 Module loading portion 2015-04-14 01:33:02 -05:00
William Vu e114c85044
Land #5127, x64 OS X prepend stubs 'n' stuff 2015-04-14 01:25:39 -05:00
Roberto Soares a09e643a71 Add author, URL, WPVDB and disclosure date. 2015-04-13 22:54:05 -03:00
Roberto Soares 271a81778e Add Module WP N-Media Website Contact Form Upload 2015-04-13 22:48:34 -03:00
Roberto Soares 7f10fb5bf0 Fix disclosure date 2015-04-13 18:53:20 -03:00
Roberto Soares e94ca0bdd1 Add EDB, OSVDB and author. 2015-04-13 18:42:17 -03:00
Roberto Soares d5d975c450 Add Module WordPress Creative Contact Form Upload 2015-04-13 18:38:43 -03:00
William Vu e324819feb Add Privileged to info hash
Also remove default payload. Was set for CMD.
2015-04-13 15:23:30 -05:00
Tod Beardsley bd3b6514fa
Dubbed. Whump whump. 2015-04-13 10:52:32 -05:00
Tod Beardsley d87483b28d
Squashed commit of the following:
commit 49f480af8b9d27e676c02006ae8873a119e1aae6
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Apr 13 10:42:13 2015 -0500

    Fix funny punctuation on rootpipe exploit title

    See #5119

commit 0b439671efd6dabcf1a69fd0b089c28badf5ccff
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Apr 13 10:37:39 2015 -0500

    Fix vendor caps

    Trusting the github repo README at

    https://github.com/embedthis/goahead

    See #5101
2015-04-13 10:46:47 -05:00
Roberto Soares 7b57496501 Fix typo and add email addr. 2015-04-13 04:12:32 -03:00
Roberto Soares abee3f17c4 Add author, CVE and EDB references 2015-04-13 04:08:34 -03:00
Roberto Soares 58c4042321 Add Module WP Slideshow Gallery Shell Upload 2015-04-13 03:56:59 -03:00
Roberto Soares 2d1f8c510e Add author and references 2015-04-12 21:21:49 -03:00
Roberto Soares 9f06cee53d Add Module WordPress WorkTheFlow Shell Upload 2015-04-12 21:09:44 -03:00
joev c132a3fb0a Fix OSX prepends and implement x64 setreuid. 2015-04-11 20:04:21 -05:00
jvazquez-r7 656abac13c Use keyword arguments 2015-04-10 18:03:45 -05:00
jvazquez-r7 1720d4cd83
Introduce get_file_contents 2015-04-10 17:34:00 -05:00
jvazquez-r7 ca6a5cad17
support changing files 2015-04-10 16:53:12 -05:00
jvazquez-r7 b2e17a61a9
Fix disclosure date 2015-04-10 13:09:24 -05:00
jvazquez-r7 ab944b1897
Add module to exploit dangerous group policy startup scripts 2015-04-10 13:01:50 -05:00
joev 3313dac30f
Land #5119, @wvu's addition of the OSX rootpipe privesc exploit.
orts
borts
2015-04-10 12:38:25 -05:00
sinn3r 4419c1c728
Land #5120, Adobe Flash Player casi32 Integer Overflow 2015-04-10 12:18:11 -05:00
William Vu fc814a17ae Add admin check
Also break out version check.
2015-04-10 11:24:49 -05:00
William Vu 41885133d8 Refactor and clean
Finally breaking free of some stubborn old habits. :)
2015-04-10 11:22:27 -05:00
William Vu a7601c1b9a Use zsh to avoid dropping privs
Also add some configurable options.
2015-04-10 11:22:00 -05:00
William Vu 4cc6ac6eaa Clarify vulnerable versions 2015-04-10 11:22:00 -05:00
William Vu c4b7b32745 Add Rootpipe exploit 2015-04-10 11:22:00 -05:00
Jon Cave c6f062d49e Ensure that local variable `upload_path` is defined
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
Pedro Ribeiro 4808d61af3 Add OSVDB id and full disclosure URL 2015-04-09 16:32:22 +01:00
Brent Cook e03f2df691
Land #5002, RMI/JMX improvements 2015-04-08 15:23:29 -05:00
Pedro Ribeiro cf8b92b747 Create zcm_file_upload.rb 2015-04-07 16:05:51 +01:00
William Vu 7a2d3f5ebd
Land #5082, firefox_proxy_prototype autopwn_info 2015-04-06 13:36:03 -05:00
William Vu e1af495d21 Add extra release fixes 2015-04-06 13:08:40 -05:00
Tod Beardsley b62011121b
Minor word choice fix on Solarwinds exploit
Removing the second person pronoun usage.

[See #5050]
2015-04-06 12:40:22 -05:00
Tod Beardsley 5be5b6097c
Minor grammar on #5030, Adobe Flash
[See #5030]
2015-04-06 12:36:25 -05:00
Tod Beardsley 1e6d895975
Description fixes on #4784, jboss exploit
Also, needed to run through msftidy.

[See #4784]
2015-04-06 12:34:49 -05:00
root cd65e6f282 Add browser_autopwn info to firefox_proxy_prototype 2015-04-06 10:42:32 +05:00
William Vu 56dc7afea6
Land #5068, @todb-r7's module author cleanup 2015-04-03 16:00:36 -05:00
jvazquez-r7 e3bbb7c297 Solve conflicts 2015-04-03 14:57:49 -05:00
jvazquez-r7 828301a6cc
Land #5050, @wchen-r7's exploit for Solarwinds Firewall Security Manager
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
jvazquez-r7 7c9b19c6f8
Do minor cleanup 2015-04-03 11:53:50 -05:00
scriptjunkie 0f7c644fff
Land #4784, JBoss Seam 2 upload exec exploit 2015-04-02 22:32:35 -05:00
Tod Beardsley 3ff91d74ca
More cleanup, mostly abysssec
[See #5012]
2015-04-02 16:16:38 -05:00
Tod Beardsley 11057e5b3b
Fix up the last couple from Tenable, missed last
[See #5012]
2015-04-02 15:27:46 -05:00
Tod Beardsley 4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
Tod Beardsley 6532fad579
Remove credits to Alligator Security Team
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.

The one that didn't was credited to dflah_ specifically, so merely
changed the author name.

Longer description, if needed, wrapped at 72 characters.

[See #5012]
2015-04-02 15:12:22 -05:00
Tod Beardsley b17727d244
Switching to privileged => false 2015-04-01 14:35:45 -05:00
Tod Beardsley 0825534d2c
Fix reference 2015-04-01 14:16:45 -05:00
Tod Beardsley 8ec71e9daf
Add a module for R7-2015-05 2015-04-01 14:05:41 -05:00
jvazquez-r7 02a5730d92
Use calculate_interface_hash 2015-04-01 12:09:42 -05:00
sinn3r 0b14a18ad2 This is final 2015-04-01 12:00:49 -05:00
jvazquez-r7 f954ff78c0
Fix typo 2015-04-01 10:51:54 -05:00
sinn3r 0ee858cd65 Some useful messages 2015-04-01 01:41:31 -05:00
sinn3r 8ad07cdc0f This should be on the right track 2015-04-01 01:27:50 -05:00
sinn3r 6795c90eac Some progress 2015-03-31 20:46:34 -05:00
sinn3r 97305629cb Add Solarwinds FSM module
starter
2015-03-31 16:21:52 -05:00
sinn3r 8ea1ffc6ff
Land #5030, CVE-2015-0313 Flash Exploit 2015-03-30 11:31:53 -05:00
h00die 28b9e89963 removed duplicate "uses" from description 2015-03-29 19:40:31 -04:00
William Vu ef8c0aac69
Land #5020, spelling fixes for some modules 2015-03-28 00:36:04 -05:00
jvazquez-r7 f84a46df63
Add module for CVE-2015-0313 2015-03-27 18:51:13 -05:00
sinn3r 9cfafdd8b8
Land #4649, improve post/windows/manage/run_as and as an exploit 2015-03-27 17:31:30 -05:00